Business leaders who say their company has no risks are dangerously blind and irresponsible. All business transactions bring risks, especially international risks. Risks from cybercrime, natural disasters, corporate espionage, disgruntled employees, changing regulations and operating conditions, supply chain disruptions, and activist consumers are all around us. As many guests on The International Risk Podcast have demonstrated, effective risk management involves risk prevention and planning for a response well before the risk materializes. There are many lessons to learn from the international risk environment in 2021.
Effective risk identification is the process of identifying and assessing the likelihood and consequence of risks that could affect your people, operations, suppliers, reputation, or profitability. Identifying, assessing, and prioritizing risks allows risk management committees to develop risk management plans that are more likely to be effective at mitigating the most likely and most dangerous risks to their business.
What is the risk identification process?
There are five core steps within the risk identification and management process. These steps include risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring. Let’s look at the risk identification steps in more detail:
- Risk Identification: The purpose of risk identification is to reveal what, where, when, why, and how something could affect a company’s ability to operate. For example, a business located in southern Europe might include “wildfire” as an event that could disrupt business operations, whereas a business with operations in northern Europe might include “extreme snow storms” as an event that could negatively impact supply chains and business operations.
There are many ways to identify an organisation’s risks, and some of the more common examples include brainstorming and seeking employee feedback. Let’s look at these in more detail:
Brainstorming: Risk management committees may find that brainstorming the probability of various catastrophic events with other company stakeholders, such as managers and certain C-level staff, can help identify new threats. It is usually helpful to have an external risk management consultant facilitate these workshops. Having an external facilitator is cost-effective and results in significantly better outcomes.
Seek Employee Feedback: Upper-level management’s perspective of an organization’s risks can be starkly different from the perspective that employees hold. Employees may encounter new risks in their day-to-day activities that may not have otherwise been encountered. For example, insufficient training on a piece of operating equipment may be placing staff at risk of injury. As such, employees are an invaluable source of first-hand information.
- Risk Analysis: This step involves establishing the likelihood that a risk event might occur and the potential consequence of each event. Using a wildfire in southern Europe as an example, the risk management committee should collect data about how much rainfall has occurred in the past 12 months, the extent and damage of wildfires in southern Europe over the last ten years, and long-term weather forecasts for southern Europe for the next summer.
- Risk Evaluation: Risk evaluation compares the risk severity (the combination of risk likelihood and risk consequence) and ranks the risks. The risks are compared against existing organizational resilience, capacity, and vulnerability. An organisation with high levels of resilience and capacity is likely to be less impacted by the same event than an organisation with more vulnerability. Conducting a realistic assessment of organizational resilience, capacity, and vulnerability will help you identify the real impact of the risks should they eventuate. That will motivate your risk treatment options and priorities.
- Risk Treatment: Risk treatment is sometimes referred to as risk mitigation. In this step, risk mitigation strategies, preventative care, and contingency plans are created based on the assessed value of each risk. Using the southern Europe wildfire example, risk management committees could choose to house additional network servers in more northern latitudes to minimise the disruption of fire, so business operations could still resume if an onsite server is damaged. The risk management committee may also develop evacuation plans for employees. An important component of risk treatment is to consider what residual risk remains after mitigation actions have been taken. Senior leaders will need to decide if the residual risk is within the company’s risk tolerance levels.
- Risk Monitoring: Risk management is a non-stop process that adapts and changes over time. Repeating and continually monitoring the processes can help assure maximum coverage of known and unknown risks. Risk monitoring should also include meta-monitoring, whereby the risk committee systematically monitors the effectiveness of the risk monitoring program and asks questions like, “did our risk monitoring program provide adequate warning of emerging risks?”, and “as a result of our risk monitoring program, were managers able to make improved decisions?”
If performed correctly, this process will ensure organisations have done everything reasonable to prevent risks eventuating, and if the risks still materialize, these organisations will be better prepared to mitigate the consequence of the risks and capitalize on associated opportunities. Learn more from our guests on The International Risk Podcast.