mastering risk assessment for health and safety
7/29/2019 Mastering Risk Assessment for Health and Safety
Rejecting risk is the head-in-the-sand approach
Friday, 20 September 2013 QHSE office [ www.qhseoffice.com ]
INTRODUCTION
The recent news headlines related to the subprime mortgage crisis, rogue
traders, and corporate fraud have highlighted that despite investment in
risk assessment and risk management disciplines, significant risk failures
persist. While isolated incidents of one-time governance failures are bound
to occur, long-term systemic failures are more than just an isolated
anomaly.
The failures may be the result of a clutter of risk information caused by
many risk assessments from many perspectives. The process of organizing
these risk assessments to provide organizations with a more holistic view
of enterprise risk is fundamental to mastering risk assessments. This
whitepaper explores approaches to risk assessment, offers some best
practices for conducting risk assessments and provides practical guidance
on mastering this business process.
RISK ASSESSMENTS
THE BASICS
Risk assessments fall into the overall discipline of risk management. Risk is
defined as the uncertainty of an event occurring that could have an impact
on the achievement of objectives. The definition of risk assessment then
follows as the identification, evaluation, and estimation of the levels of
risks involved in a situation, their comparison against benchmarks or
standards, and determination of an acceptable level of risk. A risk
assessment should answer the following five questions:
1. What can go wrong?
2. How can it go wrong?
3. What is the potential harm?
4. What can be done about it?
5. How can we stop it from happening again?
THE EMERGENCE OF RISK-BASED APPROACHES
To minimize the confusion of varying risk information, risk assessment
efforts need to converge. Risk convergence, the ability to look across the
organization and to understand all risk information from a single
perspective, is essential to be able to understand and organize the
different types of risk information in order to promote the understanding
and analysis that will add value to the organization.
The following best practice approaches will help an organization master
risk assessment and minimize disjointed risk information:
1. Use a risk-focused approach
2. Adopt a common categorization of risk types
3. Parse the risk jumble
4. Perform scenario analysis
5. Use a risk table
6. Monitor risks
7. Increase self assessment
8. Achieve risk convergence
USE A RISK-FOCUSED APPROACH
One of the major reasons for the ineffective execution of risk
assessments is the significant focus on controls. The control-based
approach is used to identify and assess controls, or more specifically
the risk of missing or broken controls; the risk-based approach is used
to identify and assess risk events, or risks that could impact the
achievement of business objectives. Risk assessments are much more
effective when using a true risk-based approach.
Risk-based approaches can be described as those that provide a ratio of
at least 2:1 of risks to controls and generally have the opposite bias,
producing significant amounts of information about risk events, their
type, frequency, level, impact and root cause. With the capture of proper
risk information, risk-based approaches provide management a better
perspective on significance and likelihood of risk events and enable
management to prioritize the materiality of mitigating controls.
A COMMON CATEGORIZATION
OF RISK TYPES
To assist in the discipline of risk assessment, it is important to have a
common taxonomy and categorization of risk types.
The risk management community has provided numerous risk models to
categorize risks into types for reporting and analysis purposes.
With a library of common sets of risk categories, risk assessment
practitioners are better able to identify the organization's risks and can
pull together risk information in a concise profile that helps users
understand and monitor identified exposures.
ENVIRONMENTAL RISKS
Business continuity
Business market environment
Environmental
Liability lawsuits
Natural disasters/weather
Pandemic
Physical damage
Political risk
Regulatory/legislative
Terrorism
FINANCIAL RISKS
Capital availability
Credit counterparty
Financial market risk
Inflation
Interest rates
Liquidity
SUPPLY RISKS
Commodity prices
Supply chain
MANAGEMENT RISKS
Corporate governance
Data security
Employee health and safety
Intellectual property
Labor disputes
Labor skills shortage
Managing complexity
Outsourcing problems
Project management
Technology failure
PARSE THE RISK JUMBLE
Risk information must be organized to be understood and managed. In the
jumble of risk information that is currently being gathered, some of the
information is about controls or, more accurately, missing or broken
controls, some of it is about risk events (the events the controls were
designed to mitigate) and some of the information describes the primary
or secondary consequences of the risk events if they occur. The result is a
mass of information that is described as risk, but it is not all risk.
SCENARIO ANALYSIS
The discipline of scenario analysis is critical to effective risk assessments
because it forces one to ask, "What could go wrong in the future?"
Scenario analysis is the process of analyzing a number of possible future
events; it focuses attention on all possible outcomes of an event
occurring and the associated impacts. Proper scenario analysis improves
decision-making by allowing management to more completely consider
various outcomes and their implications to an organization.
