What is risk assessment?
A risk assessment is a systematic evaluation of potential risks for an activity, project, or business. Risks are identified and prioritized for action based on the probability of them occurring (likelihood) and the seriousness of the outcome if they do (impact). Risk assessment activities are sometimes referred to as risk analysis or risk mapping.
A risk assessment can be quantitative or qualitative. For quantitative analysis, explicit values are assigned to the probability of a risk occurring, and impact is often measured in financial terms. Qualitative risk assessments do not use numbers, and their main aim is to identify those risks that are perceived to pose the most danger.
Why do a risk assessment?
Risk assessments provide an opportunity to identify and understand hazards, vulnerabilities, and threats that could impact negatively on the business. Using this information, an organization can then prioritize expenditure and effort on risk mitigation and control strategies. Risk assessments are an opportunity for your whole team to participate in identifying key risks and obtain a mutual understanding of critical issues that might impact on your success.
Who should complete a risk assessment?
Because the technique is so simple and versatile, development of a Risk Map is useful for:
- All industries
- All levels of an organization
- All departments
- Existing or new businesses
- Business processes
Use risk mapping:
- As part of regular organizational reviews
- To proactively assess changing business conditions
- To explore new initiatives
- To focus and redirect efforts and resources
- As part of emergency, crisis and business continuity planning
- As a broad environmental scan for initial planning
- Carefully select participants to provide expert knowledge but also a fresh perspective.
- Use technology to involve critical people in different locations rather than miss their contribution.
- Be specific rather than broad when defining stakeholders.
- Provide adequate time in the session to position and rate stakeholders.
- Communicate outcomes and regularly update throughout the project.
The risk assessment template
A qualitative risk assessment template (aka risk map) provides a visual representation of risks. The relative likelihood of a risk occurring appears on the X-axis, while the Y-axis reflects the relative impact the risk would have if it eventuates.
- Difficult Risks: These risks are unlikely to occur but would have a large impact if they did.
- Critical Risks: These risks have a medium to high likelihood of occurring, and would have a severe impact if they do.
- Minor Risks: These risks are unlikely to occur and would have minimal consequences if they did. With finite resources, these risks are not a priority.
- Routine Risks: These risks may occur frequently but have a low impact.
How to run a risk assessment activity
The best process for evaluating risks to an organization will vary depending on the type of industry and the rules and regulations it is subject to. Organizations involved in high-risk industries (nuclear, aviation, medical, engineering) may have dedicated risk managers and departments whose sole role is to assess and plan controls for risks. For many businesses, however, a risk assessment can be carried out by a group of people with expert knowledge in the product, services, or process under assessment.
1. Give context and identify the scope of the risk assessment
2. Gather input and ideas on the risks to the business
3. Position risks according to their perceived likelihood and impact
4. Vote to identify which ones people think are the most urgent priorities for action
5. Develop risk mitigation strategies and assign responsibilities and timeframes
6. Report on the outcomes and monitor as part of your risk management strategy
Give context and define the scope of the risk assessment. The goals of a risk assessment will depend on the industry, organization, and business processes under examination. Participants in the session should have expert knowledge of the area under examination or be provided with enough information to allow them to contribute effectively.
Present any data and information that will help give context for the session. Examples of information might include:
- Results from a business impact assessment, Business Model Canvas, SWOT analysis, PESTLE analysis
- Data from the organization’s quality management and other information systems
- Industry trends and news
- Relevant rules and regulations
Define whether the session is addressing strategic, project, process, systems, product or service risks. By making the scope of the meeting clear, participants can focus their efforts, e.g.:
- Organizational risks over the next five years
- Risks associated with the development of a new product or service.
- Health & Safety risks for employees involved in a particular manufacturing process.
- Risks to confidential data and information systems.
It is also useful to define criteria for the Likelihood and Impact axes in the matrix. Depending on the scope of the session, these definitions are likely to be quite different from one risk analysis to another.
- A high likelihood could mean the risk is almost certain to occur, medium – perhaps once every couple of years, and low is a once in a decade occurrence.
- A high impact might mean the business ceases to function for a period of time or there are multiple fatalities. A low impact could mean minor injuries and a delay in deliveries for a few days.
Participants brainstorm ideas on hazards, threats, and vulnerabilities that can have an adverse impact on the business. They then position those risks according to how likely they believe they will occur and how serious they believe the outcome would be.
Examples of risks:
- Environmental hazards
- Workplace Health & Safety Hazards
- Infrastructure Failure
- Financial Risks
- Information systems vulnerability
- HR Risks
Initial brainstorming can be done individually, in small groups, or as a whole. Gather ideas using a whiteboard, sticky notes, or on dedicated software such as GroupMap.
Using a specialized online tool makes steps 3 to 6 much easier and more efficient, especially if the group is large or in different locations.
Once all the ideas are gathered, remove duplicates, combine similar risks and discard any that aren’t within scope.
Discuss each risk and obtain consensus on where the risk should be positioned on the risk map according to the likelihood it will occur and the impact it would have.
This step is when a tool like GroupMap comes into its own. Individuals or small groups can position each risk according to their insight, and the software automatically provides a group average.
The group votes on those risks they believe are the top priority and should be addressed first.
Each participant or small group has one or more votes to allocate across the risks. They may use one vote for each of their priorities or use multiple votes on something they believe is critical.
Identify a range of solutions to prevent, reduce, control, or insure against those risks which are seen as a priority and agree on the best choice using available resources.
Risk mitigation strategies should try to eliminate the risk entirely or reduce it to an acceptable level. The amount of resources allocated to each action should be in proportion to the expected results. There should be a balance between the cost of preventing the risk versus the cost of recovering should it eventuate.
- Difficult Risks (Low Likelihood/High Impact) are the most difficult to control. Possible solutions include insurance, inbuilt redundancy, or backup systems off-site.
- Critical Risks (High Likelihood/High Impact) require the most urgent attention. Management should give priority to preventing these.
- Minor Risks (Low Likelihood/Low Impact) should be monitored to ensure they don’t develop into more serious problems.
- Routine Risks (High Likelihood/Low Impact) can be addressed by implementing controls in routine procedures.
Assign responsibilities, resources, and timeframes for completion.
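The positioning, voting and quadrant steps above can be worked through in a short script that averages each participant's placement, tallies votes and names the quadrant. This is an added example, not GroupMap's own code; the 1 to 5 rating scale, the midpoint threshold of 3, the function name and the sample session are assumptions.

```python
from collections import Counter
from statistics import mean

# Quadrant names come from the page. The 1-5 scale and the midpoint
# threshold of 3 are assumptions made for this example.
THRESHOLD = 3.0
QUADRANTS = {  # (high likelihood?, high impact?) -> quadrant
    (True, True): "Critical", (False, True): "Difficult",
    (True, False): "Routine", (False, False): "Minor",
}

def build_risk_map(placements, votes):
    """placements: {participant: {risk: (likelihood, impact)}}
    votes: {participant: [risk, ...]}; a repeated risk is a multiple vote.
    Returns one row per risk, sorted by votes, then impact, then likelihood."""
    by_risk = {}
    for ratings in placements.values():
        for risk, (likelihood, impact) in ratings.items():
            if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
                raise ValueError(f"rating out of range for {risk!r}")
            by_risk.setdefault(risk, []).append((likelihood, impact))
    tally = Counter(r for ballot in votes.values() for r in ballot)
    unknown = set(tally) - set(by_risk)
    if unknown:  # a vote for a risk nobody positioned is a data-entry error
        raise ValueError(f"votes for unplaced risks: {sorted(unknown)}")
    rows = []
    for risk, points in by_risk.items():
        avg_l = mean(p[0] for p in points)  # group average position
        avg_i = mean(p[1] for p in points)
        rows.append({
            "risk": risk, "likelihood": round(avg_l, 2), "impact": round(avg_i, 2),
            "quadrant": QUADRANTS[(avg_l >= THRESHOLD, avg_i >= THRESHOLD)],
            "votes": tally[risk],
        })
    rows.sort(key=lambda r: (-r["votes"], -r["impact"], -r["likelihood"]))
    return rows

# Constructed sample session: three participants, four risks.
PLACEMENTS = {
    "alice": {"Unpatched file server": (4, 5), "Data centre flood": (1, 5),
              "Phishing emails": (5, 2), "Printer outage": (2, 1)},
    "bob": {"Unpatched file server": (5, 4), "Data centre flood": (2, 4),
            "Phishing emails": (4, 2), "Printer outage": (1, 2)},
    "carol": {"Unpatched file server": (3, 5), "Data centre flood": (1, 5),
              "Phishing emails": (5, 1)},
}
VOTES = {
    "alice": ["Unpatched file server", "Unpatched file server", "Data centre flood"],
    "bob": ["Unpatched file server", "Phishing emails", "Data centre flood"],
    "carol": ["Data centre flood", "Phishing emails", "Unpatched file server"],
}
```

Calling `build_risk_map(PLACEMENTS, VOTES)` returns the rows in priority order, ready to have owners and timeframes assigned.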
Compile a report on the results of the risk assessment process. The report should contain the identified risks, the planned actions, those responsible, and timeframes for implementation.
Use the report to:
- Communicate outcomes with participants and relevant stakeholders to encourage buy-in and ownership of risk management efforts.
- Monitor the status of risks, actions, and resource allocations on a regular basis as they are likely to change over time.
- Contribute to other business development processes, e.g. planning, product development, and budgeting.
GroupMap automatically generates visually appealing reports in several formats for distribution, saving time and effort after the workshop.
Save effort, time and money with GroupMap
Whether you have your best minds together in the same room, or distributed around the world, GroupMap’s unique technology allows groups of up to 2000 to submit ideas independently at separate times, from different places, in different timezones. Prevent dominant personalities swaying the group, drowning out the opinions of others – GroupMap allows everyone to brainstorm independently then effortlessly combines that information to reveal the full spectrum of ideas. GroupMap templates keep the objective front and center throughout the session, keeping everyone on task. This ensures the activity identifies actionable issues rather than becoming just a discussion on ideas. GroupMap gives you all the group decision making tools you need to prioritize, decide and take action.