Risk Management - Coggle Diagram
Risk Management
Identifying and Analyzing Risk
:warning: Risk Identification & Analysis Overview
MECE Principle
MECE = Mutually Exclusive, Collectively Exhaustive.
Goal: Identify all risks without duplication or overlap.
:warning: Overlapping risks lead to incomplete management & resource waste.
:check: Example—Data breach affects:
Compliance (privacy laws)
Reputation (trust)
Financials (loss, fines)
:check: Risk Identification Methods
Expert Consultation
Review insurance claims, speak with insurers.
Study equipment manuals for hazard identification.
Hazards = potential for harm due to uncontrolled conditions/activities.
External Networking
Contact:
Colleagues/peers
Government & embassies
Chambers of commerce, industry associations
Local journalists (e.g., for security/crime risks abroad)
Focus Groups & Interviews
Target: Employee groups across roles and regions.
Use brainstorming, sorting, consensus techniques.
Surveys
Broader data collection when focus groups aren't feasible.
Process Analysis
Map and analyze critical workflows (e.g., onboarding, payroll).
Identify risk points at process level.
Direct Observation
Walk through sites to spot physical vulnerabilities.
Fire hazards, clutter, unsecured access, etc.
:check: Risk Analysis Tools
Risk Equation
Risk Level = Probability × Impact
Risk Scorecard
:check: Rates each risk on:
A. Event Probability
B. Speed of Onset
C. Existing Mitigation
D. Severity of Impact
Final score = A × B × C × D
Helps prioritize risk management focus.
Risk Matrix
X-axis: Probability
Y-axis: Impact
Four quadrants:
High impact/High probability → :warning: High Risk (Immediate attention)
Low impact/Low probability → Low Risk (Monitor)
:warning: Does not account for current protection/control levels.
:check: Key Risk Indicators (KRIs)
Metrics providing early warnings of rising risk exposure.
Based on root causes or intermediate events.
:warning: Require monitoring to be effective.
Example: ↑ absenteeism → possible workplace conflict/stress.
:check: Risk Register
Tool to track and manage identified risks.
Common fields include:
Risk Category & Event
Risk Classification
KRIs
Controls in place
Risk Owner(s)
Reporting Requirements
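The following is an added worked example, not part of the Coggle diagram: it turns the Risk Equation, Risk Scorecard and Risk Matrix above into a small risk register that ranks constructed sample risks. The 1–5 ordinal scale, the inverted scale for "existing mitigation", the threshold separating low from high on the matrix axes and the "Medium" label for the two mixed quadrants are all assumptions; the diagram does not fix them.

```python
"""Added example (not from the diagram): a minimal risk register that applies
the scorecard (A x B x C x D), the basic risk equation and the risk matrix
to constructed sample risks, then prioritizes them."""
from dataclasses import dataclass, field

# Assumed ordinal scale 1..5 for every factor.  For "existing mitigation" the
# scale is deliberately inverted: 1 = strong controls in place, 5 = none, so
# that better mitigation lowers the score.
SCALE = range(1, 6)
HIGH = 3  # assumed threshold: a value >= HIGH counts as "high" on a matrix axis


@dataclass
class Risk:
    category: str
    event: str
    probability: int      # A. event probability
    onset_speed: int      # B. speed of onset
    mitigation: int       # C. existing mitigation (inverted scale, see above)
    impact: int           # D. severity of impact
    kris: list = field(default_factory=list)      # key risk indicators
    controls: list = field(default_factory=list)  # controls in place
    owner: str = ""                               # risk owner

    def __post_init__(self):
        for name in ("probability", "onset_speed", "mitigation", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in {list(SCALE)}")

    def risk_level(self) -> int:
        """Risk equation: Probability x Impact."""
        return self.probability * self.impact

    def scorecard(self) -> int:
        """Scorecard: A x B x C x D."""
        return self.probability * self.onset_speed * self.mitigation * self.impact

    def matrix_quadrant(self) -> str:
        """Risk matrix placement.  Note it ignores existing controls,
        which is the caveat the diagram attaches to the matrix."""
        high_prob, high_impact = self.probability >= HIGH, self.impact >= HIGH
        if high_prob and high_impact:
            return "High Risk (immediate attention)"
        if not high_prob and not high_impact:
            return "Low Risk (monitor)"
        return "Medium Risk (review)"  # label for the mixed quadrants is an assumption


def prioritize(register):
    """Risks ordered by scorecard, highest first, to focus management effort."""
    return sorted(register, key=lambda r: r.scorecard(), reverse=True)


# Constructed sample register; values are illustrative only.
REGISTER = [
    Risk("Compliance", "Customer data breach", 3, 4, 4, 5,
         kris=["days since last patch cycle", "failed phishing-test rate"],
         controls=["MFA", "quarterly access review"], owner="CISO"),
    Risk("Operations", "Payroll system outage", 2, 5, 2, 3,
         kris=["batch job failures per month"], controls=["warm standby"],
         owner="Head of IT"),
    Risk("Physical", "Office fire", 1, 5, 1, 5,
         kris=["open fire-inspection findings"], controls=["sprinklers", "drills"],
         owner="Facilities"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.scorecard():4d}  {r.matrix_quadrant():32}  {r.event} ({r.owner})")
```

Running it lists the breach first (score 240) although all three risks sit in the matrix's high-impact half, which is the practical difference between the matrix and the scorecard: only the scorecard credits the strong fire controls.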
:warning: Key Considerations
Prioritize honesty, skepticism, and courage during analysis.
Be prepared for resistance from those who downplay risks.
Apply tools for both threats and opportunities (upside risks).
Understanding the Organizational Risk Context
Initial Risk Assessment
Evaluate the prominence and location of risk in the organization.
Use PESTLE analysis (Political, Economic, Social, Technological, Legal, Environmental) to identify external risks.
Use SWOT analysis to assess internal strengths/weaknesses against external opportunities/threats.
Example: NGO Using PESTLE
Political: Tax, trade, laws, political stability.
Economic: Interest/inflation rates, wages, cost of living.
Social: Demographics, safety awareness, culture.
Technological: Tech adaptability and compatibility.
Legal: Local operational laws.
Environmental: Climate/terrain impacts.
Cross-Functional Risk
Risks often span multiple departments.
Example: University stakeholders include administration, faculty, students, government, and community.
Risks intersect (e.g., budget, faculty quality, campus security) and require integrated management.
Risk Appetite vs. Risk Tolerance
Risk Appetite: High-level description of acceptable risk (e.g., "We don’t risk unfilled leadership roles").
Risk Tolerance: Specific acceptable variation range (e.g., "Management roles filled within 30–45 days").
Factors Influencing Risk Appetite/Tolerance
Strategic Goals: Align risk appetite to support/mitigate goal pursuit.
Leadership Attitude: Culture of risk-aversion vs. risk-taking.
Resources (Risk Capacity): Financial strength affects risk decisions.
External Requirements: Insurance, certifications, reserve requirements.
Loss Expectancy (Quantitative Risk Assessment):
SLE (Single Loss Expectancy): SLE = AV (asset value) × EF (exposure factor).
ALE (Annualized Loss Expectancy): ALE = SLE × ARO (annualized rate of occurrence).
Preventive measures may be justified even if cost > expected loss.
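As an added example (not from the diagram), the SLE and ALE formulas above computed for a constructed asset, extended one step beyond the page to the usual follow-up question: does a control that lowers the expected loss pay for its own annual cost? The asset values, exposure factors, rates and control costs are all made up; the `control_value` helper is an assumption, not a term the diagram uses.

```python
"""Added example (not from the diagram): SLE = AV x EF, ALE = SLE x ARO, and
the annual cost-benefit of a preventive control on constructed figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one event (0..1)
    aro: float              # ARO, expected events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """(ALE before control) - (ALE after control) - annual cost of the control.

    Positive: the control pays for itself on expected loss alone.
    Negative: not justified on expectancy alone; as the diagram notes it may
    still be justified by risk appetite, regulation, safety or ethics."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed scenario: a customer database, one damaging event expected every
# two years (ARO 0.5), losing half its value per event.  A control (assumed to
# cut ARO to one event in eight years) is priced at two alternative costs.
DB_BEFORE = Exposure("customer database", 400_000, 0.5, 0.5)
DB_AFTER = Exposure("customer database", 400_000, 0.5, 0.125)
CHEAP_CONTROL = 40_000    # annual cost, constructed
PRICEY_CONTROL = 90_000   # annual cost, constructed

if __name__ == "__main__":
    print(f"SLE  = {DB_BEFORE.sle():,.0f}")
    print(f"ALE  = {DB_BEFORE.ale():,.0f} before, {DB_AFTER.ale():,.0f} after")
    for cost in (CHEAP_CONTROL, PRICEY_CONTROL):
        value = control_value(DB_BEFORE, DB_AFTER, cost)
        verdict = "pays for itself" if value > 0 else "not justified on expectancy alone"
        print(f"control at {cost:,}/yr: net {value:,.0f} ({verdict})")
```

The figures were chosen as exact binary fractions so the arithmetic is exact: SLE 200,000; ALE 100,000 before and 25,000 after; net +35,000 for the cheaper control and -15,000 for the pricier one. The second case is exactly the situation the last bullet describes, where a decision-maker may still adopt the control for reasons the expectancy figure does not capture.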
Misalignment of Risk Positions
Occurs when risk appetite isn’t matched to resources or ethics.
Moral Hazard: One party takes excessive risks because others bear the consequences.
E.g., under-reporting accidents, abusing health benefits, golden parachutes.
Principal-Agent Problem: Agents act in their own interest, not the principal’s.
Mitigated with aligned incentives (e.g., bonuses, ownership plans).
Conflict of Interest: Dual allegiances may bias decision-making.
E.g., hiring friends, family supervision, gifts to politicians.
Evaluating Risk Controls
Key Questions:
Are there existing risk controls?
Are they effective (based on data)?
Examples:
Workforce planning process: Still results in poor estimates → revise process.
Safety training: No impact on injury rates → explore new methods.
Application vetting: Missed major credential fraud → tighten control mechanisms.