Risk Identification Chapter 6

RM Identification Traditional RM - Seeks to employ methods of identifying specific loss exposures that could interfere with achieving an organization’s primary goals. Committee of Sponsoring Organizations (COSO) ERM – calls this step “event identification” defined as management identifying “potential events affecting an entity’s ability to successfully implement strategy and achieve objectives.”

Risk Identification Tools Checklists, questionnaires, surveys Personal Interviews Performance standards checks Process flow analysis – routine inspections and quality control measures Audits – both internal and external Specialized Computer software Team approaches – brainstorming Claims history Insurance records

Holistic Risk Identification Most risks are concentrated in a specific area which makes it difficult to identify how a risk may impact the entire organization. Examples: Financial risks are found in accounting and financial areas Products liability risk are found in manufacturing areas Example, failure to recognize the financial problems of a supplier could cause production problems that lead to product defects loss of revenues Easier said than done.

Holistic Risk Identification Quadrants See p. 6.7 Risks are identified within the quadrants of strategic, financial, operational, and hazard risks After risk has been identified in each quadrant, then the RM must perform a scenario analysis and assign event likelihoods and consequences Eg., a fire risk should be developed in scenarios ranging from a fire in a warehouse that stops production for six weeks vs one that is put out in three hours

COSO ERM Identification Approach Requires categorizing risks; Suggests using a cascading hierarchy, beginning with high-level objectives and cascading down to risks related to the objects of a particular business unit’s function

Top-Down and Bottom-Up Approaches Top-down: Senior Mgmt decides which risks pose the most problematic threat to meeting the organization’s objectives; Depends on reports from middle and senior mgmt Provides limited view of risks that may be in the organization Bottom-up: the views of employees are included Provides a realistic observation of the operational environment Takes time to compile and analyze risk and does not provide holistic approach

Use of Teams to Identify Risks Workshops facilitate discussions to identify potentially negative outcomes Delphi technique uses opinions of a specific group of experts to identify risks by responding to a survey Scenario analysis helps prioritize risks and potential consequences using an internal cross-functional team

HAZOP Team approach to Risk ID Hazard and Operability Study Uses a study team in a facilitated workshop to: Subdivide the project into small components Review each component to identify risks Identify cause and potential outcomes for each risk Develop a solution for each risk

SWOT Strengths, weaknesses, opportunities, and threats Team approach that is useful in analyzing a new project Strengths and weaknesses are internal factors to examine Opportunities and threats are external factors to consider Useful when there is a specific goal, such as the feasibility of launching a new product; if goal is too general, this method is less helpful. (See p. 6.11)

Risk Registers A matrix to identify risks according to their likelihood and potential consequences Developed at the risk owner level; designed to link activities, processes, projects, or plans to a list of identified risks and results of risk analysis and evaluation and that is ultimately combined at the enterprise level. Helps identify key risks in order of priority Used mostly with scenario models (eg., page 6.13-16)

Risk Maps Uses risks identified in a risk register and provides a matrix of the likelihood and impact of an exposure Different colors represent different levels of risk, secluding the difference in combinations of impact and likelihood. (called heat mapping) Time dimension risk maps help define the urgency or different risks The difference between the residual or (current) level or sisk and the optimum risk (based on organization’s risk appetite) represents the risk treatment opportunity to continue to reduce risk

Identifying Loss Exposures – Internal Documents: How may an organization use each one? Financial statements Accounting records Contracts Insurance policies Policy and procedure manuals Flowcharts and organizational charts and loss histories (E.g., p. 6.27)

Identifying Loss Exposures – External Documents: How may an organization use each one? Questionnaires Checklists and surveys Websites News releases Reports from external organizations

Application How can each of these documents be used in your company project?