
Risk Identification and Classification

Risk Identification

• Risk identification is the initial stage of risk management.
• This stage is concerned with the discovery of risks that may occur in an activity.
• Risk identification consists of determining which risks are likely to affect the business and documenting the characteristics of each. It:
  - should be performed on a regular basis
  - should address both internal risks (which can be controlled or influenced by management) and external risks (beyond the control or influence of management)
  - is also concerned with opportunities (positive outcomes) as well as threats (negative outcomes).
• Risk identification may be accomplished by identifying causes-and-effects (what could happen and what will ensue) or effects-and-causes (what outcomes are to be avoided or encouraged and how each might occur).
Risk Identification Methods

• Historical data analysis
  - Use the information and data available in the company about everything that has happened before
  - Example: based on historical data, the company faces the risk of losing important employees
  - Financial report method → loss statistics
• Observation, inspection, and survey
  - Conduct investigations or gather data directly at the location
  - Example: poor lighting observed on the shop floor shows that the shop floor faces the risk of the lights failing
• Reference (benchmarking)
  - Look for information about risks in other places or companies
  - Example: a study at company XYZ showed that employees who do not wear personal protective equipment face a high risk on the shop floor
• Expert opinion (neutral outside parties) and questionnaires for risk identification
  - Look for information from experts in specific risk areas
  - Example: according to an occupational health and safety expert, employees of a chemical factory have a higher risk of lung disease than employees of a factory without toxic materials
• Environmental analysis (strength, weakness, threat, opportunity)
►Cause and Effect Diagrams
  - Also known as Ishikawa or fishbone diagrams

[Fishbone diagram: potential causes (Inadequate Testing Time, Business Prioritization, Personnel, Materials, Insufficient Resources, Bad Specs) leading to the effect "Product Delivered Late".]

Risk Identification Output (Risk Register)

• List of identified risks → including their root causes and uncertain business assumptions
• List of potential responses
• List of root causes
• Updated risk categories (if required)
Risk Analysis

• Each identified risk is analyzed by assessing its probability and its magnitude (effect).
• The analysis relies on the judgment and experience of the activity manager.
• The probability of a risk can be rated very low (<10%), low (10-25%), moderate (25-50%), high (50-75%), or very high (>75%).
• Risk effects can be rated as catastrophic (expenditures greater than income), serious, tolerable, or insignificant.
Methodologies of Risk Analysis

Probability and Impact Matrix
• Based on Failure Modes and Effects Analysis (FMEA)
• From 1950s analysis of military systems
Define Probability Scale & Impact Scale

Impact Scale (consequence, health and safety):
  Extreme    - Fatality or multiple fatalities expected
  High       - Severe injury or disability likely; or some potential for fatality
  Moderate   - Lost time or injury likely; or some potential for serious injuries; or small risk of fatality
  Low        - First aid required; or small risk of serious injury
  Negligible - No concern

Probability Scale (likelihood class, likelihood of occurrence in events/year):
  Not Likely (NL) - <0.01% chance of occurrence
  Low (L)         - 0.01-0.1% chance of occurrence
  Moderate (M)    - 0.1-1% chance of occurrence
  High (H)        - 1-10% chance of occurrence
  Expected (E)    - >10% chance of occurrence
Probability and Impact Plots

• Rate each risk on the two scales, then plot it on the matrix.
• Develop a mitigation technique for risks above tolerance.
Output of Qualitative Risk Analysis (Risk Register Update)

• Relative ranking or priority list of risks → risks may be listed by priority separately for cost, time, scope, and quality, since organizations may value one objective over another.
• Risks grouped by categories:
  - can reveal common root causes or risk areas requiring particular attention
  - improves the effectiveness of risk responses
• List of risks requiring response in the near term
• List of risks for additional analysis and response

Risk Register
Decision Making

• Identify alternative decisions for the risk problem.
• There are four possible decision-making scenarios:
1. Certainty
2. Uncertainty
3. Risk
4. Conflict
Decision Making under Certainty
• The decision maker knows for sure the consequence of each alternative, strategy, or course of action to be taken.
• In these circumstances it is possible to foresee (if not control) the facts and the results.
• The decision-making process is relatively simple: the alternative that maximizes utility and best meets the objectives set is chosen.
• Example:
  - Which fruit-chips business is more profitable if we have 1 ha of land: apple chips or jackfruit chips?
  - Compare the productivity results.
Decision Making under Uncertainty
• Each course of action has several possible consequences and the decision maker does not know the probability of each of them.
• Poor in information.
• The decision is complicated because past experience does not make it possible to predict the future and there are many uncontrollable variables.
• Ways to anticipate conditions of uncertainty:
  - look for more information
  - research
  - use subjective probabilities
Decision Making under Risk

• An intermediate situation between certainty and uncertainty.
• Each alternative, strategy, or course of action has several possible consequences, but the decision maker knows the probability of each of them.
• Although the choice is not as easy as under certainty, a decision-making model can be applied that facilitates it.
• The decision maker has more than one alternative course of action, each evaluated under bad, normal, and good conditions.
Decision Making under Conflict

• Each alternative, strategy, or course of action involves several conflicts.
• A feasibility study should be done.
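The three decision settings described above (certainty, uncertainty and risk), worked through on the slides' fruit-chips example as an added illustration that is not part of the original slides. The payoff figures and the state probabilities are constructed. Expected value is the decision-making model assumed here for the risk case; the slide's suggestion of subjective probabilities under uncertainty is shown by feeding guessed probabilities to the same function; the maximin and equal-weight (Laplace) rules, which the slides do not name, are standard probability-free criteria included for comparison.

```python
"""Decision making under certainty, uncertainty and risk (added example).

A payoff table has one row per alternative course of action and one column
per state of nature (bad, normal, good condition), as in the slide on
decision making under risk. The payoffs below are constructed sample figures
(profit, thousands per hectare) for the 1 ha fruit-chips example.
"""

STATES = ("bad", "normal", "good")

# Constructed payoffs: apple chips pay more in a good year but lose money in
# a bad one; jackfruit chips are steadier.
PAYOFFS = {
    "apple chips":     {"bad": -20, "normal": 40, "good": 60},
    "jackfruit chips": {"bad":  10, "normal": 25, "good": 35},
}


def decide_under_certainty(payoffs, state):
    """Certainty: the state is known, so each alternative has exactly one
    consequence; pick the alternative with the largest payoff."""
    values = {alt: row[state] for alt, row in payoffs.items()}
    return max(values, key=values.get), values


def expected_value(row, probs):
    return sum(row[s] * probs[s] for s in STATES)


def decide_under_risk(payoffs, probs):
    """Risk: the probabilities of the states are known; choose the alternative
    with the highest expected value (the decision-making model assumed here)."""
    if abs(sum(probs.values()) - 1.0) > 1e-9:
        raise ValueError("state probabilities must sum to 1")
    evs = {alt: expected_value(row, probs) for alt, row in payoffs.items()}
    return max(evs, key=evs.get), evs


def decide_maximin(payoffs):
    """Uncertainty, pessimistic rule (not named on the slide): take each
    alternative's worst payoff, then choose the best of those."""
    worst = {alt: min(row.values()) for alt, row in payoffs.items()}
    return max(worst, key=worst.get), worst


def decide_laplace(payoffs):
    """Uncertainty, equal-weight rule (not named on the slide): treat every
    state as equally likely, i.e. expected value with uniform probabilities."""
    uniform = {s: 1.0 / len(STATES) for s in STATES}
    return decide_under_risk(payoffs, uniform)


if __name__ == "__main__":
    print("certainty, normal year:", decide_under_certainty(PAYOFFS, "normal"))
    # Subjective probabilities, as the slide suggests when hard data is scarce.
    print("risk, mostly normal:", decide_under_risk(PAYOFFS, {"bad": 0.3, "normal": 0.5, "good": 0.2}))
    print("risk, bad years likely:", decide_under_risk(PAYOFFS, {"bad": 0.6, "normal": 0.3, "good": 0.1}))
    print("uncertainty, maximin:", decide_maximin(PAYOFFS))
    print("uncertainty, laplace:", decide_laplace(PAYOFFS))
```

Running the two risk cases side by side shows why the slide stresses knowing the probabilities: the same payoff table favours apple chips when normal years dominate and jackfruit chips when bad years are likely, so a subjective probability estimate changes the answer and should be recorded in the register as an assumption.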
Risk Classification

• Classifying risks into short-, medium- and long-term helps to identify risks as being related (primarily) to operations, tactics and strategy, respectively → this distinction is not clear-cut, but it can assist with further classification of risks.
• In fact, there will be some short-term risks to strategic core processes, and there may be some medium-term and long-term risks that could impact operational core processes.
Short term Risk

• Has the ability to impact the objectives, key dependencies, and core processes, with the impact being immediate.
• Causes disruption to operations immediately at the time the event occurs.
• Predominantly hazard risks, although this is not always the case.
• Normally associated with unplanned disruptive events, but may also be associated with cost control in the organization.
• Usually impacts the ability of the organization to maintain efficient core processes that are concerned with the continuity and monitoring of routine operations.
Medium-term Risk

• Has the ability to impact the organization following a (short) delay after the event occurs.
• The impact would not be apparent immediately, but would be apparent within months, or at most a year, after the event.
• Usually impacts the ability of the organization to maintain effective core processes that are concerned with the management of tactics, projects, and other change programmes.
• Often associated with projects, tactics, enhancements, developments, product launches, and the like.
Long-term Risk

• Has the ability to impact the organization some time after the event occurs.
• The impact could occur between one and five years (or more) after the event.
• Usually impacts the ability of the organization to maintain the core processes that are concerned with the development and delivery of efficacious strategy.
• Related to strategy, but should not be treated as being exclusively associated with opportunity management.
• Has the potential to undermine strategy and its successful implementation, and can destroy more value than risks to operations and tactics.
Purpose of Risk Classification System

• Formalized risk classification systems enable the organization to identify where similar risks exist within the organization.
• Classification of risks also enables the organization to identify who should be responsible for setting strategy for the management of related or similar risks.
• Appropriate classification of risks also enables the organization to better identify the risk appetite, risk capacity, and total risk exposure in relation to each risk, group of similar risks, or generic type of risk.
Examples of Risk Classification Systems
A summary of the main risk classification systems: COSO, the IRM standard, BS 31100, the FIRM risk scorecard, and PESTLE.
• Operational risk is referred to as infrastructure risk in the FIRM risk scorecard.
• COSO takes a narrow view of financial risk, with particular emphasis on reporting.
• British Standard BS 31100 sets out the advantages of having a risk classification system: it helps to define the scope of risk management in the organization, provides a structure and framework for risk identification, and gives the opportunity to aggregate similar kinds of risks across the whole organization.
• The British Standard states that the number and type of risk categories employed should be selected to suit the size, purpose, nature, complexity and context of the organization. The categories should also reflect the maturity of risk management within the organization.
• The most commonly used risk classification systems are those offered by the COSO ERM framework and by the IRM risk management standard.
• The COSO risk classification system is not always helpful and it contains several weaknesses. For example, strategic risks may also be present in operations and in reporting and compliance.
• Despite these weaknesses, the COSO framework is in widespread use, because the reporting component of the COSO internal control framework is specifically concerned with the accuracy of the reporting of financial data and is designed to fulfil the requirements of the Sarbanes–Oxley Act (a US federal law that established sweeping auditing and financial regulations for public companies).
FIRM Risk Scorecard
• The four headings of the FIRM risk scorecard offer a classification system for the risks to the key dependencies in the organization.
• The FIRM risk scorecard builds on the different aspects of risk, including timescale of impact, nature of impact, whether the risk is a hazard, control or opportunity risk, and the overall risk exposure and risk capacity of the organization.
• The headings of the FIRM scorecard classify risks as being primarily Financial, Infrastructure, Reputational or Marketplace in nature. The classification system also reflects the idea that 'every organization should be concerned about its finances, infrastructure, reputation and commercial success'.
• Financial and infrastructure risks are considered to be internal to the organization, while reputational and marketplace risks are external to the organization. Financial and marketplace risks can be easily quantified in financial terms, whereas infrastructure and reputational risks are more difficult to quantify.
• The FIRM risk scorecard can also be used as a template for the identification of corporate objectives, stakeholder expectations and, most importantly, key dependencies.
• The scorecard is an important addition to the currently available risk management tools and techniques → it is compiled by analyzing the way in which each risk could impact the key dependencies that support each core process.
• Facilitates robust risk assessment by ensuring that the chances of failing to identify a significant risk are much reduced.
Attributes of the FIRM Risk Scorecards
PESTLE Risk Classification System
• PESTLE is an acronym that stands for political, economic, sociological, technological, legal and environmental risks.
• In some versions of the approach, the final E is used to indicate ethical considerations (including environmental).
• This risk classification system is most applicable to the analysis of hazard risks and is less easy to apply to financial, infrastructure and reputational risks.
• The PESTLE risk classification system is often seen as most relevant to the analysis of external risks: the external context that is not wholly within the control of the organization, but where action can be taken to mitigate the risks.
• The PESTLE risk classification system should be used in conjunction with an analysis of the strengths, weaknesses, opportunities and threats (SWOT) facing the organization.
• The PESTLE approach may be most applicable in the public sector, because the external factors analyzed by the PESTLE approach are particularly relevant there.
Thank You