OK, so you have a structure by way of risk categories and sub-categories. Getting down to the task of identifying the individual risk events that could occur and need monitoring is the next major step.
Let us break it into two parts –
identification of the risks, and their acceptance by stakeholders for monitoring, and,
defining and documenting each risk: its characteristics and attributes, its impact on the strategic objectives of the business, its influence or cascading effect on other risks, and so on.
Identification of risks
Set the bar right at the beginning: you do not want every incident that happens on a day-to-day basis to figure as a top risk. That would be overwhelming, run into hundreds or thousands of entries, and be impossible to tackle realistically.
Ask the stakeholders responsible for their respective areas what they consider the most important risks: those that could affect strategic business objectives, hinder operations, or even bring the business to a standstill.
Lay out a prioritization plan, ranked from the “highest risks” down to the “can-live-with-for-the-moment” ones. In other words, you are preparing the participants to think about the probability of each risk occurring and its financial, physical or qualitative impact.
Finalize the list and slot each risk into the respective risk categories or sub-categories that you have already defined.
Defining and documenting individual risks
Each risk that you identified in the above section carries some unique information that needs to be documented. Documenting adds discipline and transparency, so that any authorized person evaluating the risk can understand the perspective behind it. Make a short descriptive note on what risk is perceived and which business objective it impacts.
Every risk is triggered by factors that “cause” it and, if left unchecked, results in a “consequence”.
List the causes of the risk; measurable signals of these causes become your “Key Risk Indicators”, KRIs for short. They are forward-looking indicators that help you monitor the risk and warn you of threshold breaches that may indicate the risk is trending upwards.
Each “consequence” has an impact, which may be qualitative (you may not be able to put a financial number on it immediately), physical (say, damage to property or loss of assets, which could become quantifiable) or purely financial (for example, working capital loss, irrecoverable dues, fines, etc.).
Once the impact is documented, identify who owns this particular risk, in terms of periodic monitoring and of taking steps on mitigation or resolution plans so that the risk event does not materialize. This person may (depending on the complexity of the risk) decide to involve or collaborate with other people who can logically contribute to the assessment, so that extreme opinions and biases are balanced out.
These initial opinions form the basis for the first assessment: the inherent risk value at the identification stage. Then agree on the “planned residual risk value”, which is simply the level of risk you can live with after planned mitigation, without further mitigation effort.
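The documentation steps above describe a record with a fixed set of fields, a list of KRIs with thresholds, and an inherent versus planned residual value. The following is an added example of such a risk-register entry, written for this page and not code from the original article. The field names, the 1–5 likelihood and impact scale, the sample entry and the KRI readings are all assumptions chosen for illustration.

```python
"""Minimal risk-register entry with KRI threshold checks.

Added example; not code from the original article. The field names,
the 1-5 likelihood/impact scale, the sample entry and the KRI readings
below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class ImpactType(Enum):
    """Impact classification as described in the article."""
    QUALITATIVE = "qualitative"
    PHYSICAL = "physical"
    FINANCIAL = "financial"


@dataclass
class KRI:
    """A measurable, forward-looking signal tied to one cause of the risk."""
    name: str
    threshold: float
    higher_is_worse: bool = True  # some KRIs (e.g. coverage %) get worse as they fall

    def breached(self, reading: float) -> bool:
        """True when the reading crosses the threshold in the bad direction."""
        if self.higher_is_worse:
            return reading > self.threshold
        return reading < self.threshold


@dataclass
class RiskEntry:
    """One documented risk: description, category, causes/KRIs, impact, owner, scores."""
    risk_id: str
    description: str
    business_objective: str
    category: str
    sub_category: str
    owner: str
    consequence: str
    impact_type: ImpactType
    inherent_likelihood: int   # 1..5 (assumed scale)
    inherent_impact: int       # 1..5 (assumed scale)
    planned_residual: int      # target likelihood*impact the owner can live with
    causes: list[str] = field(default_factory=list)
    kris: list[KRI] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Guard against scores outside the agreed scale and a target worse than inherent.
        for value in (self.inherent_likelihood, self.inherent_impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")
        if self.planned_residual > self.inherent_score:
            raise ValueError("planned residual cannot exceed the inherent risk score")

    @property
    def inherent_score(self) -> int:
        """Inherent risk value at identification: likelihood x impact."""
        return self.inherent_likelihood * self.inherent_impact

    def breached_kris(self, readings: dict[str, float]) -> list[str]:
        """Names of KRIs whose current reading breaches their threshold."""
        return [k.name for k in self.kris
                if k.name in readings and k.breached(readings[k.name])]

    def residual_within_plan(self, likelihood: int, impact: int) -> bool:
        """True when a re-assessed score is at or below the agreed planned residual."""
        return likelihood * impact <= self.planned_residual


# Constructed sample entry (assumed values, not from the article).
SAMPLE = RiskEntry(
    risk_id="RISK-001",
    description="Privileged credentials compromised and used to alter finance systems",
    business_objective="Reliable month-end financial close",
    category="Technology",
    sub_category="Identity and access",
    owner="Head of IT Operations",
    consequence="Unauthorised changes to ledger data; delayed close; regulatory fines",
    impact_type=ImpactType.FINANCIAL,
    inherent_likelihood=4,
    inherent_impact=5,
    planned_residual=6,
    causes=["privileged accounts without MFA", "stale access reviews"],
    kris=[KRI("priv_accounts_without_mfa_pct", threshold=5.0),
          KRI("days_since_access_review", threshold=90)],
)

# Constructed KRI readings for one monitoring cycle.
SAMPLE_READINGS = {"priv_accounts_without_mfa_pct": 12.0, "days_since_access_review": 45}


if __name__ == "__main__":
    print(SAMPLE.risk_id, "inherent score:", SAMPLE.inherent_score,
          "planned residual:", SAMPLE.planned_residual)
    print("breached KRIs:", SAMPLE.breached_kris(SAMPLE_READINGS))
    print("within plan at 2x3:", SAMPLE.residual_within_plan(2, 3))
```

The `__post_init__` checks catch two documentation mistakes that are easy to make in a spreadsheet: a score off the agreed scale, and a "planned residual" that is higher than the inherent value, which would mean no mitigation is planned at all. The KRI direction flag matters because some indicators (for example MFA coverage) worsen as they fall rather than rise.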
In further articles we will examine the next steps: how to go about assessing these risks.