Risk management - Part 1: exploring risk
Categorise the level of risk
Likelihood vs Impact
So how do we know how likely our risks are to occur and, if they do occur, what the impact would be to us?
Once you have defined your risks, you should look at the likelihood and the impact. Let’s look at how we would do that.
Risks should be assessed by impact and likelihood, whilst issues and events are normally only classified by impact.
- The classification criteria for Impact should include:
  - both financial and non-financial considerations
  - an assessment made on the basis that the risk or issue has crystallised, or the event has occurred
  - an overall rating based on the highest impact from the individual financial or non-financial criteria
  - defined parameters for each band (minor, moderate, major and critical). For example, Moderate might be 3 to 5% of colleagues unable to perform their role effectively, specific actions needed at local management level, short-term re-allocation of resource, and so on
- The classification criteria for Likelihood should include:
  - an assessment of how frequently the risk is expected to occur
  - an assessment of internal and external loss data, the adequacy and effectiveness of key controls, and the split between automated and manual controls
  - a management judgement, considering all relevant internal and external experience
- Likelihood should be assessed against four frequencies:
  - Once in 10 years (unlikely): roughly a 10% chance of occurring in any year
  - Once in 5 years (possible): roughly a 20% chance of occurring in any year
  - Once in 2 years (likely): roughly a 50% chance of occurring in any year
  - Once in 12 months (almost certain): expected to occur in any given year
How do we know what the impact is?
Let’s look at impact classification in a bit more detail.
Each business may use a different set of criteria. The criteria can be specific to your organisation, but they must have clear parameters and fit with your risk appetite, that is, what you have defined as acceptable levels of risk in your business.
If a risk sits across several of these ratings, for example moderate (low) for customer and people, major (medium) for financial and regulatory, and critical (high) for management, then the highest category is used: this risk would be categorised as Critical (High).
| Category | Moderate (Low) | Major (Medium) | Critical (High) |
|---|---|---|---|
| People | 3-5% of workforce impacted | 5-10% of workforce impacted | More than 10% of workforce impacted |
| Customer | 1-3% of customer base impacted | 3-5% of customer base impacted | More than 5% of customer base impacted |
| Financial | 1-5% of profit | 5-10% of profit | More than 10% of profit |
| Regulatory | Escalation to the regulator required | Investigation by the regulator required | Sanctions / enforcement by the regulator |
| Management | Business Unit level involvement | Leadership Team involvement | Significant Leadership Team remediation / actions |
| Summary | Moderate impact relative to profit or capital; unlikely to require revisions to financial or strategic plans | Major financial impact relative to profit or capital; may require some revision to financial or strategic plans | Critical financial impact relative to profit or capital; likely to require revision to financial or strategic plans |

Note that the numeric bands share their boundary values (5% of workforce is the top of Moderate and the bottom of Major), so decide in advance, and record in your criteria, whether a value exactly on a boundary takes the higher band.
Overall Risk Classification
Once we have defined our rating for ‘Impact’ and our rating for ‘Likelihood’, we can plot our risks and give them a classification.
For example, a risk that we define as being likely to happen and the impact of it happening being major would be given a rating of 'High'.
So which risks are the 'riskiest'?
Which risks sit within the upper right hand quadrant of the chart? Those are the risks to look at first. They are not necessarily where the business's effort needs to go, but they are the ones that would cause the biggest impact if they materialised. These risks very often cost a great deal to control, so the cost of controlling them can sometimes exceed the cost to the business if they happened.
Look at each of the risks and identify what the plan to address it would be. The plan will most likely take one of the following forms:
- Avoid: Take steps to ensure that the risk cannot happen. This is the preferred option, but it is not always available.
- Transfer: Find someone outside the team who is better positioned to take care of the risk, or transfer the risk to a third party such as a supplier or an insurer.
- Accept: Recognise that you have done all you can to address the risk, or that no controls are available. Take no further action and accept the consequences if the risk happens.
- Mitigate: Take steps to reduce the impact and/or the likelihood of the risk. This is the most common response.
The important point is that the risks you might expect to absorb most of your effort, the most costly ones, are not always the ones you should be looking at. The risks that normally get the focus are those with moderate impact and moderate likelihood; these are the ones to review most often.
So which are the riskiest risks that we have identified in our matrix?
Putting it all together
Think about a project that you are working on just now, or have worked on in the past.
- Identify a Risk to the project
- Document the Risk, Cause and Impact
- Define the Likelihood (probability) of the risk happening
- Think about the Cost to the business or the client if the risk materialised
- Identify appropriate Controls you could put in place to reduce the likelihood
- Determine if you can reduce the level of Risk as a result of the controls
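The scoring described on this page, from the impact table and the likelihood scale through to the classification matrix and the residual risk once controls are in place, as an added worked example in Python. This is not code from the original page. The likelihood x impact matrix is an assumption (the page fixes only one cell, likely x Major = High), the boundary handling, criterion keys and the sample "key supplier outage" risk are constructed for illustration, and the expected-loss comparison is an added calculation behind the page's remark that controlling a top-right risk can cost more than the risk itself.

```python
from dataclasses import dataclass
from typing import Optional

# Impact bands as the page's table names them, lowest to highest, and the overall
# classifications used when plotting on the matrix.
IMPACT_BANDS = ("Moderate", "Major", "Critical")
CLASSIFICATIONS = ("Low", "Medium", "High")

# Lower bounds (percent) of Moderate / Major / Critical for the page's numeric criteria.
# Assumption: a value sitting exactly on a boundary (5% of workforce) takes the higher band.
IMPACT_THRESHOLDS = {
    "people": (3.0, 5.0, 10.0),     # 3-5% / 5-10% / more than 10% of workforce
    "customer": (1.0, 3.0, 5.0),    # 1-3% / 3-5% / more than 5% of customer base
    "financial": (1.0, 5.0, 10.0),  # 1-5% / 5-10% / more than 10% of profit
}

# The regulatory and management criteria are categorical on the page (keys are assumed).
CATEGORICAL_IMPACT = {
    "regulatory": {"escalation": "Moderate", "investigation": "Major", "sanctions": "Critical"},
    "management": {"business unit": "Moderate", "leadership team": "Major", "lt remediation": "Critical"},
}

# Likelihood bands from the page as lower bounds on expected occurrences per year
# (the page equates "once in N years" with a 1/N chance in any year).
LIKELIHOOD_BANDS = (("almost certain", 1.0), ("likely", 0.5), ("possible", 0.2))

# Assumed likelihood x impact matrix. The page fixes only one cell (likely x Major = High);
# the rest is an illustrative completion and should be replaced by your own matrix.
MATRIX = {
    "unlikely": {"Moderate": "Low", "Major": "Low", "Critical": "Medium"},
    "possible": {"Moderate": "Low", "Major": "Medium", "Critical": "High"},
    "likely": {"Moderate": "Medium", "Major": "High", "Critical": "High"},
    "almost certain": {"Moderate": "Medium", "Major": "High", "Critical": "High"},
}


def impact_band(criterion: str, value) -> Optional[str]:
    """Rate a single criterion; None means the value falls below the table's lowest band."""
    if criterion in CATEGORICAL_IMPACT:
        return CATEGORICAL_IMPACT[criterion][value]
    moderate, major, critical = IMPACT_THRESHOLDS[criterion]
    if value >= critical:
        return "Critical"
    if value >= major:
        return "Major"
    if value >= moderate:
        return "Moderate"
    return None


def overall_impact(criteria: dict) -> Optional[str]:
    """The page's rule: the overall rating is the highest band across all criteria."""
    bands = [b for b in (impact_band(k, v) for k, v in criteria.items()) if b is not None]
    return max(bands, key=IMPACT_BANDS.index) if bands else None


def likelihood_band(annual_frequency: float) -> str:
    """Map expected occurrences per year onto the page's four frequency bands."""
    for band, lower in LIKELIHOOD_BANDS:
        if annual_frequency >= lower:
            return band
    return "unlikely"  # once in 10 years or less often


def classify(annual_frequency: float, criteria: dict) -> Optional[str]:
    """Plot the risk on the matrix; None if no criterion reaches the impact table."""
    impact = overall_impact(criteria)
    return MATRIX[likelihood_band(annual_frequency)][impact] if impact else None


@dataclass
class Risk:
    """One risk register entry, following the page's 'Putting it all together' steps."""
    name: str
    cause: str
    annual_frequency: float      # expected occurrences per year before controls
    criteria: dict               # impact per criterion, keyed as in the tables above
    cost_if_occurs: float        # cost to the business or client if it materialises
    residual_frequency: float    # expected occurrences per year once controls are in place
    annual_control_cost: float   # what the controls cost to run each year


def assess(risk: Risk) -> dict:
    """Inherent and residual classification plus a sanity check on the cost of control."""
    inherent = classify(risk.annual_frequency, risk.criteria)
    residual = classify(risk.residual_frequency, risk.criteria)
    # Expected annual loss avoided by the controls versus what the controls cost.
    loss_avoided = (risk.annual_frequency - risk.residual_frequency) * risk.cost_if_occurs
    return {
        "impact": overall_impact(risk.criteria),
        "inherent": inherent,
        "residual": residual,
        "reduced": inherent is not None
        and CLASSIFICATIONS.index(residual) < CLASSIFICATIONS.index(inherent),
        "control_pays_off": loss_avoided > risk.annual_control_cost,
    }


if __name__ == "__main__":
    # Constructed sample risk, not taken from the page.
    outage = Risk(
        name="Key supplier outage",
        cause="Single supplier for the payment gateway with no fallback",
        annual_frequency=0.5,    # once in 2 years: likely
        criteria={"customer": 4.0, "financial": 2.0, "regulatory": "escalation"},
        cost_if_occurs=400_000,
        residual_frequency=0.1,  # once in 10 years after onboarding a second supplier
        annual_control_cost=50_000,
    )
    print(assess(outage))
```

With the sample risk, 4% of customers rates Major and the other criteria Moderate, so the overall impact is Major; combined with a once-in-two-years likelihood that plots as High, exactly the cell the page gives as its example. Cutting the frequency to once in ten years moves the same risk to Low, and the controls avoid an expected 160,000 a year against 50,000 to run them, so the control is worth having. Swap in your own matrix and thresholds before using this for anything real.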