Please enable JavaScript.
Coggle requires JavaScript to display documents.
Techniques for identifying risk events - Coggle Diagram
Techniques for identifying risk events
Expert judgement
Expert judgement relies on the skills and experiences of relevant specialists, either in isolation or working as a group
For example, an IT specialist should have a good understanding of the types of IT related risk events to which an organisation
Equally finance specialists should have a good udnerstanding of any financial risks such as the risk of making a financial misstatement
Most organisations will use their own internal specialists to provide expert judgement but in some circumstances external experts, such as risk management consultants may be used
It is helpful to have a facilitator to work with experts to help them identify all relevant risks. The facilitator may be an internal risk specialist or an external consultant
Focus groups and surveys
Focus groups may comprise a mix of specialists, such as IT, finance and HR specialists
The idea behind a focus group is to share a range of different perspectives and experiences to achieve a consensus view
This should ensure that a greater number of relevant risk events are identified. The cost is that focus groups take up more specialist or management time due to the greater number of people involved
An alternative way to collect a range of views is via a risk survey, here relevant specialists and managers are asked a series of questions and their responses are consolidated and analysed to identify relevant risk events
A simple risk identification may ask respondents to list the risk events that they believe could occur or may provide a checklist of potential risk events
More sophisticated surveys may ask about how organisational processes and procedures are designed and controlled to identify the potential sources of risk events
Risk events are often linked to weaknesses in process design or control failures
Surveys may be created by internal or external risk management specialists
Checklists
Checklists provide a prepared list of potential risk events
Checklists are used to support other risk identification approaches such as expert judgement, focus groups and surveys
A checklist ensures that particular types of risk event are not forgotten
Experts, focus groups or survey respondents may accidentally overlook certain types of risk event
A checklist ensures that all relevant sources of risk are given consideration
An organisation may draw up its own checklists based on their past experience of risk events or use checklists provided by an external agency such as risk management association, consultant or regulator
The advantage of external agencies is that they are able to learn from the experiences of multiple organisation
Benefits
A cheap and efficient way of collating large amounts of information
Simple and easy to use - ensures that relevant sources of risk are not missed
A useful way of updating information for current use and for monitoring trends against previous surveys
Can be adapted to individual areas of risk focus (such as health and safety, environment and so on)
Useful for putting diverse sources of information into a common format
Can be used to provide evidence of compliance with relevant risk management regulations
Costs
Can be used by someone who may not be skilled in the subject of the checklist
Can be completed by someone who may not understand precisely the objectives and ultimate use of their answers
Can focus the user's attention simply on completing the checklist without keeping the overall reason for the checklist in mind causing the task to be seen as just a form filling exercise
May be ambiguous to the reader, however careful the design
May be completed too quickly and therefore without much thought, by someone who considers that their own time is better spent elsewhere
May be completed by someone who has their own reasons for suppressing risk information
Physical inspections
Physical inspections of workplaces are a common way to assess health and safety related risks or risks relating to fire and other physical hazards
Physical inspections are usually completed by qualified risk identification specialists such as a building surveyor, fire safety professional or health and safety expert
Inspections are often supported by the use of questionnaires or checklists to ensure that nothing important is missed
There is a clear advantage when a workplace and its employees are visited particularly by someone who has the specialised knowledge to take a professional view of what is there
Disadvantages
An inspector can only see risk exposures that are visible on the day of the visit
A visit is a snapshot and can capture only the activity of the day
An inspection programme can be expensive especially when visits are needed across many different workplaces
Some of an organisation's greatest types or sources of risk may be those where third party suppliers provide goods and services. The organisation may have difficulty obtaining authority to conduct detailed inspections in third party premises unless this permission is negotiated within the original contract
Risk management is and should remain the responsibility of every manager and employee throughout an organisation. Regular visits by an inspector, if not carefully managed, could encourage managers and employees to believe that they can abdicate responsibility for risk management to the inspector
SWIFT (Structured What If Technique)
A systematic, team oriented technique commonly used for the identification of health and safety and environmental related risks in areas such chemical processing and manufacturing
The technique uses a series of structured 'what if' and 'how could' type questions to consider deviations from the normal operation of systems and processes
The activity is supported by checklists to help identify potential risk events
SWIFT relies on expert input from the team to identify risk events
The SWIFT leader's function is to structure the discussion
The SWIFT recorder keeps an online record of the discussion on a standard log sheet
There is no standard approach to SWIFT. One of its strength is that it is flexible and can be modified to suit each individual application
A common protocol for the SWIFT analysis of a risk event is as follows
Define the operational systems/processes being analysed
Consider each in turn
Brainstorm possible risk events - list but do not discuss yet
Structure the risk events into a logical sequence for discussion. Start with the major ones and prioritise selection of others
Consider each risk event in turn
Consider possible causes of each risk event
Consider the possible consequences should an event occur
Consider safeguards that are planned to be in place to prevent the event occuring
Consider frequency and consequences
Record discussion on SWIFT log sheets
Reconsider whether any risk events have been omitted
Use checklists and where available, previous risk event experience to check for completeness
Expensive technique to use because of the amount of time and people involved but it is more likely to identify all relevant risk events
Delphi technique
The Delphi technique is an information gathering tool that is used to reach a consensus of experts on a subject, in this case the identification of risk events
Each expert participates anonymously and a facilitator uses a questionnaire to solicit ideas about the important points related to the subject
