Risk assessment is often the point at which people enter the risk management process for the first time. Some of the language that is required to make a formal process clear and effective can be confusing. The basic ideas are straightforward, though, and the questions here can help you see your way from start to finish and appreciate some of the important issues along the way.
A short note cannot cover every important detail and you might find expert guidance useful. These questions will help you start to understand the path you are about to take. Look at the resources on our web site and speak to us if you want more help.
What are you trying to achieve – how do you define success?
When you are not familiar with it, risk assessment can be confusing. Thinking about what you are trying to achieve and what success will mean, for the performance of a business or organisation or the planning and implementation of a project, can help to clarify your thoughts about the whole process.
Being clear on objectives and the meaning of success is the first part of what is called establishing the context, which lays the foundation for the risk assessment process.
If you find it difficult to answer this question, or the people you are working with cannot reach a consensus, you have a major problem that must be resolved before you go any further. There are ways to do this systematically.
What is the scope of this assessment?
It is easy to let a risk assessment expand to include everything in sight. To make sure it is effective and efficient, it is important to be clear about what is in and what is out of scope. The way to do this is to be clear on why you need the risk assessment output and what decisions you are going to use it to support.
As with the previous point, if it is difficult to make the scope clear, or if people disagree, preliminary work will be required.
Where are the major sources of risk?
Inside your organisation and in the surrounding environment, there will be people and organisations trying to achieve their own goals as well as processes at work and other matters that could affect your objectives. You need to make sure you understand who and what these are. They will affect the risks you face and how you deal with them.
Do you have a scheme to help you plan your time?
Unless you are careful, when you start to think about risks, it is almost certain that you will dwell on whatever happens to be at the front of your mind and on familiar issues while other matters may be overlooked. Making a list of topics that you need to cover can help to ensure that you pay attention to everything important and balance the amount of time each topic gets. You can think of the topics as an agenda for risk identification.
Who can help you identify risks?
Blind spots and bias are a real danger in risk identification. There should always be several people involved.
Preferably, some of the participants should be people with experience of similar work. They will know what they are talking about but, having no direct stake in what you are doing, they should not mind speaking up if they see something they think is important.
How will you work out which risks matter?
Two people might see the same risk quite differently, and the immediate reaction to a particular risk can be emotional. You need a way to make the assessment less subjective and, at the same time, to understand more about the risk, including what is controlling it and how well controlled it is at the moment.
This can be done in several ways, but the most common for straightforward initial risk assessments is to use a set of scales for control effectiveness, consequences and likelihoods.
These scales are specific to your organisation and must be developed carefully to reflect your objectives. Normally there will also be a matrix diagram that allows you to combine consequence and likelihood levels into an overall level of risk.
How will you work out which risks to treat?
We tend to assume that the highest-level risks should receive the most attention, but there may be some high-level risks that we cannot change and other high-level risks that we can modify easily. You will need a means of exploring options for modifying risks and deciding which ones offer more benefits than costs.
How will you make sure acceptable risks stay that way?
When you analyse a risk, you need to think about what controls are associated with it. There will usually be some controls where the consequences would be serious if the controls failed. Information you gather when you are analysing risks, about the risks and the controls, can be used to identify these key controls so that you can make sure they remain effective.
Monitor and review
How will you ensure your assessment stays up to date?
The sources of risk you have taken into account when preparing for a risk assessment will almost certainly change and your assessment can become out of date. Not only will risks themselves change over time but your best options for dealing with risks can shift as well.
You need to have a plan to review your assessment and update it regularly, as well as whenever major changes occur.