Organizations are constantly striving to be better, safer, and more productive, but today no company is immune to a risk that could directly or indirectly affect its organization. At a time when uncertainty has plagued any organization, security has never been more important in all its aspects and seems to be a pillar of successful business models.
How can organizations effectively implement a risk management process?
According to records compiled by the Occupational Safety and Health Administration (OSHA), amputations occur on average twice a week in the meat industry in the United States. This type of incident drastically alters the image of a company. Imagine a multinational food processing company having its name associated with such negative publicity, which will likely earn a citation from OSHA and cause significant financial loss. And what if such a thing is published on social networks, it will cause irreparable damage to the company's brand and public opinion.
This is the scope of risk management that a company must prepare for in the world we live in today, the following article will guide you through the steps to effectively perform a risk management of this caliber.
Risk Management Process
Risk is any type of uncertainty that can improve or reduce an organization's ability to achieve its objectives. This is a broad topic because risks can take many forms, including risks affecting projects, finances, security and privacy, and the environment.
The risk management process is a defined method for understanding: what risks and opportunities are present, how they may impact the business, and how to respond to them. A company's ability to manage risk better than its competitors will certainly contribute to its success. And the incapacity to do so is synonymous with disaster, perhaps beyond recovery.
These are the reasons why it is important to apply a proven and consistent risk management process.
The 5 steps of the risk management process
Several institutions have documented how to perform risk management, but possibly the best recognized one is that of the International Organization for Standardization, or ISO. Specifically, the ISO 31000 standard, which is the risk management guideline that provides risk management principles, framework, and process.
The process is essentially the same for any type of entity and includes five steps:
1 - Risk identification
The first step in the risk management process is to identify the risks to which the company is exposed to in its operating environment.
The very first assignment in this step is to review the goals and objectives of the organization and all of the resources or assets that enable them. There are two approaches for that:
- Top-down approach: it consists in focusing on the critical processes of the company which should not be compromised such as sales transactions or the supply chain. After that, it is necessary to list the conditions which could impair the proper functioning of these processes.
- Bottom-up approach: this approach consists of identifying the various sources of known threats such as natural disasters, political and economic stability, etc., and then thinking about the impact they could have on the business.
It is also important for this step to create probable and measurable scenarios for each risk. Using scenarios to describe risk helps to communicate risk conditions and to analyze its likelihood and impact.
Here are the basic elements that help develop risk scenarios: first, identify which valuable assets or resources would be affected; then define the source of threatening actions that would act against that asset; after that, recognize the vulnerability or pre-existing conditions that allow that source of threat to operating; and finally, describe the detrimental impacts that occur from the
2 - Risk categorization
This step consists of categorizing the risk according to various factors. The previous step will certainly generate a subsequent number of risks. However, by definition, a risk is any uncertainty that affects the objectives.
Categorization also makes it possible to assign the analysis of each category of risk to the processes that are familiar with it. For instance, risks related to the impact of waste on the environment should be assigned to the environment processes/department.
There are four areas of risk categories:
- Strategic risk: they are about brand image and reputation, customer relations and public relationship, etc.
- Financial risk: they are related to market, tax, recovery, liability, etc.
- Compliance and governance risk: they are risks related to ethics, regulations, regulation, good practices, etc.
- Operational risks: they are related to companies’ data and technology security and privacy, supply chain, worker’s health and safety, natural disasters, etc
The final part of this step is to record the results in a risk register platform. There are dedicated digital tools such as Integrated Risk Management (IRM) that facilitate this step through an intuitive risk detail template and prioritization. The more impact a risk has, the higher its priority.
Discover the best Apps for your HSE management
3 - Risk likelihood and impact Analysis
As stated above, a risk is only a risk if it has a probable impact on the business. This step involves analyzing the likelihood of a risk occurring and having a measurable impact.
This step is essentially a calculation of the probability of a risky event occurring and an estimation of the impact of the consequences should it occur. It is important to consider the timing of impact in this step, as there are risks that have an immediate impact and others that have later consequences.
There are two types of risk analysis methods, qualitative and quantitative risk analysis. Let’s see the main differences between them:
- Qualitative risk analysis is the process of evaluating or rating risks based on an individual's perception of the severity and likelihood of its consequences. The objective of this approach is to draw up a shortlist of risks that must be given priority over the others.
- Quantitative risk analysis is the process of calculating risk based on collected data. The purpose of quantitative risk analysis is to further clarify how much the impact of risk will cost the business. This is achieved by using what is already known to predict or estimate an outcome.
Quantitative risk analysis provides more objective information and more accurate data than qualitative analysis because it is based on realistic and measurable data used to calculate the impact values that the risk will create with the probability of occurrence.
Time factors are an important variable in risk analysis and calculation, as well as the frequency of risk events, which is another temporal factor to consider.
Another approach for risk analysis is Risk Value, an estimation of the cost of the risk that is obtained by multiplying the risk probability and the risk impact.
Risk Value = Probability of Event x Cost of Event
The results of the risk analysis make it possible to sort and classify the risks according to their degree. Terms such as "high risk" or "high probability" are the reference used by most organizations to communicate degrees of risk. .
4 - Risks treatment
Risk treatment is the process of selecting and implementing measures to reach an acceptable level of risk. Here are the different approach to this step:
- Avoidance: this option consists in choosing not to pursue the activity likely to generate the risk, when possible. Alternatively, you can think of another way to achieve the objective or task.
- Reduction: this involves reducing the likelihood of the risk occurrence, through various measures such as quality control processes, auditing, compliance with legislation, staff training, etc. Or, to reduce the impact if the risk occurs through emergency procedures.
- Transfer: if possible, transfer all or part of the risk to a third party through insurance, outsourcing, joint ventures or partnerships.
- Acceptance/Retention: this option refers to facing a risk if it cannot be avoided, reduced or transferred. Nevertheless, organizations must have plans to manage and fund the consequences of the risk should it occur.
It is important to ensure that the methods applied are both efficient and cost-effective.
5 - Monitor & Review
Monitoring and review should be an integral part of the risk management process and involve regular checking or monitoring to ensure that risks remain within the limits established by the organization's board.
Hence, risk management results should be recorded and reported externally and internally to ensure that managers and senior executives are informed of progress towards risk objectives and changes that may impact the organization.
The entire risk management process should mimic the PDCA (Plan, Do, Check and Act) cycle. Yes, the results should also provide input into the review and continuous improvement of the organization risk management framework.
The long-term success of an organization relies on many elements, ranging from continuously evaluating and updating its offering to optimizing its processes. Through the application of these five steps, organizations can consistently identify the risks that could have a negative impact, then prioritize cost-effective measures to stay one step ahead of opportune risks.
> Available on BueKanGo’s Marketplace: e Permit to Work