The responses are summarised and re-circulated to the experts for further comment
Consenus may be reached in a few or many rounds of this process
In relation to risk identification, the Delphi technique keeps any one person from having undue influence on the risks that are identified
A range of experts can be used including risk management specialists, other functional specialists (IT, HR, governance etc)
A Delphi approach to risk identification could proceed as follows
Agree the function, department, project or process to be analysed
Select a panel of experts and keep the membership anonymous
Send out background information and a questionnaire that asks them to identify the relevant risks
Facilitator compiles responses
Facilitator sends out compiled information to experts for comments - experts invited to revise their views based on responses
Repeat until a consensus is reached
Anonymity is essential to encourage each expert to be as honest and open as possible- studies have shown that the technique can be effective at predicting risk events but it is time consuming, especially if a consensus is hard to reach
Root cause analysis
Focuses on investigating the root cause of risk events
May be applied to hypothetical risk event scenarios or actual risk events that have occurred either within the organisation or in similar organsiations
Root cause analysis is based on the assumption that many risk events have multiple causes
Root cause analysis approaches vary but are based on four principles
Identify the causes of the event
Establish the timeline from normal operations to a risk event
Distingush between root causes and more immediate causes
Use the results to improve controls and to help manage future risk events
Often the causes of an event, as well s the order in which the causes arise, are identified using the five why's technique
More or fewer than five why's may be used to get to the root cause but usually it is possible to get to the root cause in five question
Root cause analysis is time consuming. It is rarely practical or cost effective to use it to identify all risks but it is a good technique to use when investigating the causes of large and negative risk events that have occurred
This allows an organisation to learn from these events and hopefully prevent a similar chain of causes from occurring in the future
System and process mapping
All organisations have systems and process, in some organisations, considerable time is spent on mapping these systems and processes into flow charts
Systems and process mapping involves putting all of an organisation's systems and processes into flow charts - these charts are then investigated to identify potential sources of risk to the various systems, processes, activities or objectives
A common investigation technique is fault tree analysis, which looks at what might cause a systems or process flow to fail
The fault tree does not look at the system or process leading to the end result - instead it tries to identify potential system or process failures (risk events) and then looks backwards to search out the possible causes of those failures
Fault tree analysis begins with each element in a system or process and then considers what might happen if this element fails. The aim is to identify key points of failure and whether these can be overcome by adapting other parts of the system or process flow
The fault tree approach can be used in different ways by mathematicians, engineers and scientists, through to health and safety and business continuity manager
Fault trees can be long or short, simplistic or highly technical and analogue or computerised as required
Fault trees have been adapted into more advanced tools such as Harvard and operability studies that can be used to focus on particular elements within systems and processes
An advantage of the fault tree approach is that it can highlight connected risk events that could combine to cause much larger risk events - diverse connections between system and process failures are unlikely to be recognised by individuals working on one aspect of an organisational system or process, unless they use a fault tree or similar approach
A disadvantage of the fault tree approach is that it can take a lot of time and money to flow chart systems and processes and then analyse them for points of failure that may cause risk events
Loss event and near miss investigations
All organisations experience risk events that result in monetary or non monetary losses
These could include faulty machinery, liability claims, adverse media attention or employee injury
Organisations also experience near misses, which are risk events that occur but which do not result in a loss
Loss events and near misses are learning opportunities
Whenever they occur, an organisation may decide to identify the causes of these events using techniques such as root cause analysis
These investigations may help an organisation to identify new risks; they may also signfiy an increase in exposure to a previously identified risk or a control weakness
It is imperative that organisations learn quickly from losses and near misses to help prevent more serious risk events in the future
Identifying emerging risk
PEST analysis
Political change can be a key source of emerging risk (in terms of both opportunities and threats), whether this is changes in legislation and regulations or major changes in political philosophies and regimes
Economic change can create new opportunities and threats. The financial crisis of 2007-07 is an example of this, as might be periods of high or low inflation, high or low interest rates or high unemployment
Social and technological - such as the rise of the internet smart phones and social media - can be a source of emerging risks. The rise in hacking attacks and reputation risks linked to social media discussion trends are examples of emerging risks linked to social and technological trends
PEST analysis is usually completed by a group of participants. This might be a focus group of managers or senior managers from relevant functions supported by a expert facilitator. It is common to involve an organisations board of directors or trustees in the case of large scale emerging risks that can have a far reaching strategic impact
SWOT analysis
SWOT analysis is a strategic tool used to identify business objectives. It can also be used to identify emerging risks
SWOT analysis begins by identifying an organisation's strengths and weaknesses. This may include things such as its finances, the abilities of key personnel, market power, reputation and customer goodwill or the efficiency or inefficiency of ts operations
The focus then shifts to identifying potential opportunities and threats that may be on the horizon. This might include opportunities and threats relating to concur demand, distribution channels, system and process innovations or anything else deemed relevant
An organisations strengths and weaknesses are compared in order to identify opportunities that may be exploited and threats to existing objectives that need to be addressed
The technique helps an organisation to identify emerging risks that could be exploited using its strengths and those that are most likely to cause losses, because the organisations weaknesses may intensify their adverse effects
World Economic Forum Global Risk Report
The annual World Economic Forum (WEF) Global Risk Report is a useful source of current and emerging risks