Mastering Risk Assessment for Health and Safety

Upload: rizaldi-djamil

Post on 14-Apr-2018


TRANSCRIPT

  • 7/29/2019 Mastering Risk Assessment for Health and Safety

    1/23

    Rejecting risk is the head-in-the-sand approach

    Friday, 20 September 2013 QHSE office [ www.qhseoffice.com ]


    INTRODUCTION

    The recent news headlines related to the subprime mortgage crisis, rogue traders, and corporate fraud have highlighted that despite investment in risk assessment and risk management disciplines, significant risk failures persist. While isolated incidents of one-time governance failures are bound to occur, long-term systemic failures are more than just an isolated anomaly.

    The failures may be the result of a clutter of risk information caused by many risk assessments from many perspectives. The process of organizing these risk assessments to provide organizations with a more holistic view of enterprise risk is fundamental to mastering risk assessments. This whitepaper explores approaches to risk assessment, offers some best practices for conducting risk assessments and provides practical guidance on mastering this business process.


    RISK ASSESSMENTS: THE BASICS

    Risk assessments fall into the overall discipline of risk management. Risk is defined as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The definition of risk assessment then follows as the identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. A risk assessment should answer the following five questions:

    1. What can go wrong?

    2. How can it go wrong?

    3. What is the potential harm?

    4. What can be done about it?

    5. How can we stop it from happening again?


    THE EMERGENCE OF RISK-BASED APPROACHES

    To minimize the confusion of varying risk information, risk assessment efforts need to converge. Risk convergence, the ability to look across the organization and to understand all risk information from a single perspective, is essential to be able to understand and organize the different types of risk information in order to promote the understanding and analysis that will add value to the organization.

    The following best practice approaches will help an organization master risk assessment and minimize disjointed risk information:

    1. Use a risk-focused approach

    2. Adopt a common categorization of risk types

    3. Parse the risk jumble

    4. Perform scenario analysis

    5. Use a risk table

    6. Monitor risks

    7. Increase self assessment

    8. Achieve risk convergence


    USE A RISK-FOCUSED APPROACH

    One of the major reasons for the ineffective execution of risk assessments is the significant focus on controls. The control-based approach is used to identify and assess controls, or more specifically the risk of missing or broken controls; the risk-based approach is used to identify and assess risk events, or risks that could impact the achievement of business objectives. Risk assessments are much more effective when using a true risk-based approach.

    Risk-based approaches can be described as those that provide a ratio of at least 2:1 of risks to controls and generally have the opposite bias, producing significant amounts of information about risk events, their type, frequency, level, impact and root cause. With the capture of proper risk information, risk-based approaches provide management a better perspective on significance and likelihood of risk events and enable management to prioritize the materiality of mitigating controls.


    A COMMON CATEGORIZATION OF RISK TYPES

    To assist in the discipline of risk assessment, it is important to have a common taxonomy and categorization of risk types.

    The risk management community has provided numerous risk models to categorize risks into types for reporting and analysis purposes.

    With a library of common sets of risk categories, risk assessment practitioners are better able to identify the organization's risks and can pull together risk information in a concise profile that helps users understand and monitor identified exposures.


    ENVIRONMENTAL RISKS

    Business continuity

    Business market environment

    Environmental

    Liability lawsuits

    Natural disasters/weather

    Pandemic

    Physical damage

    Political risk

    Regulatory/legislative

    Terrorism

    FINANCIAL RISKS

    Capital availability

    Credit counterparty

    Financial market risk

    Inflation

    Interest rates

    Liquidity


    SUPPLY RISKS

    Commodity prices

    Supply chain

    MANAGEMENT RISKS

    Corporate governance

    Data security

    Employee health and safety

    Intellectual property

    Labor disputes

    Labor skills shortage

    Managing complexity

    Outsourcing problems

    Project management

    Technology failure


    PARSE THE RISK JUMBLE

    Risk information must be organized to be understood and managed. In the jumble of risk information that is currently being gathered, some of the information is about controls or, more accurately, missing or broken controls, some of it is about risk events (the events the controls were designed to mitigate) and some of the information describes the primary or secondary consequences of the risk events if they occur. The result is a mass of information that is described as risk, but it is not all risk.


    SCENARIO ANALYSIS

    The discipline of scenario analysis is critical to effective risk assessments because it forces one to ask, "What could go wrong in the future?" Scenario analysis is the process of analyzing a number of possible future events and focuses attention on all possible outcomes of an event occurring and the associated impacts. Proper scenario analysis improves decision-making by allowing management to more completely consider various outcomes and their implications to an organization.

