Triaster partner, Terry Giles, from Terry AG Consulting (previously Information Risk Analyst for Barclays Direct amongst others) has a great deal of experience with the risk management process and process risk analysis.
Terry has kindly decided to share his years of experience on risk management in our new blog providing us with two risk matrix examples and 4 actions to reduce risk...
There is a lot of discussion about risks and how to deal with them, ensuring that risks are either minimised or in some cases eliminated - generally by looking from the perspective of high level processes. There is however some benefit to be had by looking at the risks associated with the individual activities that go into making the process flow, as these tend to be overlooked when carrying out a process risk analysis. However, prior to going into more detail there are two terms worth looking at:
The following definitions are taken from ISACA’s IT Risk Practitioner.
Risk Appetite - can be defined as the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.
Risk Tolerance - is the tolerable deviation from the level set by the risk appetite and would be based upon the individual circumstances associated with a risk.
Quite often the risk appetite is set across the whole of the organisation by default, based upon the culture inherent within the organisation, without much thought being put into why a certain level of risk is selected. Two very similar organisations can have widely differing risk appetites depending upon the people making the decisions and the history of any previous risks being realised. Most organisations are far more conservative (risk averse) with their risk appetite than they need to be and therefore spend more on risk reduction than they need to.
The most common way of depicting risk is by using a risk assessment matrix based upon the probability of a risk occurring against the impact that risk will have if it is realised and then positioning the activities on the risk matrix to provide a heat map for the organisation. Controls can then be put in place to either reduce the probability of it occurring or minimise the impact should it happen. A typical risk matrix example for a risk neutral organisation is shown below...
Of the four risks shown above:
It may be that although it sits within the yellow range Risk 3 is very close to the green zone and may be considered in the risk tolerance zone - it will be monitored, but no action taken. If however there is a low risk tolerance in place then it would need controls to be put in place for this risk.
In a more risk averse organisation the following risk matrix example would apply...
If you would like a more in-depth analysis on capturing your current business processes to model and reduce risk in your organisation, download the Business Analysis White Paper...
However, life is not always as simple as we think and a lot of money can be wasted in applying inappropriate responses to risks. Risks are generally incurred as the result of one or more activities within a process. It is therefore worth looking in more detail at activities that occur within the processes and understanding which are the activities that give rise to high risks - this is a great basis for creating your risk management process. There are four main actions that can be taken to overcome high risks:
One other factor that needs to be taken into account when dealing with risk is...time. Some risks are time bound, by which I mean that after a certain period of time the risk will either have been realised or it will no longer be a risk. Maintaining controls after the risk has expired is a waste of money. Other risks will be a constant threat, whilst a third group will vary according to conditions. For example, the risk of snow disrupting an event will only be high or very high during the winter months and can effectively be ignored during summer. Therefore, actions to mitigate the risk need only be put into effect at certain times of the year; thus reducing costs.
Understanding the processes used within an organisation and where the risks lie within those processes can help you create a more efficient risk management process model that will reduce running costs and at the same time reduce the probability or impact of an undesirable event occurring.
Not understanding and managing the risk in your organisation can be a risky business.
If you would like to know more about effective risk management, take a look at some of our other blogs below or if you are looking for a way to reduce risk and increase quality in your organisation, download our guide to Achieving ISO 9001:2015 written by ISO expert and co-author of the quality standard Mark Braham...
How to Manage Risk and Comply With the Senior Managers Regime
Linking Governance and Assurance to improve Quality
How to Develop and Implement a Risk Management Process in Your Business