4.2 Risk Identification Strategies

There are many approaches and strategies that an organization can use to identify the potential adverse effects and opportunities that its risks present. When identifying risks, the best approach is an integrated approach, which is consistent with holistic risk management. A holistic approach to risk identification would involve individuals from senior management, middle management, risk management and personnel from all departments and sectors of the organization. In other words, it is a team approach to risk identification.

The following risk identification strategies should be performed by teams or groups that are familiar with the organization:

Brainstorming

Identifying risks in an informal and open discussion where all suggestions are welcomed as good suggestions based on the knowledge and experience of those in attendance. At the conclusion of the session, all the risks that have been identified should be analyzed and evaluated.

Workshops

Identifying risks in a formal setting by collaborating and hearing from others with the purpose of achieving a result. It is recommended that internal and external stakeholders be present at the workshop. It is advisable to have a facilitator who is familiar with leading risk management to guide the discussion, manage time and keep the participants on task. A facilitator can be an employee of the organization, but it is not uncommon to bring in a facilitator from outside of the organization for a more diverse perspective.

SWOT

Identifying risks by analyzing Strengths, Weaknesses, Opportunities, and Threats that exist in the organization. SWOT is commonly used by organizations to make decisions about risk during workshops or brainstorming sessions.

Documents

Identifying risks by examining documents that are relevant to the organization. Documents containing information on surveys that have been conducted, compliance reviews, insurance policies in force and no longer in force, financial statements, contracts, and projects should be reviewed to understand where risks exist in the organization, where risks are transferred and where there are opportunities.

Root Cause Analysis

Identifying risks by understanding the factors that caused an event to adversely affect the organization and controls or strategies that can be implemented to minimize the potential of a re-occurrence. The root causes of negative events that have previously affected the organization’s risks and have the potential to cause future harm can be identified.

Physical Risk Inspections

Identifying risks by having persons with skill and experience in risk assessment visit sites to determine if physical hazards exist that could adversely affect the organization. A visit by a qualified risk inspector is key in identifying risks that exist at a site that otherwise might not be known to the organization. The risk inspector will also consult with front-line employees and managers at the location to gather or confirm information that might not be apparent during the inspection.

Experts

Identifying risks using the opinions of subject experts. The Delphi technique brings together a panel of experts to answer questions pertaining to the organization and its risks. Each panel member is separated from the other panel members, and the answers to the questions are gathered anonymously. After each round of questions, a facilitator reviews the replies and presents the responses to all panel members. The same question is then asked again, and each panel member is given the opportunity to re-evaluate their previous response to the question before answering for a second time.

Risk Register

Identifying risks and inserting them into a table. A risk register is a risk management tool that identifies all the risks in an organization across individual scenarios, processes, sectors and locations. It is a useful tool that an organization can use to assess and prioritize its risks. For example, forest fires in Western Canada lead to catastrophic losses. In this case, risks resulting from forest fires should be identified across the four risk classifications of hazard risks, operational risks, financial risks and strategic risks (See Table 4.2.1). The likelihood and consequences of each risk should be listed separately and calculated to determine the level of risk for each of the risk categories. The consequences can be expressed as dollar amounts. A risk register showing all the risks collected from the individual risk registers in the organization can be combined into a single organizational risk register that shows all the identified risks in one place.


Table 4.2.1 Risk Register
Risk Event/Description | Risk Owner | Likelihood | Impact | Score | Improvement Action | Due Date/By When

Legends:

Likelihood Score: 1, 2, 3, 4, 5
Impact Score: 1, 2, 3, 4, 5
  • Risk Event/Description: A description of the risks under each of the four risk categories: hazard, operational, financial, and strategic. It is more common to list risks with negative outcomes as opposed to positive outcomes under this heading. It is customary to build a risk register showing the inherent risks faced by an organization, followed by a second risk register that shows the residual, target or optimum risks that exist after the risks have been treated.
  • Risk Owner: The Risk Owner is the entity that will make decisions about the risk and/or report on the risk.
  • Likelihood: The likelihood of an event occurring is expressed as a number between 1 and 5. It is associated with the frequency of an event occurring typically within the next 12 months. A likelihood of 5 would indicate that an event is extremely likely to occur, whereas a likelihood of 1 is indicative of an event that is extremely unlikely to occur.
  • Impact: The impact of an event is expressed as a number between 1 and 5. It is associated with the consequences or severity of an event. An impact of 5 would indicate that the event would have a significant effect on an organization, whereas an impact of 1 would be indicative of an event that would have a minimal effect on an organization. The impact can also be expressed in ranges of dollar amounts.
  • Score: The score for the risk is calculated as follows: likelihood score × impact score. The calculated score will quantitatively show the level of risk that the organization is exposed to. Scores can be displayed as a matrix on a risk map to visually show what risks fall inside or outside of the organization’s risk appetite.
  • Improvement Action: Actions that are already in place and/or plans that could contribute to improving risks faced by the organization. It is not necessary to identify specific risk responses or treatments at this point.
  • Due Date/By When: The date showing when existing plans were put into place or the proposed date that plans to address risk are to be implemented by the organization.

Risk Map

Identifying risks by transferring them from the risk register and graphically depicting them on a heat map. Risks are plotted using their likelihood and impact scores. The risk map positions likelihood on a scale along the x-axis against impact or consequences on a scale along the y-axis (Table 4.2.2). The level of risk is calculated by adding the likelihood score to the impact or consequences score. The heat map is colourized into green, yellow and red sectors.

A likelihood score of 5 and an impact or consequences score of 5 would place a risk in the top right-hand corner of the risk map in a red-coloured sector. This would be a risk that would not be acceptable to an organization under normal circumstances as it would very likely fall outside of the organization’s risk appetite. Identified risks in this sector should be addressed by stopping the activity that is causing this level of risk or by taking steps to reduce the likelihood or impact/consequences of the risk. In comparison, a risk with a likelihood score of 1 and an impact or consequences score of 1 would place the risk in the green sector of the risk map. Risks in the green sector are normally tolerated by the organization without any further action required as they would fall within the organization’s appetite for risk.

An organization can create a variation of the basic risk map that traces an inherent risk (red sector), where there has been no attempt to respond to the likelihood or impact/consequences of the risk, through to the risk that is left over after a risk response (residual risk) in the yellow sector. If the organization is not satisfied with the level of risk after the initial risk response, then further risk responses may be required to shift the risk into the green sector, where it would be considered as a target or optimum risk that falls within the organization’s risk appetite.

Risks that are identified on the risk map as being outside of the scope of the organization’s risk appetite must be addressed. Risk responses are decisions that will be based on the outcome of a risk assessment, the identification and analysis of the organization’s risks.

Table 4.2.2: Basic Risk Map. See the description below for an accessible description.
Impact
5 | Major Risk
4 |
3 | Moderate Risk
2 |
1 | Minor Risk
  | 1 2 3 4 5
    Likelihood

Table Description

A table with numbers from 1-5 going up for Impact and 1-5 from left to right along the bottom for Likelihood. The top corner (5/5) is labelled Major Risk in red. The mid-way row is labelled Moderate Risk in yellow, and the bottom is labelled Minor Risk in green.
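
The register columns and the risk map described above can be combined in a short script. This is an added example, not part of the original text: it scores each entry with the register's likelihood × impact rule, places it on a 5×5 grid, and traces one inherent risk to its residual position. The sample entries, owner names and the green/yellow/red thresholds (`appetite`, `tolerance`) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    event: str       # Risk Event/Description
    owner: str       # Risk Owner
    likelihood: int  # 1 = extremely unlikely ... 5 = extremely likely
    impact: int      # 1 = minimal effect ... 5 = significant effect
    def __post_init__(self):
        scores = (self.likelihood, self.impact)
        if not all(isinstance(s, int) and 1 <= s <= 5 for s in scores):
            raise ValueError("likelihood and impact must be integers from 1 to 5")
    @property
    def score(self):  # register rule: likelihood score x impact score
        return self.likelihood * self.impact

def band(risk, appetite=4, tolerance=12):
    """Colour sector of the risk map; both thresholds are assumed values."""
    if risk.score <= appetite:
        return "green"
    return "yellow" if risk.score <= tolerance else "red"

def treat(risk, **lowered):
    """Residual risk: the same event with likelihood and/or impact lowered."""
    return replace(risk, **lowered)

def risk_map(risks):
    """Text grid: impact on the y-axis (5 at top), likelihood on the x-axis."""
    cells = {}
    for number, r in enumerate(risks, 1):
        cells.setdefault((r.likelihood, r.impact), []).append(str(number))
    rows = []
    for imp in range(5, 0, -1):
        marks = [",".join(cells.get((lik, imp), ["."])) for lik in range(1, 6)]
        rows.append(f"{imp} |" + "".join(m.center(5) for m in marks))
    return rows + ["   " + "".join(str(lik).center(5) for lik in range(1, 6))]

# Constructed sample register for the forest-fire scenario (not real data).
REGISTER = [
    Risk("Hazard: fire damages a warehouse", "Facilities Manager", 3, 5),
    Risk("Operational: road closures delay shipments", "Logistics Lead", 4, 3),
    Risk("Financial: insurance premiums increase", "Finance Director", 4, 2),
    Risk("Strategic: customers move to other suppliers", "Senior Management", 2, 4),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: r.score, reverse=True):
        print(f"{r.score:>2} {band(r):<6} {r.event} ({r.owner})")
    # Entry 5 on the map is the residual position of entry 1 after treatment.
    print("\n".join(risk_map(REGISTER + [treat(REGISTER[0], likelihood=2, impact=3)])))
```
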

License


Risk Management - Supply Chain and Operations Perspective Copyright © 2024 by Azim Abbas and Larry Watson is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
