The topic of risk analysis always involves multiple dimensions and choices.
Each industry, and the specific risks typical of it, has to be looked at differently, and there is no one-approach-fits-all answer to risk analysis.
In the banking industry, for example, credit risk refers to the risk that a borrower may not repay a loan and that the lender may lose the principal of the loan or the interest associated with it. Credit risk arises because borrowers expect to use future cash flows to pay current debts. (Read more at //www.investopedia.com/terms/c/creditrisk.asp#ixzz5GtGVzh7Q)
In this article, I am not dealing with industry-specific practices of risk analysis, but generic operational risks that are common to all industries or organizations.
Risks can be analysed through multiple approaches. At the end of the risk analysis you will have calibrated, and possibly arrived at, the probability of outcome of each material risk that you had defined (see the earlier article on identifying and defining risks). The approaches are:
Quantitative – putting a rupee or dollar figure on the impact, based on the probability of the risk event occurring.
Qualitative – you are not able to estimate a financial number right away, but you can assess the damage that could happen: for example, customer dissatisfaction, damage to reputation, a product bill of material or recipe stolen by competitors, key personnel poached by the competition, insiders leaking information, etc. These types of risks would ultimately result in a financial loss, but they are hard to quantify at the beginning of risk assessment and can be quantified only at a later stage.
Three-point analysis – you want to take a measured approach, so you take a ‘best case’, a ‘worst case’ and a ‘most likely case’ and calculate a weighted average to rank your risk.
Speed of onset of the risk – a very important factor that influences the prioritization of responding to or treating the risk.
Use advanced statistical methods, Monte Carlo analysis and scenario modelling to analyze the risk on several factors.
Use Machine Learning (ML) on past data and predict possible outcomes in areas where risk is expected to be trending.
How does one start with risk analysis?
You may want to conduct a workshop or a collaborative survey with key stakeholders in different functional areas to arrive at an inherent risk analysis. This basically asks: what do they understand as the risk drivers or causes, what are the possible consequences or impacts, where does this risk stand at present, and what is the probability of its occurrence and its impact?
This becomes the starting point for conducting continuous or periodic risk assessments by risk owners or groups responsible. Risk owners or managers may be more comfortable giving qualitative rankings for probabilities or impacts in understandable terms rather than as percentages or scores. Have a mapping mechanism to convert them for arriving at impact measurement in quantitative or qualitative terms.
Have easily understandable measures of impact on the business and of its effect on strategic objectives. Impact measures should not be limited to direct financial losses, but should include qualitative measures such as loss of production hours, time delays in hours, productivity measurements, media exposure time, geopolitical factors, customer satisfaction index, vendor reliability, customer credit rating, etc. These would ultimately be converted into financial numbers once you start assessing the risks.
Risk assessments set a target for each risk: the acceptable level the organization can live with. This is sometimes referred to as ‘planned risk’.
Response treatments, remediation or mitigation measures are put in place by the risk owners to lower the risk from the observed “inherent risk level” to the “planned risk level”.
The response treatment or mitigation sometimes takes time to implement or become effective, and periodic assessments during the interim can show a “residual risk level”, which is nothing but the difference between the current assessed risk level and the planned risk level.
Typically, risk prioritization is shown visually through “heat maps” that bucket the various risks into critical / high, medium and low impacts on one axis and the probability of occurrence on the other. The third dimension – time, or the speed of onset of the risk – can throw up very useful insights for actionable decisions to avert the risk event.
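The steps above (mapping qualitative rankings to numbers, three-point impact, residual against planned risk, heat-map bucketing and speed of onset) can be chained as in the following added example, which is not part of the original article. The probability scale, the 1-4-1 weights, the band thresholds, the sort order and the sample register are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed scales; the article names no values.
PROBABILITY = {"rare": 0.05, "unlikely": 0.2, "possible": 0.5, "likely": 0.8}
ONSET_DAYS = {"sudden": 1, "weeks": 30, "gradual": 180}
BAND_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Risk:
    name: str
    probability: str         # qualitative ranking given by the risk owner
    impact: tuple            # (best, most likely, worst) loss, currency units
    planned: float           # acceptable exposure, the "planned risk"
    onset: str               # speed of onset

def three_point(best, likely, worst, weights=(1, 4, 1)):
    """Weighted average of the three cases; 1-4-1 weights are an assumption."""
    wb, wl, ww = weights
    return (wb * best + wl * likely + ww * worst) / (wb + wl + ww)

def exposure(risk):
    """Current assessed level: mapped probability times three-point impact."""
    return PROBABILITY[risk.probability] * three_point(*risk.impact)

def residual(risk):
    """Gap between current assessed level and planned level (0 once at plan)."""
    return max(0.0, exposure(risk) - risk.planned)

def heat_cell(risk, medium=50_000, high=200_000):
    """Heat-map cell (impact band, probability ranking); thresholds assumed."""
    impact = three_point(*risk.impact)
    band = "high" if impact >= high else "medium" if impact >= medium else "low"
    return band, risk.probability

def prioritise(risks):
    """Impact band first, then faster onset, then larger residual."""
    return sorted(risks, key=lambda r: (BAND_RANK[heat_cell(r)[0]],
                                        ONSET_DAYS[r.onset], -residual(r)))

# Constructed sample register, not data from the article.
REGISTER = [
    Risk("Key personnel poached", "possible", (20_000, 80_000, 300_000), 30_000, "weeks"),
    Risk("Recipe stolen by competitor", "unlikely", (100_000, 400_000, 1_500_000), 50_000, "gradual"),
    Risk("Insider leaks information", "likely", (10_000, 60_000, 200_000), 40_000, "sudden"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:30} {heat_cell(r)} residual={residual(r):,.0f}")
```

In this register the insider-leak risk is treated ahead of the personnel risk even though its residual is smaller, because both sit in the same impact band and its onset is faster.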
More on risk assessments and response treatments in my next article.