    For example, in looking at the scenario of fraudulent trades occurring, the following questions need to be evaluated:


    1. Where does trading activity take place?

    2. What kinds of trading take place?

    3. What are all the ways unauthorized trading could take place?

    4. How up to date is our information?

    5. Have we involved everyone with relevant knowledge in risk identification?

    6. Have we involved everyone with relevant knowledge in control assessment?


    7. What would tell us if, in fact, unauthorized trades are occurring?

    8. How often do we formally analyze this scenario?

    9. What issues have we identified in the past?

    10. What losses have our industry competitors experienced?

    11. How could trades be hidden?


    USE A RISK TABLE

    Risks and the corresponding risk assessments can be evaluated using either a quantitative or a qualitative approach. Quantitative assessments use actual dollar amounts to provide a financially based risk value. Qualitative assessments use scoring methods and the experience of employees and consultants to arrive at a risk score. Since determining an actual dollar value of risk is often a very resource-intensive activity, the qualitative risk assessment approach is used as a best practice by most risk assessment groups. Although termed a qualitative approach, this method typically involves assigning some numerical value that can be used to stack rank or come up with some relative ratings on the assessment of risks.


    Once the risk assessments are scored using a risk table, they should be sorted from highest to lowest. This allows organizations to address the highest risks first. Once identified, there are essentially four ways to deal with each risk:

    Reject the risk: Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore difficult challenges with the hope that they will simply disappear. This approach will rarely result in a successful defense against the risk event occurring.

    Accept the risk: A common action to take is to accept the stated risk. For example, if the controls necessary to eliminate or mitigate key vulnerabilities are a greater financial burden to an organization than the actual risk impact, then it's probably a good idea to use the budget dollars in other areas.


    Transfer the risk: An alternative to accepting a higher than reasonable risk when the cost of controls is too high is to purchase insurance to lower the business impact of an incident. This is a common risk management step.

    Mitigate the risk: Risk mitigation typically focuses on managing the areas where the organization is most vulnerable. Risk mitigation involves the identification and management of risk mitigating controls.


    MONITOR RISKS


    A best practice in mastering risk assessments is to establish standard metrics for the consequences and outcomes that will drive business decisions. Common metrics are classified as key performance indicators (KPI) and key risk indicators (KRI).

    A KPI is part of a measurable objective and helps an organization measure progress towards goals, especially toward difficult-to-quantify knowledge-based processes. KPIs are made up of a direction, benchmark, target and time frame.


    A KRI measures how risky an activity is. It differs from a KPI in that the KPI is meant as a measure of how well something is being done. A KRI is an indicator of the possibility of a future adverse impact. The idea behind the KRI is to provide a set of agreed indicators, which can range from the simple, such as staff turnover, to the more sophisticated, such as a complex calculation for measuring operational performance. The behavior of KRIs should signal how well or how badly a firm is managing potentially costly operational hazards such as fraud, legal risk, technology failure and trade settlement errors.


    INCREASE SELF ASSESSMENT

    Using risk self assessment drives the responsibility and accountability of risk management to process owners by reinforcing their responsibility and accountability for the risk areas that they own. Companies embracing risk self-assessment often view it as a cost-effective technique for establishing touch points with the right people, enabling management to communicate as well as educate. An effective risk self-assessment program reports risk assertions from process owners upward in the organization and identifies matters requiring follow-up and possible disclosure.


    ACHIEVE RISK CONVERGENCE

    Risk convergence is the integration of discrete risk assessment information into a unified framework in order to dramatically:

    Streamline processes

    Increase assurance reliability

    Increase information quantity/quality

    Decrease operational cost

    Contribute directly to better business performance


    Risk-based approaches to management hold significant promise. If risks are understood in terms of cause/effect relationships, governance failures and losses should be prevented. If variance in expected business or process performance is viewed from a risk perspective as unmanaged risks, then business performance should improve or at least become less volatile. Risk assessment is the foundation of risk management. Organizing the information produced through risk assessment will allow risk convergence to fulfill its potential.


    THOUGHTS


    To minimize the confusion of varying risk information, risk assessment efforts need to converge.

    Risk information can be categorized as root cause, risk event, consequence and downstream effect.

    Effective risk assessments force one to ask, "What could go wrong in the future?"

    Rejecting risk is the head-in-the-sand approach.

    Establish standards for the consequences.

    QHSE office provides a common point of entry for audit, risk management and compliance owners.
