Whilst a SWOT Analysis is a good fast way to discover new opportunities and identify threats, many organisations have gone beyond this relatively simple approach and embraced more advanced forms of identifying and assessing risks and opportunities.
The move by many organisations to adopt an Enterprise-wide Risk Management (ERM) approach has directed organisations towards a more structured approach to identifying and managing risk. In this context,
Tony Harb from InConsult explores the various risk identification and assessment approaches organisations can choose from.
ISO/IEC 31010:2009
Did you know there is a whole standard dedicated to risk assessment techniques? ISO/IEC 31010:2009 Risk management – Risk assessment techniques is a supporting standard for ISO 31000 Risk management – Principles and guidelines and provides guidance on how to select and apply systematic techniques for risk assessment. It contains around 30 separate techniques…although some techniques do cross over.
It’s not critical that managers know all 30, but knowing more about these techniques will help you better align the risk assessment process with your risk assessment objectives.
1. Brainstorming
Brainstorming involves a group of people working together to identify potential risks, causes, failure modes, hazards and criteria for decisions and/or options for treatment. Brainstorming should stimulate and encourage free-flowing conversation amongst a group of knowledgeable people without criticising or rewarding ideas.
It is one of the best and most popular ways to identify both risks and key controls and is the basis for most risk workshops.
2. Interviews
During a structured interview, interviewees are asked a set of prepared questions to encourage the interviewee to present their own perspective and thus identify risks.
Structured interviews are frequently used during consultation with key stakeholders when designing the risk management framework. As an example, structured interviews are good to gauge risk appetite and tolerance when developing risk appetite statements.
3. Checklists
Checklists are pre-populated lists of hazards, risks or control failures that have been developed usually from experience, either as a result of a previous risk assessment or as a result of past failures or incidents.
Auditors often prepare checklists of key controls to aid in their assessment of control effectiveness and the internal control environment.
WARNING: We strongly recommend that risk checklists only be used as a secondary form of risk and control identification. Relying entirely on checklists can restrict ‘risk thinking’. Remember back to year 6 when you used to look at the back of your maths book for the answers before attempting to solve the problem…it’s a bit like that!
4. Structured “What-if” Technique (SWIFT)
This is a systematic, team based exercise, where the facilitator utilises a set of ‘prompt’ words or phrases to stimulate participants to identify risks.
One organisation was looking at reducing service levels in a number of areas to reduce its operating costs and SWIFT was used to analyse the impact of each reduced service level. Risks were then identified and assessed. Where risks could not be reduced to a tolerable level, the service level was maintained.
5. Scenario Analysis
Closely related to SWIFT. Here a scenario is a short story or description of a situation of how a future event or events might turn out or look like. For each scenario, participants reflect and analyse the potential consequences and potential causes when analysing risk.
Scenario analysis can be used to identify opportunities for fraud. For example, a scenario could be “A staff member has just admitted to defrauding or company of $50,000 over 8 years through fictitious expense claims…how can this happen?”
6. Fault Tree Analysis (FTA)
This method is similar to a form of creative thinking called reverse brainstorming. This technique is used for identifying and analysing factors that can contribute to a specified undesired event (called the “top event”). Causal factors are then identified and organized in a logical manner and represented pictorially in a tree diagram.
For example, if you want to improve customer service, state the objective in reverse e.g. “How can we really annoy our customers?” and from this statement, use brainstorming to identify causes that could annoy customers.
7. Bow Tie Analysis
They say “a picture is worth a thousand words” and this method is a perfect example. Bow tie analysis is a diagrammatic way of describing, linking and analysing the pathways of a risk from causes to effects/consequences.
Unlike the risk register, there are no numbers in this analysis i.e. there is no risk or control evaluation involved. This keeps the focus on understanding the relationships between the causes, event and consequences.
TIP: After a brainstorming session, bow tie analysis is a great way to clean up the ideas generated and consolidate the results into more appropriate risk statements.
8. Direct Observations
Simply looking out for risks and being situationally aware is not included in ISO/IEC 31010 as a risk identification technique. This relatively simple technique is used daily in the workplace by staff who may observe risky situations and hazards regularly. It is also used by emergency services when attending to an emergency and is a form of dynamic risk assessment. It is also heavily used by Workplace Health & Safety professionals during inspections and audits.
A risk aware culture and well trained staff will improve people’s ability to observe potential risks and implement controls before the risk eventuates into an incident.
9. Incident Analysis
Incidents are risks that have now occurred. Recording incidents in a register, conducting root cause analysis and periodically running some trend analysis reports to analyse incidents, can potentially enable new risks to be identified. In addition, a high frequency of like incidents can be a lead risk indicator to a potentially larger problem.
10. Surveys
This method is also not included in ISO/IEC 31010 as a risk identification technique, however, it is similar to structured interviews but involves a larger number of people. It can be used to collect a broad set of ideas, thoughts and opinions across a range of areas covering risks and control effectiveness.
One of the best ways for risk managers to use surveys is to assess the organisation’s risk culture. Internal auditors can use surveys to assess the internal control environment. Some organisations use annual staff surveys to gauge staff understanding of key risk and governance policies and procedures.
The Bottom Line
- Risk assessments need not be boring workshops.
- Risk identification techniques vary in complexity and each method has advantages and disadvantages.
- Whilst understanding all 30 plus risk assessment techniques outlined in ISO/IEC 31010:2009 Risk management – Risk assessment techniques is ideal, for most situations, having a tool kit of 5-8 different techniques that can be used at the appropriate time is sufficient.
So, now that you know the different methods…it’s time to leave your comfort zone and try something new.
—
Tony Harb B. Bus, FCA, MBA, MIIA (Aust) has over 20 years’ experience in risk management, financial control and audit. He can be contacted on 02 9241 1344 or tonyh@inconsult.com.au.