3.1 Establishing internal and external context
By understanding the evolving context in which you operate and the objectives you aim to achieve, you can identify and assess the uncertainties that are important (risks). This will give you the necessary information to determine if further action is required or if the risks fall within the organization’s acceptable levels of risk appetite and tolerance. Understanding the context for risk management is a part of most risk management processes. However, many organizations still view the first step as risk identification, assuming that those involved already understand the context in which they are working. ISO 31000 (2018) explains that “defining the scope, context, and criteria is essential to tailor the risk management process, ensuring effective risk assessment and appropriate risk treatment. This involves setting the process’s scope and understanding both the external and internal environment.”
There are three key components of context:
- The organization’s risk management context,
- The internal context, and
- The external context.
The risk management context refers to the overall risk management framework, including the Risk Architecture, Strategy, and Protocols (RASP framework). Customizing the risk management process can be considered when developing the RASP framework.
Internal Context
The internal context is the environment within the organization or team in which it works to achieve its objectives. This includes governance and reporting structures, operational arrangements, and roles and responsibilities, many of which fall under the Risk Architecture. It covers the organization’s structure, objectives, policies, strategies, processes, culture, and the values of its people, and involves:
- The organization’s divisions, departments, systems, processes, accountability, culture, leadership, strengths, and weaknesses,
- Internal stakeholders like staff, managers, and the board,
- Its approach to corporate governance, resources, skills, capabilities, culture, and behavior,
- Factors that influence how the organization sets and achieves its objectives, which is the main focus of risk management.
Understanding the internal context also helps answer questions such as:
- What are our objectives?
- What is our capacity?
- What are our business processes?
- How do we make decisions?
Changes in the internal context can create challenges for specific parts or the entire organization, depending on the nature of the change. From a risk management perspective, these changes can impact the risks identified, their priority, how they are managed, and even the overall risk management approach. When conducting a risk assessment for a single team or task, the internal context may focus only on what that team controls, rather than the broader organizational context. COSO (2017) emphasizes strategy setting as the core of the ERM process and highlights how changes in internal and external contexts can affect strategy development and the ability to achieve it.
External Context
The external context looks at the environment outside the organization that can influence its ability to achieve its objectives. This includes factors such as external stakeholder expectations, industry regulations, competitor behavior, and the broader economic climate. You can think of the organization’s “world” (or external context) as having two dimensions. First, there is the inner world, which covers the organization’s competitive environment, including competitors, suppliers, and customers. Second, there is the outer world, which involves broader macro-level factors such as economic, technological, ethical, and legal trends in the wider society where the organization operates.
The external context covers:
- Social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive factors, whether at an international, national, regional, or local level,
- The industry, products, markets, competitors, suppliers, customers, logistics, and the regions or countries where the organization operates,
- Key trends and drivers that impact the organization’s goals,
- Relationships with external stakeholders, as well as their perceptions and values.
Understanding the external environment helps answer questions such as:
- What does the world around us look like?
- What factors are shaping our strategic direction?
Changes in the external environment can significantly affect organizations, as seen during events like the global financial crisis and the COVID-19 pandemic. However, even smaller-scale events can have a major impact on organizations, industries, or entire countries. It’s important to note that when analyzing the external context, we should not only consider how it affects the organization but also how the organization might influence the external environment. This two-way perspective aligns with the concept of ‘double materiality’ and is increasingly relevant when addressing risks, especially those related to sustainability.
Tools to understand internal and external context
There are numerous tools and techniques available to help us understand the internal and external context in which an organization operates. These tools can offer valuable insights into various aspects of the organization, such as its day-to-day operations, behaviors, dependencies, trends, expectations, strengths, and weaknesses. Like many risk management tools, they can be applied for different purposes and at various stages of the risk management process.
The tools and techniques we will explore to better understand internal and external context include:
- The Extended Enterprise,
- PESTLE Analysis,
- Stakeholder Mapping, and
- Horizon Scanning.
1) The extended enterprise
An extended enterprise is a structure in which a number of organizations come together in a joint endeavor to achieve outcomes that none of them could have achieved alone. The concept can be applied at any level within an organization. To grasp it, there are four essential components to consider:
- Core Activities: Identify the primary functions of the team, department, project, or organization in question—what is their main purpose or role?
- Key Inputs: Determine the critical resources or elements required to carry out these core activities—what is needed to perform these functions effectively?
- Key Outputs: Define the results or deliverables produced by these core activities—what outcomes or value do they generate? These three steps outline a basic value chain for the organization.
- External Influences: Recognize the external factors that can impact the inputs, core activities, and outputs—what outside forces might affect the process or results?
By examining these elements, one can better understand the dynamics of the extended enterprise.

The diagram represents a process flow of core activities within an organization, showing the relationships between inputs, core activities, outputs, and external influences.
Key Elements:
- Core Activities (Center of the diagram)
  - This represents the main tasks or processes performed by an organization, project, or team.
  - It requires understanding what the organization does.
- Inputs (Left side of the diagram)
  - These are the resources needed for core activities to function.
  - Examples: raw materials, skills, capital, electricity, and demand for products.
- Outputs (Right side of the diagram)
  - The results or outcomes of core activities, which can be both positive and negative.
  - Examples: products, waste, improved skills, and taxes.
- External Influences (Surrounding the process)
  - Factors outside the organization that impact inputs, core activities, or outputs.
  - Examples: government policies, foreign exchange fluctuations, and extreme weather events.
Flow:
- Inputs feed into Core Activities
- Core Activities produce Outputs
- External Influences impact all stages of the process
2) PESTLE Analysis
PESTLE analysis is a framework designed to help organizations assess their external environment by using predefined categories as guides. The acronym PESTLE represents:
- Political
- Economic
- Social
- Technological
- Legal
- Environmental/Ethical
This technique is useful for identifying external factors that may impact an organization’s performance. Additionally, PESTLE serves as a tool for classifying and evaluating potential risks.
3) Stakeholder Mapping
Every organization interacts with a diverse range of stakeholders—individuals or groups with whom they have relationships, interactions, or influence. Stakeholders can be both internal and external, including shareholders, partners, owners, employees, customers (both current and potential), suppliers, consultants, regulators, investors, creditors (such as banks), and parent or sister companies. The nature of the relationship with each stakeholder group depends on their specific needs. For instance, frequent communication with employees is typical, regular engagement with shareholders is common, and periodic interaction with regulators may suffice.

A critical responsibility of the risk manager is to ensure that all internal and external stakeholders are identified, which can sometimes be challenging. For example, should an insurance company consider individuals without a policy as stakeholders? A regulator might argue yes, as the insurance industry aims to serve as many individuals and organizations as possible. If certain groups cannot access insurance, this becomes a shared concern for regulators and the insurance market.

Senior managers often face the task of resolving conflicts between stakeholder groups. For example, in a banking context, regulators may push for higher solvency capital, while investors may prefer lower capital levels to maximize returns. Managers must strike a balance, maintaining enough capital to satisfy regulators while ensuring shareholders receive adequate returns to retain their investment.

Identifying all stakeholders requires thorough research. A structured approach might involve assembling a team to review business flowcharts, manufacturing processes, and relationship diagrams. Additionally, brainstorming with executives can help broaden the perspective on the types of stakeholders involved.
In addition to identifying all stakeholder groups, it is important to evaluate the significance of each group in relation to the organization’s goals. For instance, in a healthcare setting, patients, doctors, and other staff are clearly key stakeholders. Similarly, the importance and influence of funding providers should be assessed, as they may also rank as critical stakeholders. Given that senior management has limited time and resources, prioritizing stakeholder groups ensures that risk management efforts are appropriately allocated to the most relevant parties. Stakeholder mapping or analysis involves listing all key internal and external stakeholders and then plotting them on a matrix based on two dimensions: their level of influence over the activity and their level of interest in it, ranging from low to high. Once these factors are considered, a third element can be introduced by marking each stakeholder with a plus or minus to indicate their attitude toward the activity—whether they are supportive (plus) or resistant (minus). This approach helps provide a clearer understanding of stakeholder dynamics.

4) Horizon Scanning
Horizon scanning is a structured approach designed to:
- Identify potential sources of uncertainty
- Ensure proper preparation
- Capitalize on opportunities
- Mitigate and withstand threats
It is important to note that horizon scanning is not about predicting the future. Instead, it supports the development of organizational resilience and is one of several tools that help professionals understand and prepare for future risks. It enables individuals to examine complexity, question assumptions, and explore the various ways events might unfold, thereby enhancing the resilience and reliability of their organizations; the aim is to evaluate different scenarios in support of evidence-based decision-making. It has been defined in various ways, including as a method to “explore potential future scenarios to better understand uncertainties and assess whether an organization is sufficiently prepared for possible opportunities and threats.” The process can range from simple to complex, depending on the stakeholders involved and their level of engagement. According to the UK Government’s Futures paper, horizon scanning typically involves three time horizons: near-term, mid-term, and long-term. These timeframes vary with the organization and its activities: a tech start-up might treat the near term as a month and the long term as a year, while the nuclear industry might think of the long term in decades. Recent events over the past three years have highlighted the growing challenge of assessing risks with a long-term perspective.

- Horizon 1: Where you are currently taking action
- Horizon 2: Visible trends for strategic consideration
- Horizon 3: Little trend information today but planning needed
| Steps | Process |
|---|---|
| Identify key stakeholders | Gather relevant people to work with, keeping in mind need for diversity and open minds. |
| Kick Off | Explain what horizon scanning means, how it is to be conducted, and how the results will be utilized. |
| Research | Working to a timeframe, assign single issues to stakeholders to research (professional journals, online content, etc.) to identify potential risks |
| Output | Stakeholders to document their research (submit one short report each week). |
| Collaborate / Combine | Collate the reports and present them back to the group for discussion. Visualize the risks where possible. |
| Monitor and review | Decide which key risks you wish to look into further, conduct in-depth analysis using “Futures” tools |

In addition, a risk radar can be used to illustrate the time horizon and assessment of emerging risks. It presents several risk sources, categorized in whatever way suits the organization, and indicates the near-, mid- and long-range risks that may affect society as a whole.

3.2 Objective and Purpose
Understanding both the internal and external context is crucial because it provides a clearer picture of potential risks. For something to be considered a risk, it must be significant—something that truly matters. This means we also need to define what we aim to achieve, what is important, and how we measure success. These are our objectives. As highlighted in the ISO 31000 definition, risk is the “effect of uncertainty on objectives” or uncertainties that have a meaningful impact. However, it’s not just about achieving the objectives of our activities; it’s also about ensuring these objectives align with the organization’s values, mission, vision, and strategy. As discussed in Units 1 and 2, COSO:2017 emphasizes that enterprise risk management is as much about understanding the implications of strategy and the potential misalignment of strategy as it is about managing risks to achieve set objectives. Organizations must focus on their core purpose and address key questions: Why do we exist? Why are we here? Whose needs are we here to meet? Inspirational statements alone are insufficient. Without active board involvement, there is a risk that the organization’s purpose will remain confined to hollow declarations, and the gap between the stated purpose and the actual experiences of employees will only widen.
Setting business objectives can be challenging for several reasons. Some argue that the process of defining objectives can either introduce risks if mishandled or help mitigate risks if done well. Firstly, even when an organization agrees on its overarching mission, selecting a set of appropriate objectives to support it can be difficult. Balancing the diverse and often competing expectations of stakeholders complicates this task, potentially leading to compromises or contradictory goals. Secondly, because an organization’s internal and external environment is always evolving, its strategies and objectives must be regularly reassessed—what seems like a valid mission now may not hold up in the future. Thirdly, if the strategic mission is poorly defined, misunderstood across the organization, or not effectively translated into actionable tactical and operational goals, employees may interpret it inconsistently, resulting in confusion and chaos. Fourthly, even if objectives are distributed to staff, they may not be fully embraced by those responsible for achieving them, creating a disconnect between official goals and the informal ones people actually pursue, which introduces risks early on. Fifthly, setting easily attainable objectives might temporarily lower risk, but overly ambitious ones could heighten it. In the end, risk management efforts tied to flawed, ambiguous, or misaligned objectives might excel at addressing the wrong issues. A flawed objective-setting process can, by itself, become a risk factor.
A strategy outlines how an organization plans to succeed, breaking down into goals set at various levels within the company. Risks tie directly to these goals, since failing to manage them could mean missing targets and ultimately derailing the broader strategic aims. Ideally, these goals should follow the SMART framework:
- Specific: Clearly define what you aim to achieve.
- Measurable: Set concrete metrics to track whether the goal is met.
- Achievable: Confirm you have the necessary resources or skills—or identify steps to get them.
- Relevant: Make sure the goal supports the organization’s overall strategy.
- Time-Bound: Establish a practical deadline for completion.
The idea of setting objectives at three levels means goals can be made at different stages in a company:
First, the company sets big, overall goals that cover the whole organization. These are called strategic objectives, and everything else should line up with them to support the company’s main mission and purpose. Next, through passing down responsibilities, the company sets tactical goals for departments, divisions, or business units. These focus on putting the strategy into action and usually cover one to three years. Finally, those tactical goals get broken down further into operational goals for teams or even individual workers. These cover shorter time frames, like days to months. Keep in mind that different companies might use words like “strategy,” “tactics,” and “objectives” in their own ways.

ISO 31000 says organizations should set rules for judging how important risks are and for supporting decisions. These rules, called risk criteria, should consider what kinds of uncertainty might affect objectives, and how the likelihood and the consequences, good or bad, of those risks will be measured. In simple terms, risk criteria express how much risks matter to the organization’s ability to reach its objectives. They feed into risk analysis, risk evaluation, and decisions about how much risk the organization is prepared to accept.

Every objective should be SMART, so there should be ways to check how well the organization is doing against it. These measures are Key Performance Indicators (KPIs): signals that show whether the organization is moving toward its objectives. They help focus improvement at both the strategic and the day-to-day level, give a clear basis for decisions, and highlight what matters most. What gets measured is more likely to get done. Organizations use many KPIs to track performance at every level: strategic, tactical, and operational.

Where objectives have clear KPIs (not all do), those KPIs can provide the categories for analyzing risks. They can also shape Key Risk Indicators (KRIs) and statements of risk appetite. So, rather than inventing new ways to measure risk, most organizations already have suitable measures attached to their objectives. Working with the owners of those objectives to build the risk measures is key: it keeps the measures focused on what matters, embeds risk management in the organization, and wins support from the people who count. The “scope, context, and criteria” step of risk management is about tailoring the process so that risks are identified well and treated appropriately (ISO 31000). Setting these measures up first keeps everything consistent and makes it clear how much risks matter and how much risk the organization can take.
Some organizations maintain a list of KPIs that they review regularly, sometimes called a balanced scorecard. KPIs are simpler to set up for objectives that are easy to measure, such as financial targets, and harder for things that are difficult to pin down, such as attitudes or values. A KPI tied to an objective may reveal a risk only after it has materialized, for example when the objective was met or missed because of it. Depending on how an organization structures its strategic, tactical, and operational objectives, a KPI for one objective can also give early warning of risks to come. A KPI used that way is a Key Risk Indicator (KRI), and it ties directly into risk appetite. KPIs are not always a perfect fit for tracking risk, but they are usually a solid, trusted set of figures the organization already uses. Reusing them is an easy way to show how risk management connects to everyday work, and it makes the case that risk management should be part of the business rather than something bolted on. Sticking with measures the organization already has, instead of inventing new ones, helps teams buy into Enterprise Risk Management (ERM) and make it part of their routine. Even so, organizations often overlook KPIs when setting risk impact scales, key risk indicators, or risk appetite.
One common definition of risk is the effect of uncertainty on objectives. Risks clearly affect an organization’s main objectives, but they can also hit other important things: key dependencies, core processes, and stakeholder expectations. This idea is called the “attachment of risk,” and organizations should work out how risks connect to each of these to understand their full effect. The three additional areas are:
- Key dependencies are the essentials an organization needs to succeed. They may be inside or outside the organization, but they are what the business relies on to keep going and to succeed in future.
- Core processes are the essential ways an organization gets things done. They are how the business carries out its strategy and keeps running. A core process can be thought of as “the steps that make sure stakeholders get what they expect.”
- Stakeholders are the people who have an interest in the business or are affected by it, such as investors, suppliers, customers, the community, or the government.
The point of “attachment of risk” is that organizations need to map out what happens when risks occur so they can see the full picture of their impact. The idea also ties into the Extended Enterprise; set side by side, the two line up well:
- Key dependencies appear across the whole value chain, and especially among the inputs the organization relies on.
- Core processes correspond to the core activities that keep things moving.
- Stakeholder expectations appear throughout the value chain, covering both internal and external views; the external influences concern those outside the organization.
- Objectives usually appear in the outputs of the extended enterprise.
3.3 Identification of Risk
You can pinpoint relevant risks and goals within a specific situation by employing suitable risk identification methods. It’s useful to recognize that Risk Assessment involves three key phases: Risk identification – what risks exist? Risk analysis – how significant are they? Risk evaluation – what should we do next? Is action necessary? According to ISO 31000, “the goal of risk identification is to identify, acknowledge, and outline risks that could either support or hinder an organization from reaching its objectives.” When outlining risks, there’s often uncertainty about what qualifies as a risk or if it’s truly a risk at all. Therefore, before delving into risk identification, it’s helpful to think about what details should be collected to offer a clear and comprehensible risk description—both for those involved in identifying it and those who weren’t. Take the word “fire,” which frequently appears in risk registers. What does it really signify? Depending on the situation and the reader’s perspective, it might imply:
• A fire is burning in the building, and I need to escape.
• I can start a fire in the room for warmth.
• I can ignite the barbecue for a party.
• You can terminate someone’s employment.
• Someone can discharge a firearm.
A precise description that accounts for the context in which the risk arises, along with its potential impact if it materializes, will aid the reader in grasping not only the risk itself but also its origins and consequences.
An example of a clear risk description for Risk of Equipment Failure in Offshore Drilling Operations can be as follows:
- Description: “Due to aging infrastructure, there is a risk that a critical component of an offshore drilling rig in the Divided Zone fails, leading to a suspension of oil production for up to 60 days, costing an estimated $10 million in lost revenue and requiring $2 million in repairs.”
- Context: Offshore rigs face harsh marine conditions, and equipment reliability is critical.
- Impact: Production delays and financial losses, plus potential safety hazards for workers.
Exploring the outcomes of a risk enables us to grasp its effects on specific parts of our organization, such as goals, essential operations, critical dependencies, and stakeholders; it reveals potential pitfalls stemming from an adverse risk event. By pinpointing where risks might emerge, we can identify the most susceptible areas and implement measures to safeguard them. For instance, if we rely on a single supplier for a vital component, we might seek an additional supplier, or if a lone specialist handles a crucial task, we could train a backup. This approach is fundamental to business continuity planning (BCP). The origins and impacts of risks can also be depicted with a ‘bow-tie diagram,’ known as the risk bow-tie. The risk itself sits at the center, with immediate and root causes branching to the left and immediate and broader consequences extending to the right. The risk bow-tie method further allows us to:
• Extend the analysis of risk causes and consequences beyond a single layer to multiple levels, aiding in root cause analysis.
• Map multiple contributing factors for a single risk and demonstrate how one risk can lead to various outcomes.
This latter aspect strongly supports an Enterprise Risk Management (ERM) approach, as it compels us to examine risk causes across all organizational facets and chart their company-wide repercussions. Notably, the risk bow-tie can be applied to both threats and opportunities.

Example: Risk of Oil Spill During Offshore Operations
Central Risk Statement (Center of the Bow-Tie):
Risk: “An oil spill occurs during offshore drilling operations in the Divided Zone.”
This is the core event we’re analyzing, placed at the center of the bow-tie diagram.
Causes (Left Side of the Bow-Tie):
The left side represents the immediate and underlying threats or causes that could lead to the risk event. These are the factors that might trigger the oil spill.
- Immediate Causes (closer to the center):
- Equipment Malfunction: A failure in the blowout preventer (BOP) system on the drilling rig, which is meant to seal the well in case of pressure surges.
- Human Error: An operator misinterprets pressure readings and fails to activate safety protocols in time.
- Underlying Causes (further to the left):
- Inadequate Maintenance: The BOP system has not been inspected or serviced according to the recommended schedule due to budget constraints.
- Insufficient Training: Operators lack recent training on updated safety procedures, leading to errors in high-pressure situations.
- Poor Vendor Quality: The BOP system was sourced from a supplier with a history of providing substandard equipment, but this was overlooked to cut costs.
In the diagram, these causes would be represented as boxes on the left side, with arrows pointing toward the central “Risk” node. Immediate causes would be closer to the center, while underlying causes would be further out, showing the deeper root issues.
Consequences (Right Side of the Bow-Tie):
The right side represents the immediate and ultimate impacts if the risk event (oil spill) occurs. These are the outcomes that KGOC would face.
- Immediate Consequences (closer to the center):
- Environmental Damage: 10,000 barrels of crude oil spill into the Persian Gulf, contaminating marine ecosystems and coastal areas.
- Operational Shutdown: Drilling operations are halted for 45 days to contain the spill and repair the rig.
- Ultimate Consequences (further to the right):
- Financial Loss: Cleanup costs, fines, and lost production amount to $20 million, impacting KGOC’s annual revenue.
- Reputational Harm: Public backlash and media coverage damage KGOC’s reputation, leading to strained relations with stakeholders and potential loss of future contracts.
- Regulatory Action: Kuwaiti and international environmental agencies impose stricter regulations, increasing operational costs by 15% over the next five years.
- Legal Liabilities: Local fishing communities file lawsuits for loss of livelihood, resulting in $5 million in settlements.
In the diagram, these consequences would be shown as boxes on the right side, with arrows extending outward from the central “Risk” node. Immediate consequences would be closer to the center, while ultimate consequences would be further out, reflecting longer-term impacts.
Mapping to the Bow-Tie Diagram:
- Center: “An oil spill occurs during offshore drilling operations in the Divided Zone.”
- Left Side (Causes):
- Immediate: “Equipment Malfunction,” “Human Error.”
- Underlying: “Inadequate Maintenance,” “Insufficient Training,” “Poor Vendor Quality.”
- Right Side (Consequences):
- Immediate: “Environmental Damage,” “Operational Shutdown.”
- Ultimate: “Financial Loss,” “Reputational Harm,” “Regulatory Action,” “Legal Liabilities.”
The timeline at the bottom of the diagram indicates that causes lead to the risk event, which then results in consequences over time.
Using the Bow-Tie for Threats and Opportunities:
The bow-tie can also highlight opportunities. For example:
- Opportunity from Mitigation (Left Side): By addressing the underlying cause of “Insufficient Training,” KGOC could implement a robust training program, reducing the likelihood of human error not just for this risk but for other operations as well.
- Opportunity from Consequences (Right Side): The “Regulatory Action” consequence could lead KGOC to adopt cutting-edge environmental technologies, positioning the company as a leader in sustainable oil production and attracting eco-conscious investors.
Risk Description
We have explored how to express risks by identifying their causes, the risk itself, and its consequences, supported by various examples. However, as highlighted in the Orange Book, caution is needed when defining risks to ensure that consequences are not mistaken for the risks themselves, or that risks are not framed as the opposite of the objectives. The project management field has established a method to correctly position each element of a risk statement: the causes are current or past events that could lead to the risk (the facts), the risk represents the uncertainty, and the consequences are the effects on objectives. Risks can be articulated using a risk ‘metalanguage,’ which provides a three-part structured format that distinguishes between cause, risk, and effect. This risk description aligns with the structure of the risk bow-tie.


When outlining risks, it’s crucial to examine the causes and consequences of risk events, their interconnections, and the challenges they pose for effective risk management. We start with Examples of Good Risk Descriptions and Examples of Poor Risk Descriptions, where we evaluate different risk descriptions, distinguishing between those that are well-crafted and those that require refinement. Additionally, we explore how inadequate risk descriptions can create obstacles for successful risk management.


To enhance risk description, it’s essential to use language that clearly distinguishes between causes, risks, and consequences:
- Causes are events that have occurred or are occurring, so they should be described using factual, concrete language.
- Risks represent uncertainties, so they should be expressed with language that reflects this uncertainty.
- Consequences are the effects on objectives that would arise if the risk materializes, with positive effects signaling an opportunity and negative effects indicating a threat.
It’s worth noting that a single risk can have multiple causes and multiple consequences.
In summary, employing this risk metalanguage and effectively articulating and describing risks offers several advantages:
- Awareness of Causes: Understanding the context helps gauge the likelihood of the risk occurring, aiding in risk analysis.
- Identifying Weaknesses in Causes: Recognizing vulnerabilities in the causes highlights areas that can be addressed to alter the probability of the risk happening.
- Clear Risk Statement: A well-defined risk statement ensures clarity.
- Awareness of Consequences: Understanding the potential impacts on objectives if the risk occurs provides insights into the severity of the impact, supporting risk analysis.
- Identifying Weaknesses in Consequences: Pinpointing vulnerabilities in the consequences reveals areas that can be managed to mitigate the impact if the risk materializes.
This deeper understanding of likelihood, impact, and vulnerabilities enhances the ability to determine the effort required to manage the risk further and to identify the appropriate risk owner.
Known and Unknown
When identifying risks, some teams may have a tendency to refer back to previously identified risks and ask, “What are we overlooking?” While this can be helpful, it may also cause teams to miss or fail to propose risks that might otherwise seem apparent, as they focus on filling gaps in an existing list rather than approaching the process with a completely open perspective. Additionally, certain organizations tend to sharply distinguish between issues and risks. An issue is a risk that has already materialized, eliminating any uncertainty. Understanding issues is critical for risk management because they may recur or spark new risks as a consequence of their occurrence. The concept of “known unknowns” can be a valuable tool to help teams differentiate between issues and risks, as well as between acknowledged risks, unacknowledged risks, and unexpected surprises. To apply this approach, teams should ask the following questions:
- What do I know with certainty?
- What do I know I don’t know, but recognize as a gap?
- I accept that there will always be unforeseen surprises, but to minimize this possibility, I will seek to uncover:
- What do I know I don’t know, but am failing to acknowledge? (i.e., the “elephants in the room”).
Encouraging teams to openly discuss what they are not currently acknowledging can uncover a broad range of risks while also fostering a robust risk culture within the team and the wider organization. In risk management, the “known unknowns” framework is an adaptation of the Johari Window, which categorizes knowledge based on what is known or unknown to oneself and others. This concept has been effectively utilized by various politicians and is a widely adopted tool in military and scientific fields. Ignoring the “elephants in the room” can quickly erode organizational value. As William Wilberforce, a UK Member of Parliament who spearheaded the abolition of slavery in the early 1800s, famously stated, “Having heard all of this, you may choose to turn away, but you can never again claim ignorance.”
Risk Identification Techniques
Having established that we are focusing on identifying actual risks—rather than just causes, issues, incidents, or consequences—we can now select the most suitable identification technique based on the context and participants involved. Risk identification should be conducted systematically to ensure that all major activities within the organization are recognized, and the risks arising from these activities are clearly defined. Any related volatility associated with these activities should also be identified and classified. Risk identification is a critical component of risk management, with some arguing it’s the most vital step. If risks are not identified, the entire risk management process halts, as you cannot address risks you are unaware of. Even if staff only identify risks without taking further action, this awareness can subconsciously prompt them to prepare for those risks, thereby reducing their potential impact. The goal of risk identification within a risk management framework is to create a thorough list of risks stemming from events or uncertainties that could either hinder or support the achievement of objectives. If a risk goes unidentified, there’s no chance to prevent or mitigate it.
Risks can be identified both consciously and subconsciously. For instance, conscious identification often occurs through risk assessment techniques, which we’ll explore soon. Subconscious identification happens in everyday scenarios, like when driving a car and instinctively scanning for hazards without realizing it—a phenomenon referred to as a ‘directly perceived’ risk. There are five key techniques for risk assessment, which cover identifying risks, assessing their severity (risk analysis), and determining whether they require action (risk evaluation):
- checklists and questionnaires;
- workshops and brainstorming;
- inspections and audits;
- flowcharts and dependency analysis; and
- crowdsourcing technology.
The suitability of these methods varies depending on factors like organizational culture, structure, industry, and operational locations. Beyond these, numerous other risk identification techniques exist, some of which can also be applied to the later stages of risk assessment—namely risk analysis and risk evaluation. For additional examples of such techniques, refer to the further reading in this study guide. Certain techniques are better suited for quantitative risk analysis, while others align more with qualitative analysis. We’ll delve into risk analysis in the next section, so there’s no need to understand the distinction just yet. Your organization likely employs a variety of risk identification methods, and different teams or specialties may use distinct approaches depending on their objectives. Based on what your organization already has in place, you might consider adopting a range of techniques tailored to your needs.
Emerging Risks
The International Risk Governance Council describes an emerging risk as “a risk that is new, or a known risk appearing in a new or unfamiliar context, or re-emerging under new circumstances.” These risks are seen as potentially significant but are not fully understood or evaluated, making it challenging to develop confident risk management strategies. While there are various definitions of emerging risk, there is no universal consensus on the term. At the time this material was written, the ISO standard on emerging risk was still in draft form. A straightforward way to view emerging risks is as those about which little is known when they are first identified. A concise definition of an emerging risk is “a risk that is developing in areas or ways where the available knowledge is limited.” Emerging risks differ from ‘business as usual’ risks due to characteristics such as being ambiguous, chaotic, complex, having a shifting time horizon, and being uncertain, uncontrollable, and volatile. Over the past decade, the need to understand emerging risks has grown, largely due to the constantly evolving internal and external environments in which organizations operate. Addressing emerging risks helps organizations build and sustain resilience, increasing their chances of surviving—and potentially thriving—in highly uncertain times. Fundamentally, an emerging risk is simply a risk, and many organizations do not use the term “emerging,” choosing instead to incorporate these risks into their standard risk management processes.
Risk Classification
Organizations classify risks for several reasons, as risk classification:
- Offers a structured framework for risk identification, which can help uncover more risks—for instance, during a risk management workshop—than would be identified without such a system.
- Promotes the use of consistent risk terminology across the organization, a key requirement for effective Enterprise Risk Management (ERM).
- Allows the organization to group similar risk types from across its operations, which can: enhance organizational knowledge, assign clear responsibilities for specific risk types, estimate total risk exposure by category using the expertise of relevant professionals, determine acceptable risk levels for each type, and bundle risks for uniform treatment (e.g., using a single insurance policy for a specific risk type), thereby improving risk management efficiency.
Risks can be categorized based on their time horizon as short-, medium-, and long-term:
- Short-term risks: Risks with immediate impacts, typically tied to operational activities.
- Medium-term risks: Risks related to tactics, with impacts emerging between a few months and a year.
- Long-term risks: Risks tied to strategy, with impacts manifesting between one and five years after the event.
The FIRM scorecard classifies risks into Financial, Infrastructure, Reputational, and Marketplace categories. This framework can also serve as a tool to define the organization’s objectives, assess the consequences of risks, and identify risk sources. A secondary dimension in the FIRM model involves classifying risks based on their origin:
- Internally derived risks: Originating within the business (e.g., staff fraud), often linked to financial and infrastructural risks, with the internal context as the source.
- Externally derived risks: Originating outside the business (e.g., exchange rate fluctuations), typically associated with reputational and marketplace risks, with the external context as the source.
Risk identification should encompass risks regardless of whether their sources are within the organization’s control. External risks are often more likely to be overlooked than internal ones, as people are generally more familiar with their organization’s internal dynamics, leading to fewer surprises.
The FIRM model and the IRM Risk Management Standard can be viewed as high-level risk classifications, which can then be broken down into subcategories. For example, financial risks might be subdivided into Treasury risks, sales management risks, purchase management risks, payroll risks, financial reporting risks, and financial forecasting risks.
These can be further divided into sub-subcategories. For instance, purchase risks might include supplier risks, payment risks, delivery risks, authorization risks, and so on. Numerous other risk classification systems exist, starting with The Orange Book. The Orange Book (2020, p. 19) includes a supporting principle on risk classification in its Section D2, Risk Identification and Assessment. It emphasizes that “risk identification activities should provide an integrated and holistic view of risks, often organized by taxonomies or categories of risk (see Annex 4), to understand the organization’s overall risk profile.” The World Economic Forum, in its annual Global Risk Report, categorizes risks as Economic (blue), Geopolitical (orange), Environmental (green), Societal (red), and Technological (purple). Many industries and sectors have specific requirements for risk categories. For example, the finance sector classifies risks into types such as market, credit, operational, and insurance risks, influenced in part by regulatory frameworks like Basel III and Solvency II, which further break down operational risk into multiple subcategories. This approach is common in financial institutions because their business model revolves around accepting risk, making risk understanding and management a core competency essential for success. Your organization may have its own tailored classification system based on specific needs (e.g., regulatory guidance) or industry standards. Sometimes, operating in a state of blissful ignorance may seem preferable: “The more we’re aware of risks, the more we fear their occurrence. This can lead to paralysis, as we worry these risks will materialize, and there’s too much work and not enough resources to manage them all” (BBC Radio 4, Today programme, 28 July 2010).
Risk networks
Risks and their solutions don’t stand alone. One person’s risk might be another’s cause or result. Controls and new steps can apply to many risks and different parts of a company. So, risks and their management are part of a connected, networked system with many links. Risk systems and lists that organize data in a strict, layered way can’t see these connections. Risk classification tools can help us think about risks but may lead to narrow, isolated thinking when identifying and handling them. Companies have gotten better at watching risks across all activities and thinking about the total risk level. But more can be done to understand how risks and their solutions are linked. Looking at risk networks can help companies:
- Better understand how decisions about risks affect things.
- Spot secondary risks that come from managing risks.
- Improve how risk management is built into the company.
- Increase awareness, ownership, and responsibility for risks.
- Encourage more involvement in the process.
3.3 Risk Analysis
Risk analysis helps an organization understand the size and type of risks it faces. It does this by looking at how likely a risk is to happen and its possible impact. According to ISO 31000, the goal of risk analysis is to understand risks and their characteristics, including their level. It also helps in deciding whether risks need to be managed and how to do so. Different organizations define risk analysis in various ways. The Chartered Institute of Internal Auditors (CIIA, 2005) describes it as using available information to determine the chances of an event happening and its impact. ISO states that ‘the purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk’. You might therefore define risk analysis as an analytical tool that helps you to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk. Risk analysis is therefore far broader than just using impact versus likelihood matrices to measure the relative importance of a risk to an organization. The Orange Book 2020 states that risk analysis should also consider:
- sensitivity and confidence levels, based on the information available;
- complexity and connectivity;
- time-related factors and volatility; and
- the effectiveness of existing internal control.
Risk Analysis and Risk Assessment
- The Orange Book (2020) and COSO (2017) consider risk analysis as part of a broader risk assessment process.
- It helps prioritize risks based on their importance.
- It ensures a common understanding of risks across the organization.
- It guides decisions on resource allocation.
- It supports choices about new strategies, projects, or investments.
The Orange Book also highlights that risk analysis can be simple or detailed, depending on the available data and its purpose. It can be qualitative (descriptive), quantitative (numerical), or a mix of both. Additionally, ISO 31010 (2019) outlines various risk assessment techniques. These techniques help analyze risks by considering their likelihood, impact, and overall level using both qualitative and quantitative methods.
Prioritizing techniques
Risk analysis is tough. You need to collect information from many places and use different ways to gather it. Then, you must process that information to get dependable results. To figure out how important your risks are, you can:
- Check past records.
- Use your own relevant experience and gut feeling.
- Look at the industry’s experience with the risk.
- Read published studies about the risk.
- Run tests or experiments, like market research.
- Use economic or statistical models to predict outcomes.
- Ask experts in that risk area for their opinions.
To rank the importance of risks, you can compare:
- How much the risk could affect your goals.
- How likely the risk is to happen.
- How fast the risk might impact you.
- How vulnerable different parts of your company are to the risk.
- How exposed different parts of your company are to the risk.
- How soon the risk might happen.
- How much effort or control is needed to manage the risk to a safe level.
- How hard it is to manage the risk.
- How one risk might affect other risks (like a domino effect).
There are many other ways to prioritize risks, but this list is a starting point that companies often use.
Impact
The impact of a risk refers to how it might affect an organization or team’s goals. Even if an organization doesn’t have clear goals, the impact can still be measured. Impact can be assessed using simple or complex methods. These range from basic qualitative descriptions (like low to high impact) to advanced quantitative techniques, such as Value at Risk or Monte Carlo simulation. Most organizations use a mixed approach. They apply risk criteria and measure impacts on goals using qualitative scales (low to high), while adding some quantitative measures for consistency. For example, a high financial impact might be over $1 million, while a low financial impact might be under $1,000. Some risks, like financial risks (e.g., losses or gains) and marketplace risks (e.g., income or market share) on the FIRM scorecard, are easier to measure with numbers than infrastructural or reputational risks. We’ll explore more about the criteria for measuring impact later in this section. As mentioned, predefined criteria can be used to analyze a risk event’s impact, especially when dealing with different types of risks in a matrix. This ensures consistency and comparability in rating risks. Examples of these scales are shown in the table below, titled “Examples of Risk Impact Criteria.”
| Level | Reputation | Finance | Service Delivery | Compliance | Safety | Environmental | Staff | Infrastructure | ICT | Business Development |
|---|---|---|---|---|---|---|---|---|---|---|
| Extreme | Loss of credibility with key stakeholders; extensive adverse media; external intervention | Financial loss exceeding X dollars | Total sustained disruption to critical services | Intervention by regulator; serious breach of legal or contractual obligations | Fatality | Major long-term irreversible environmental loss | Sudden or unexpected loss of a number of key people | Long-term or permanent loss of critical assets/buildings | Non-recoverable loss of critical data or records | Cessation of major business-critical services for up to 3 weeks |
| High | Significant loss of trust; significant adverse media | Financial loss exceeding X dollars | Significant sustained disruption to critical services | Censure by regulators; a serious breach of legal or contractual obligations | Serious injury or ill health | Major environmental damage reversible with long-term remediation | Lower retention rate of key personnel | Sustained damage to assets | Large loss of data, files or records | Critical business process not available within defined time frame |
| Medium | Significant complaint | Financial loss exceeding X dollars | Some short-term disruptions to services | Failure to meet recommended best practices | Injury or ill health resulting in lost time | Environmental damage reversible with medium-term remediation | Inability to attract or retain key personnel in identified high-demand roles or hard-to-fill locations | Significant but temporary damage to assets or properties | Recoverable loss of critical files, data or records | Critical business processes lost for up to one week |
| Low | Isolated complaint | Low-level financial loss | Minor disruptions to services | Failure to meet internal standard or SLA | Injury or ill health with no lost time | Superficial environmental impact | Difficulty in recruiting or replacing personnel within a reasonable time frame | Minor property damage | Loss of non-critical files, data or records | Minor effect on services for one day |
The examples of risk impact criteria given are focused on threats. When evaluating opportunities, most of these scales can be viewed positively. For instance, instead of measuring reputation by complaints, you could use compliments. For finance, you could measure gains instead of losses. For staff, you might look at better retention and recruitment. However, some scales don’t work for opportunities. For example, legal impacts—you get penalized for breaking the law, but you don’t get rewarded for following it. That said, from a compliance or regulatory angle, you might measure positive feedback from regulators or awards for being the best in your field. The key is that once opportunities are identified, you can measure them in the same way as threats. This allows you to handle both positive (upside) and negative (downside) risks using the same method, instead of creating two separate approaches.
Likelihood
Traditionally, risk analysis has centered on two main aspects: risk likelihood and risk impact. We’ll explore these first before looking at a different approach that’s becoming more popular in the risk management field. Likelihood measures the chance of a specific event happening. It includes both the expected probability and frequency of an event:
- Probability: This is shown as a number between 0 and 1 (or 0% to 100%) to indicate the chance of something happening. For example, “There is a 5% chance that KGOC’s supervisory control and data acquisition (SCADA) system will experience a cyberattack in the next year.” Probability is often used for risks that might happen only once within the time period being considered.
- Frequency: This is shown as a frequency measurement, like, “A critical component failure in KGOC’s offshore drilling rigs in the Divided Zone occurs once every 10 years on average.” To convert this frequency into a probability, we calculate the chance of it happening in a given period: 1 event ÷ (10 years × 365 days per year) = 1 ÷ 3,650 days, which is approximately a 0.027% chance of failure on any given day. For a year, it’s 1 ÷ 10 = 10% chance per year. Frequency is typically used for risks that might happen more than once in the given time period.
It’s important to watch out for misunderstandings that can come from poor numerical risk analysis. For example, if a likelihood is stated as one in two million, does that mean two million years or two million events? You need to be clear about what the numbers actually represent.
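The frequency-to-probability conversion above, and the “one in two million” ambiguity, as an added example that is not part of the study guide. The once-per-10-years figure is the guide’s own; the per-day and per-year results reproduce its arithmetic, and the Poisson variant goes beyond the text to show where the rule of thumb (rate × window) stops being a probability. The `one_in_n` helper and the exposure count passed to it are constructed for illustration.

```python
import math

DAYS_PER_YEAR = 365


def rate_per_year(events: float, years: float) -> float:
    """Average events per year, e.g. 1 event observed over 10 years -> 0.1."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return events / years


def naive_probability(rate: float, window_years: float) -> float:
    """Rule of thumb used in the text: rate x window.

    Good when rate x window is small (a once-in-10-years event over one
    day or one year). Over long windows it can exceed 1, which shows it
    is really an expected count, not a probability.
    """
    return rate * window_years


def poisson_probability(rate: float, window_years: float) -> float:
    """P(at least one event in the window), assuming events arrive
    independently at a constant average rate (Poisson process):
    1 - e^(-rate * window)."""
    return 1.0 - math.exp(-rate * window_years)


def one_in_n(n: float, basis: str, exposures_per_year: float = 1.0) -> float:
    """Annual rate implied by 'one in n', under the two readings the text
    warns about: 'n years' (a per-year rate) or 'n events' (a per-exposure
    probability that must be scaled by how often you are exposed)."""
    if basis == "years":
        return 1.0 / n
    if basis == "events":
        return exposures_per_year / n
    raise ValueError("basis must be 'years' or 'events'")


def describe(events: float, years: float) -> dict:
    """Summarise one frequency statement under both conversions."""
    r = rate_per_year(events, years)
    return {
        "rate_per_year": r,
        "per_day_naive": naive_probability(r, 1 / DAYS_PER_YEAR),
        "per_year_naive": naive_probability(r, 1),
        "per_year_poisson": poisson_probability(r, 1),
        "per_decade_naive": naive_probability(r, 10),
        "per_decade_poisson": poisson_probability(r, 10),
    }


if __name__ == "__main__":
    # The guide's offshore rig example: one critical failure every 10 years.
    for key, value in describe(1, 10).items():
        print(f"{key:>20}: {value:.4%}" if "rate" not in key else f"{key:>20}: {value}")
    # Constructed: 'one in two million' read as years vs. as events, with
    # one million exposures a year.
    print(one_in_n(2_000_000, "years"), one_in_n(2_000_000, "events", 1_000_000))
```

Over one day or one year the two conversions agree to within rounding, which is why the text’s 0.027% and 10% figures are fine. Over a decade the naive figure reaches 100% while the Poisson figure is about 63%: the rate tells you to expect one failure, not that one is certain. The `one_in_n` call shows why the unit matters: read as “one in two million years” the annual rate is negligible, but read as “one in two million events” with a million exposures a year it is 0.5 events per year.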
Prioritizing techniques – impact and likelihood
Organizations often combine their impact and likelihood scales to form a “risk matrix.” An organization can have multiple risk matrices and design them however they prefer. It doesn’t matter which axis is used for impact or likelihood. About half of the organizations using this method put impact on the x-axis, while the other half place it on the y-axis. Some organizations use separate matrices for opportunities and threats, while others combine both by ensuring the descriptions of potential impacts can be positive or negative. Some keep their risk matrices simple, with no gridlines and few metrics. Others make them more detailed, numbering each position on the grid and using different colors for cells to prompt specific reactions. When rating risks, organizations can consider: the risk with no controls in place; its current position; its position if all planned controls were fully effective; and the desired position after management. This will be covered more later. The placement of risks on the impact versus likelihood matrix helps prioritize them. This shows the organization where to focus efforts in actively controlling and managing the risks.

Impact and Action
A new way to prioritize risks is becoming popular in the risk management field. Rating risks based on likelihood is getting harder because our internal and external environments keep changing. Plus, understanding and predicting likelihood is very tricky. There are examples where even experts struggle to explain the chances of events in a way that their audience—or even they themselves—can understand. This issue can happen for many reasons, like the illusion of uncertainty or how people interpret numbers. One solution is to stop focusing on likelihood, or only use it when it’s really helpful, like for engineering risks. Instead, you can use other scales alongside impact, such as the amount of action needed to make the risk “acceptable.”
This approach is called “Impact versus Action” and is used because it:
- Avoids pointless arguments about likelihood.
- Focuses on risks that need attention right away.
- Encourages strong discussions and steps to decide how much a risk really needs to be managed.
The Impact versus Action method ranks risks by looking at their potential impact on the organization (or project/task) compared to the level of action needed to manage them to an acceptable point. It clearly shows where action is needed. This visual tool highlights risks that go beyond the acceptable level (sometimes called the organization’s appetite or tolerance) and points out risks that need immediate action or have weak controls.
Proximity
Risk proximity means how close we are to a risk happening or how soon it might occur. For example, if we’re talking about a key staff member getting sick, especially during the Covid pandemic, the risk could be very close. But if we’re looking at project risks for shutting down a nuclear power plant, the risk might be far off. Using proximity helps organizations prioritize risks in a new way. However, this method can create issues. For instance, a risk with a distant proximity might seem less urgent, but if managed now, it could lower the chance of it happening and reduce its impact—or increase the benefits for opportunities. Take climate change: if action had been taken earlier, the effects we see now and those expected in the future might be less severe. Another timing concept for risk is risk velocity. Risk velocity measures how quickly a risk can affect an organization after it happens. Risk velocity is the “timescale of risk impact.”
Risk Clockspeed
Another timing term is risk clockspeed. Risk clockspeed refers to how quickly the information needed to understand and manage risk becomes available. There are two main types:
- Slow Clockspeed Risks: These are risks where there’s enough time to think and plan (what’s “enough” depends on the situation).
- Fast Clockspeed Risks: These happen in or near real-time, leaving little time to react.
The Risk Clockspeed Window is the range between how well an organization can handle Fast Clockspeed Risks and Slow Clockspeed Risks while still operating effectively. One last point: some organizations use these timing terms interchangeably.
Level of risk rating
The three main terms for rating risk levels are:
- Inherent: This is the risk level before any controls or actions are applied to change its likelihood or impact. It shows the true risk exposure if controls fail and helps identify if risks are over- or under-managed. It’s also called “raw,” “gross,” or “total.”
- Current: This is the risk level after considering the controls currently in place and their effectiveness. It’s sometimes called “net” or “residual.”
- Target: This is the desired risk level to make the risk acceptable. Many organizations overlook this, but it’s key to understanding how much effort is needed to manage risks to an acceptable level.
The inherent rating is useful for assessing major or principal risks in an organization but less helpful for risks deeper within the organization.
To summarize the risk rating terms:
- Inherent is the same as total, gross, raw, or initial.
- Current is the same as net or some versions of residual.
- Target is closely tied to risk appetite.
The most important ratings for most parts of an organization are the current (where the risk is now) and the target (where the risk needs to be to be acceptable).
Some warnings about rating levels:
- The term “residual”: Some organizations see residual as the risk level with current controls at their current effectiveness—we’ll call this residual (current). Others see residual as the risk level if current controls were fully effective or after planned actions—we’ll call this residual (design).
- The term “target”: Hopkin and Thompson say this is the level achieved after adding more controls, which aligns with what we called residual (design).
- The term “initial”: Some organizations keep the first rating a risk was given as its initial rating. This helps track how much a risk has changed, but it’s not always needed for reporting or reviews.
Rating levels are often mixed up during risk prioritization sessions. For example, one person might rate at the inherent level, another at the current level, and another at residual (design). To avoid confusion, it must be clear at the start of any risk prioritization which level is being used for rating. For an auditor it is generally more useful to know the inherent and current risk ratings, as it is their job to ascertain whether the controls in place to move the risk from inherent to current are truly effective. Risk managers are more interested in the current and target risk ratings, as they want to ascertain how much work is needed to manage a risk to the desired level.
Risk Heat Map
A risk matrix helps analyze a risk’s likelihood and impact. The matrix design and the best scoring system depend on the organization’s specific needs and characteristics. A typical risk matrix uses five levels for both impact and likelihood. In a colored version, it would use red (top right corner), amber (middle), and green (bottom left corner) to show the size of risks. Color coding is a popular way to display a risk matrix, which is why it’s sometimes called a “risk heat map”—red signals the danger zone. It’s also called a “risk map” or “RAG diagram,” where RAG means red, amber, and green. In this example, the scores aren’t multiplied, so 1 x 5 doesn’t equal 5. The scoring is simple and gives more weight to impact than likelihood. For instance, a “rare” likelihood with a “major” impact scores 15, while an “almost certain” likelihood with an “insignificant” impact scores 11. If the scores were multiplied, both would be 5, making it hard to decide which risk needs more attention.

The second example risk matrix (the figure “Risk Matrix with Risks Plotted”) includes risk numbers plotted on it. For instance, the risk in the top right box is risk number 32, while the top left box has risks 18 and 27. The main benefit of a risk matrix is that it visually shows which risks need the most attention, which is why it’s widely used. However, be cautious about accepting these risk ratings as they appear. This view doesn’t clearly show if action is needed to manage a risk. For example, risk number 32 might be in the top right corner, but that could be its target level, meaning it’s already at an acceptable level. On the other hand, risk number 19 might have a target to reduce it to “unlikely” with a “moderate” impact, meaning it needs a lot of attention to reach an acceptable level. So, risk number 19 should be the focus, not risk number 32, because it requires more action. While the typical matrix uses five levels for likelihood and impact, some organizations use different sizes like 4×4, 5×5, or 6×4. Some also use more detailed ratings to help with decision-making in their organization.

A risk can have multiple impacts. Take the example of a vehicle crashing into a road maintenance site, damaging assets and personnel, despite existing safety measures. If this risk happens, the impacts might be rated as:
- Safety: High (one fatality)
- Financial: Moderate ($100k to $1m)
- Production: Minor (3 hours to 1 week of lost time)
- Reputation: Insignificant (less than 50 negative social media comments)
As you can see, the impacts vary depending on the risk and its context. When a risk has different impact levels, use the highest impact score to plot it on the risk matrix. Averaging the scores hides the true effect of the risk. Risk registers that capture these different impact levels and use the highest score to plot on the matrix provide useful data. This helps focus management efforts. In the example above, the priority would be reducing the safety impact. Without this detail, the focus might wrongly shift to the financial impact.
You can use the risk matrix to show different risk levels:
- Inherent or gross risk: The risk before any controls are applied.
- Current or net risk: The risk after considering existing controls.
- Target risk: The level the risk needs to reach to be acceptable.
You can also plot inherent, current, and target risks on one matrix and draw a line between them to show the effect of risk management actions.

Risk isn’t just about threats and negative outcomes. Managing risk can also lead to positive results and opportunities. Entrepreneurs often take bigger risks because they see the chance for big rewards, even though there’s uncertainty about achieving those benefits. Managing risks to increase the chance of positive outcomes can be as important as managing risks to lower the chance or severity of negative outcomes. When assessing risks, heat maps or RAG charts (red, amber, green) usually focus on threats. To include opportunities, some organizations use a double-sided matrix. This matrix can be shown in different ways. Sometimes, upside risks (opportunities) are on the right side, and downside risks (threats) are on the left. For upside risks, the goal is to move the risk to the top left corner of the upside risk matrix by increasing its likelihood and/or positive impact.
Risk Evaluation
We now turn to the last part of risk assessment: risk evaluation. The main idea of risk evaluation is that after analyzing a risk to understand its effect on our goals, we decide whether to:
- Take action to lower our exposure (for hazard risks), reduce uncertainty (for control risks), adjust the investment (for opportunity risks); or
- Accept the risk level as it is without doing anything more.
So, risk evaluation is basically a decision point where we choose whether to act on the risk or not.
Risk appetite differs between organizations—some are more willing to take risks (risk-aggressive), while others avoid risks (risk-averse). Even within the same organization, different departments may have different risk appetites.
An Enterprise Risk Management (ERM) approach requires organizations to understand their overall risk appetite and apply it consistently across all areas. This helps them make uniform decisions about how to handle a specific risk. Risk appetite should be determined based on the organization’s overall business strategy, tactics, operations, and its need to follow laws and regulations. However, boards often focus on business goals and strategic priorities, which can lead to decisions that don’t fully account for the actual risk exposure or the organization’s willingness to accept that level of risk.

In a typical risk matrix, the red, amber, and green zones often show whether risks are within the organization’s appetite or tolerance. These colored zones might shift depending on the organization’s risk appetite. However, using likelihood in scoring and colored zones on a matrix can create issues when deciding how much attention a risk needs. For example, some risks might have a high likelihood and high impact but still be within the organization’s risk appetite.
Consider an organization that maintains major road networks used by the public. They might face a risk of vehicles hitting their work zones, damaging assets, and injuring workers. They likely have many controls in place—like barriers, signs, speed limits, training, guidance, and equipment. But there’s still a high chance that a public vehicle could cause an accident in the work zone, affecting assets and workers. This risk and its controls are constantly monitored, reviewed, and improved, but the organization might not be able to do more and accepts it as part of doing business. On a traditional impact versus likelihood matrix, this risk would be in the red zone, yet it’s within the organization’s risk appetite.
On the other hand, risks with a very low likelihood but very high impact—called High Impact Low Probability (HILP) risks—are often ignored. Because they’re seen as unlikely, they don’t get much attention. An example of a HILP risk is Covid-19. A low likelihood doesn’t mean a risk won’t happen. The impact versus action map we discussed earlier offers a different way to focus on risks. In this approach, risks (both opportunities and threats) are plotted on a slightly different matrix. The plotting is based on the potential impact of the risk compared to other risks and the amount of additional action needed to manage it to the desired level. If no further action can be taken to manage the risk, it’s placed at the bottom of the axis, marked as “no action needed.”

The tolerance line marks the point where more action is needed beyond what’s already being done to manage the risk. If a risk is below this line, no extra action is possible or wanted. If a risk is above the line, action is needed to bring it back into the tolerance zone. Using the impact versus action map helps focus attention properly. Risks that would usually sit in the red zone of a traditional matrix and be labelled “unacceptable,” but for which nothing further can or should be done, drop below the line and get the right level of attention. Meanwhile, risks with a big impact on the business that need a lot of action are highlighted. For example, a risk like Covid-19 would get more focus because it would show as having a major impact on the organization and, in most cases, would require significant action to manage it to an acceptable level.
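The impact versus action map above, as an added example that is not part of the original page: each register entry is placed by its impact and by the ordinal steps still needed to move it from its current level to its target, with the tolerance line sitting between “no action needed” and any positive amount of action. The road-works risk is red on a conventional heat map but sits below the line because nothing further is possible, while a constructed pandemic entry is green on the heat map (rare but catastrophic) yet lands at the top of the map. The scale labels, action bands, heat-map thresholds, risk numbers and targets are assumptions.

```python
from dataclasses import dataclass

# Ordinal scales shared with a conventional matrix (labels assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# Assumed action scale for the vertical axis of the map.
ACTION = {0: "no action needed", 1: "minor", 2: "moderate", 3: "significant"}


@dataclass
class Risk:
    ref: int
    title: str
    current: tuple                   # (likelihood, impact) with existing controls
    target: tuple                    # (likelihood, impact) that would be acceptable
    further_action_possible: bool = True


def conventional_zone(likelihood: str, impact: str) -> str:
    """How a plain likelihood x impact heat map colours the cell (thresholds assumed)."""
    product = LIKELIHOOD[likelihood] * IMPACT[impact]
    if product >= 15:
        return "red"
    if product >= 8:
        return "amber"
    return "green"


def action_needed(r: Risk) -> int:
    """Ordinal steps still required to move the risk from current to target.

    Zero when the risk is already at target or when nothing further can be
    done; that is what places it at the bottom of the map ("no action needed").
    """
    if not r.further_action_possible:
        return 0
    (lc, ic), (lt, it) = r.current, r.target
    return max(0, (LIKELIHOOD[lc] - LIKELIHOOD[lt]) + (IMPACT[ic] - IMPACT[it]))


def action_level(r: Risk) -> str:
    return ACTION[min(action_needed(r), 3)]


def above_tolerance_line(r: Risk) -> bool:
    """The tolerance line sits between 'no action needed' and any positive action."""
    return action_needed(r) > 0


def impact_vs_action_map(risks: list) -> list:
    """Rows in attention order: above the line first, then highest impact, then most action."""
    rows = []
    for r in risks:
        steps = action_needed(r)
        rows.append({
            "ref": r.ref, "title": r.title,
            "impact": r.current[1],
            "conventional_zone": conventional_zone(*r.current),
            "action": ACTION[min(steps, 3)], "steps": steps,
            "above_line": steps > 0,
        })
    return sorted(rows, key=lambda x: (x["above_line"], IMPACT[x["impact"]], x["steps"]),
                  reverse=True)


# Constructed register entries modelled on the text's road-works and pandemic
# examples plus one filler risk; numbers, levels and targets are assumed.
ROADWORKS = Risk(32, "Public vehicle enters road maintenance site",
                 current=("likely", "major"), target=("likely", "major"),
                 further_action_possible=False)
PANDEMIC = Risk(41, "Pandemic halts field operations",
                current=("rare", "catastrophic"), target=("rare", "minor"))
SUPPLIER = Risk(7, "Key supplier insolvency",
                current=("possible", "moderate"), target=("unlikely", "moderate"))
REGISTER = [ROADWORKS, PANDEMIC, SUPPLIER]

if __name__ == "__main__":
    for row in impact_vs_action_map(REGISTER):
        side = "ABOVE" if row["above_line"] else "below"
        print(f'#{row["ref"]:>3} {row["title"]:<42} impact={row["impact"]:<13} '
              f'heat-map={row["conventional_zone"]:<5} action={row["action"]:<16} {side} line')
```

The ordering that comes out (pandemic, supplier, road works) is the reverse of what the conventional zones alone would suggest, which is the point of the map: the red road-works risk is already at its accepted level, and the green HILP entry is the one that needs significant work.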