For example, in looking at the scenario of fraudulent trades occurring, the
following questions need to be evaluated:
1. Where does trading activity take place?
2. What kinds of trading take place?
3. What are all the ways unauthorized trading could take place?
4. How up to date is our information?
5. Have we involved everyone with relevant knowledge in risk
identification?
6. Have we involved everyone with relevant knowledge in control
assessment?
7. What would tell us if, in fact, unauthorized trades are occurring?
8. How often do we formally analyze this scenario?
9. What issues have we identified in the past?
10. What losses have our industry competitors experienced?
11. How could trades be hidden?
USE A RISK TABLE
Risks and the corresponding risk assessments can be evaluated using
either a quantitative or a qualitative approach. Quantitative assessments
use actual dollar amounts to provide a financially-based risk value.
Qualitative assessments use scoring methods and the experience of
employees and consultants to arrive at a risk score. Since determining an
actual dollar value of risk is often a very resource-intensive activity,
the qualitative risk assessment approach is used as a best practice by most
risk assessment groups. Although termed a qualitative approach, this
method typically involves assigning some numerical value that can be used
to stack rank or come up with some relative ratings on the assessment of
risks.
Once the risk assessments are scored using a risk table, they should be
sorted from highest to lowest. This allows organizations to address the
highest risks first. Once identified, there are essentially four ways to deal
with each risk:
Reject the risk: Rejecting risk is the head-in-the-sand approach. Some
managers tend to ignore difficult challenges with the hope that they
will simply disappear. This approach will rarely result in a successful
defense against the risk event occurring.
Accept the risk: A common action to take is to accept the stated risk.
For example, if the controls necessary to eliminate or mitigate key
vulnerabilities are a greater financial burden to an organization than
the actual risk impact, then it's probably a good idea to use the budget
dollars in other areas.
Transfer the risk: An alternative to accepting a higher than reasonable
risk when the cost of controls is too high is to purchase insurance to
lower the business impact of an incident. This is a common risk
management step.
Mitigate the risk: Risk mitigation typically focuses on managing the
areas where the organization is most vulnerable. Risk mitigation
involves the identification and management of risk mitigating controls.
MONITOR RISKS
A best practice in mastering risk assessments is to establish standard
metrics for the consequences and outcomes that will drive business
decisions. Common metrics are classified as key performance indicators
(KPI) and key risk indicators (KRI).
A KPI is part of a measurable objective and helps an organization
measure progress toward goals, especially for difficult-to-quantify
knowledge-based processes. KPIs are made up of a direction,
benchmark, target and time frame.
A KRI measures how risky an activity is. It differs from a KPI in that the
KPI is meant as a measure of how well something is being done. A KRI
is an indicator of the possibility of a future adverse impact. The idea
behind the KRI is to provide a set of agreed indicators, which can range
from the simple, such as staff turnover, to the more sophisticated, such
as a complex calculation for measuring operational performance.
The behavior of KRIs should signal how well or how badly a firm is
managing potentially costly operational hazards such as fraud, legal
risk, technology failure and trade settlement errors.
INCREASE
SELF ASSESSMENT
Using risk self-assessment drives the responsibility and accountability of
risk management to process owners by reinforcing their responsibility and
accountability for the risk areas that they own. Companies embracing risk
self-assessment often view it as a cost-effective technique for establishing
touch points with the right people, enabling management to communicate
as well as educate. An effective risk self-assessment program reports risk
assertions from process owners upward in the organization and identifies
matters requiring follow-up and possible disclosure.
ACHIEVE
RISK CONVERGENCE
Risk convergence is the integration of discrete risk assessment information
into a unified framework in order to dramatically:
Streamline processes
Increase assurance reliability
Increase information quantity/quality
Decrease operational cost
Contribute directly to better business performance
Risk-based approaches to management hold significant promise. If risks
are understood in terms of cause/effect relationships, governance failures
and losses should be prevented. If variance in expected business or
process performance is viewed from a risk perspective as unmanaged
risks, then business performance should improve or at least become less
volatile. Risk assessment is the foundation of risk management. Organizing
the information produced through risk assessment will allow risk
convergence to fulfill its potential.
THOUGHTS
To minimize the confusion of varying risk information, risk assessment
efforts need to converge.
Risk information can be categorized as root cause, risk event,
consequence and downstream effect.
Effective risk assessments force one to ask, "What could go wrong in
the future?"
Rejecting risk is the head-in-the-sand approach.
Establish standards for the consequences.
QHSE office provides a common point of entry for audit, risk
management and compliance owners.