Risk Assessment: A Practical Guide to Assessing Operational Risk Chapter 17: Assessing Risks at an Organizational Level
Risk Assessments: Assessing Risks at an Organizational Level
Objectives
1) Introduce Organizational Risks
2) Examine Elements within Organizational Risks
3) Provide Guidance on Conducting Organizational Risk Assessments
Introduction In the globally connected and interdependent marketplace, risks are no longer isolated to a single location or entity. Risks that threaten the market, supply or distribution chains of an organization affect all parties. Some risks are known and accounted for in an organization’s risk management plan. But many risks remain hidden and unquantified, creating uncertainty and a potential for disruption and loss to an organization. Some of these risks, left untreated, can destroy key assets of an organization, damage its reputation or prevent the successful achievement of business goals and objectives. The bottom line is that management needs adequate information to make the best decisions concerning risks.
Risks to an Organization The purpose of an organizational risk assessment is to identify plausible risk scenarios capable of causing business interruption, damage to an organization’s reputation, or other catastrophic-level consequences. In essence, it is the management of risks to the organization itself. This is sometimes referred to as total risk or enterprise risk management (ERM). Risks come from internal sources as well as from those outside the organization.
Risks to an Organization Internal Sources of Risk Risks impacting organizational effectiveness arise from both internal and external sources. Examples of internal sources are issues such as financial stewardship, personnel reliability, and systems reliability. Organizations across government and the private sector are all subject to these types of internal risks. These internal risks have the potential to derail effective operations and adversely affect mission accomplishment. A comprehensive approach to risk management serves to identify weaknesses and assists in creating internal systems and processes that minimize the potential for mission failure.
Risks to an Organization External Sources of Risk Many organizations have additional risks to manage that are caused by external factors. Examples include global, political, and societal trends, as well as hazards from natural disasters, terrorism, malicious activity in cyberspace, pandemics, transnational crime, and manmade accidents. It is these hazards and threats that caused the Nation to make a significant commitment in homeland security, and it is important that the risks from external threats remain at the forefront of consideration for homeland security organizations.
Risks to an Organization In this text, the term ‘operational risk’ is used to describe undesired risks resulting from hazards in the workplace. However, organizations face risks that are derived from sources other than those presented by workplace hazards. To be clear, not all risks are negative. Some are desirable and necessary for the success of an organization. Investments, opportunities for growth through acquisitions and mergers, new product lines and services, expansion into global markets, and development of technology all present risks that have a potential ‘upside’ as well as a downside. All things involve risk. The decision to take a specific risk is based on an organization’s desire to achieve an objective, the perceived likelihood and consequence of the risk, and management’s risk tolerance level.
Organizational Risk Management Risks come in all sizes ranging from those that have the potential to impact an entire organization, individual divisions, facilities, systems or processes, operations and projects, down to individual workers. An Operational Risk Management System (ORMS) should encompass all levels, especially at the organizational level, and requires senior management leadership, commitment, and involvement in the process.
Organizational Risk Management Most organizations purchase insurance or self-insure to cover their property (buildings, equipment, vehicles, aircraft, materials, product, and other assets) and casualty (workers’ compensation for employee injuries and illnesses, general liability, products liability, employment practices liability, directors and officers, etc.) losses. Many organizations consider the purchase of insurance to be their ‘risk management plan’. Insurance is only one option in the risk treatment (5.5) phase of risk management, and does not treat all risks.
Risk Assessment is at the Heart of the Risk Management Process
Key Definitions in Organizational Risk Organization - A public or private company, corporation, firm, enterprise, authority, or institution, or part or combination thereof, whether incorporated or not, that has its own management functions. This can consist of one or many sites or facilities. Operational risks are defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
Key Definitions in Organizational Risk Asset - Something valuable that an entity owns, benefits from, or has use of, in generating income or to provide a service to society. Examples include employees and management, customers and vendors, property and buildings, liability, income, technology and information, and reputation. Vulnerability - Degree to which an asset is susceptible to harm, degradation, or destruction by being exposed to a hazard. A weakness of an asset that can be exploited by one or more threat agents. Vulnerability refers to the security flaws in a system that allow an attack to be successful.
Key Definitions in Organizational Risk Exposure - State or condition of being unprotected and open to damage, danger, risk of suffering a loss in a transaction, or uncertainty. Hazard – Insurance context: Condition or situation that creates or increases chance of loss in an insured risk, separated into two kinds (1) Physical hazard: physical environment which could increase or decrease the probability or severity of a loss. It can be managed through risk-improvement, insurance policy terms, and premium rates. (2) Moral hazard: attitude and ethical conduct of the insured. It cannot be managed but can be avoided by declining to insure the risk. Workplace safety context: Dangerous event or situation that may lead to an emergency or disaster. It could also be a biological, chemical, or physical agent in (or a property of) an environment that may have an adverse health effect, or may cause injury or loss.
Assessing Organizational Risk
Assessing Organizational Risks As with more focused, localized or specific tasks and operations, a means of assessing and managing broader organizational risks is necessary. An organizational-level risk assessment is a coordinated effort to identify critical processes and assets in an organization, potential exposures and consequences, and needed controls. There are a number of methods used to analyze risks at an organizational level, most of which are based on scenario analysis.
Assessing Organizational Risks
1) Plan Organizational Risk Assessment (ORA) – The process begins with establishing the scope and context, the risk assessment team, and the organization's key participants.
2) Risk Categorization – Following the planning stage, the ORA team defines the specific ‘exposures’ which pose risk to company assets and the potential severity of consequences.
3) Risk Identification and Data Collection – The purpose is to identify scenarios and collect data which will help quantify probability and severity.
4) Risk Analysis – The team analyzes the hazards to determine the risks for each scenario using the information gathered.
5) Risk Evaluation – The team evaluates risk levels for each scenario to develop a strategy for eliminating, reducing or transferring unacceptable risk.
6) Risk Treatment – The team develops action plans for the implementation of additional control strategies.
7) Re-assess Risks – The ORA team continues to re-assess risks as conditions change, new risks are introduced, and control measures change, to ensure risks remain acceptable to the organization.
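Steps 3 through 7 above, carried through on a small scenario register as an added example (not from the chapter itself). The 1-5 probability and severity scales, the tolerance value, the three scenarios and the rule for picking between eliminate, reduce and transfer are all assumptions made for illustration; the chapter names the concepts but fixes no numeric scale.

```python
from dataclasses import dataclass, replace

# Constructed 1-5 scales (assumption: the chapter asks the ORA team to quantify
# probability and severity but prescribes no particular scale).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Scenario:
    """One risk scenario from step 3: an exposure acting on an asset."""
    name: str
    source: str        # "internal" or "external", as in the sources-of-risk slides
    asset: str         # employees, property, technology, reputation, ...
    probability: str
    severity: str
    insurable: bool = False  # a property/casualty loss that insurance could transfer

    def score(self) -> int:
        """Step 4: risk level as probability x severity (1..25)."""
        return PROBABILITY[self.probability] * SEVERITY[self.severity]


def evaluate(s: Scenario, tolerance: int) -> str:
    """Step 5: compare the risk level with management's tolerance level."""
    return "acceptable" if s.score() <= tolerance else "unacceptable"


def treatment(s: Scenario, tolerance: int) -> str:
    """Step 6 with the chapter's three strategies for unacceptable risk.
    The ordering is an assumption: catastrophic consequences are eliminated
    (the activity is avoided), insurable losses transferred, the rest reduced."""
    if evaluate(s, tolerance) == "acceptable":
        return "accept"
    if SEVERITY[s.severity] == SEVERITY["catastrophic"]:
        return "eliminate"
    return "transfer" if s.insurable else "reduce"


def reassess(s: Scenario, tolerance: int, **changes) -> tuple:
    """Step 7: re-score after a control measure or a change in conditions."""
    updated = replace(s, **changes)
    return updated.score(), evaluate(updated, tolerance)


# Constructed register; tolerance of 8 on the 1-25 scale is also an assumption.
REGISTER = [
    Scenario("ransomware halts order processing", "external", "technology", "likely", "major"),
    Scenario("warehouse fire", "external", "property", "possible", "major", insurable=True),
    Scenario("key-person departure", "internal", "employees", "possible", "minor"),
]
TOLERANCE = 8


def register_report(register=REGISTER, tolerance=TOLERANCE) -> dict:
    """Risk level and chosen treatment for every scenario in the register."""
    return {s.name: (s.score(), treatment(s, tolerance)) for s in register}
```

Calling `reassess(REGISTER[0], TOLERANCE, probability="unlikely")` shows the re-assessment step: once a control lowers the ransomware scenario's probability, its level drops to 8 and it becomes acceptable.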
Conclusion The need for organizations to understand the broader range of risks that threaten their existence is real. This requires a coordinated effort among key stakeholders to identify their critical operations and assets and the types of potential risks that they face. The organizational risk assessment should be a beginning step to more in-depth and detailed analyses and assessments of these critical functions. Organizations that successfully identify, assess and manage plausible risks that are capable of major disruption or severe damage will succeed. Safety and risk professionals able to guide their organizations in such efforts will undoubtedly increase their own value.