The risk identification process identifies and classifies the various risks that could affect an organisation. Its endeavour is to list the risks and the likely impact which can then be tracked all along. Vikash Khandelwal writes the first of a series of articles on the various steps in risk management.
Let me start with an article that I had read in a newspaper recently. The roof of a newly constructed mall had collapsed. Some of its tenants and the shoppers were injured, others buried under the debris. Only a lucky few escaped unhurt. Many businesses today could face a similar situation, or something even worse, given that they operate in complex environments spread across different geographies and governed by diverse regulations. One of the solutions to prevent or avoid the assumption of such unintended liability is to employ a strategy where someone else agrees to assume the risk or indemnify you. Transferring risk is a strategy that involves the contractual shifting of risks from one party to another. Buying insurance is the most common form of transferring risks. Other methods of transferring risk to another party or entity include contractual agreements or requirements and hold harmless agreements. It’s important to have a structured approach towards the insurance programme for the organisation.
Identify the risks to business
Identification of the risk is the first step and one of the most important aspects of the risk management and transfer strategy. An organisation must be aware of all the potential threats to its normal functioning. The outcome will be a list of risks that the team will feel vulnerable to. Most risk identification exercises involve the following:
- Interaction with the employees on possible risks and resultant losses based on their experience
- Identification of risks by way of an in-depth analysis of financial statements
- Identification of risky activities
- Inspection of the activities
- Historical records of occurrence
- Benchmarking of risks and threats faced by other players in a similar industry, country or geography etc.
The risks thus identified then become a part of the process of assessment, analysis, mitigation and planning at various stages of the organisation. Once listed, risks should be ranked based on financial impact and likelihood of occurrence. This assessment will place risk events in one of the following four risk response categories:
- Activities with a high likelihood of occurring, but financial impact is small – Mitigate risk – The best option here is to use management control systems to reduce the risk of potential loss.
- Activities with a high likelihood of loss and large financial impact – Avoid risk – The best response is to avoid the activity.
- Events with a low probability of occurring, but a large financial impact – Transfer risk – The best response is to transfer a portion or all of the risk to a third-party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
- Retain risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
Risks can subsequently be sub-classified into groups which will enable a more efficient management of risks. This will also subsequently aid in assessing the likely impact and the mitigation exercise.
It’s imperative to note that for any risk identification and assessment exercise to be effective, the processes should encourage creative thinking and leverage the team’s experience and capabilities and should be in no manner a restricted activity.
In conclusion, the risk identification process identifies and classifies the various risks that could affect the organisation. Risk identification is a continuous process and new risks should continually be included into the process. The people, as in all functions of the organisation, will continue to hold the key.