
How to Conduct a Risk Assessment

Developed by: Frank M Giannattasio, MBA, ARM
Senior Manager, Enterprise Risk & Business Continuity Management
ORIMS (Office of Risk & Insurance Management Services)

Workshop Objective

- learn what risk is,
- how to classify risk,
- risk categories and characteristics,
- how to conduct a risk assessment.

An interesting thought…
“The cost of responding to unanticipated problems is
always much larger than the cost of risk responses
planned well in advance.”
Author Unknown

“It ain’t what you don’t know that gets you into trouble,
it’s what you know for sure that just ain’t so.”
Mark Twain

Risk Assessment Workshop

So what is the first step? Where do we begin?

- We need to start with an explanation of what we mean by “risk.”

Risk Assessment Workshop

- What is a risk?
- Any ideas?
- What do you think it is?

What is Risk?

According to Merriam Webster, risk can be identified as:

- Possibility of loss or injury
- Someone or something that creates or suggests a hazard
- The chance of loss or perils in an insurance contract

What is the IEEE Definition of Risk?

The IEEE definition of risk includes:

- The combination of the probability of an event and its consequences
- The opportunities, uncertainties, threats, and barriers to which IEEE must respond in order to achieve its objectives

Where Can We Find Risk?

- Risk is inherent in all types of undertaking and may carry the potential for benefit or be a threat to success

How Do We Classify Risk?

Risk can be defined as:

- The combination of the probability of an event and its consequences
- The opportunities, uncertainties, threats, or barriers to which IEEE must respond in order to achieve its objectives

Risk in the Business World

Let’s review where we find risk in the business world:

- External
  - Exposure to uncertainty affecting the communities served by IEEE (Members, Volunteers)
- Financial risks
  - Exposure to uncertainty regarding the management and control of the finances of the organization (Conference Banking, Cash Reserves)
- Exposure to loss arising from damage to property or from fortuitous acts, typically including the perils covered by insurance (Fire in Building, Injury to Visitors in Offices)

Risk Categories

- Human Assets: Exposure to uncertainty related to compliance with personnel policies and procedures, employee morale, and organizational culture
- Legal/Regulatory Compliance: Exposure to uncertainty related to laws, statutes, and administrative regulations that govern how IEEE operates (PCI compliance issues, State and Federal Laws)
- Operational: Exposure to uncertainty related to day-to-day business activities (Reduced membership, Loss of sales of publications)
- Reputational: Exposure to uncertainty related to brand, perceived value, organizational status, and public perception and trust (Media related issues)
- Strategic: Exposure to uncertainty related to long-term policy directions of the organization. These are ‘big picture’ risks (Electronic publishing, handheld delivery of products)

Characteristics of Risk

There are two characteristics of risk: probability and severity.

- Probability ranges from Unlikely to Definite
- Severity ranges from Insignificant to Catastrophic

Risk Probability

A risk can be classified under one of five probability categories:

- Definite: Almost certain, high probability
- Likely: Something that may happen, better than 50/50
- Occasional: Risks which have a near 50/50 chance
- Seldom: Risks that have a low chance of occurrence but still cannot be ruled out completely
- Unlikely: Rare and exceptional risks, less than 10% chance

Risk Severity

The consequences of a risk define its severity and can fall into five categories:

- Catastrophic: Highest level, deal breakers, priority #1
- Critical: Significantly large consequences
- Moderate: Not a great threat, but considerable
- Marginal: Some risk, not too significant
- Insignificant: Near negligible

Risk Management Matrix

Using the estimated probability and severity, we are able to identify potential risk impact.

The Risk Universe

The Risk Universe was designed to present the IEEE risk portfolio in the form of risk statements, grouped by major categories: Strategic, Operations, Financial/Reporting and Legal/Compliance.

The Risk Universe was revised to include a visual indicator of the estimated probability & severity, and the Heat Map was developed.

How to perform a risk assessment?

- Review the Risk Universe
- Are there any risks to the business that could negatively impact the achievement of our strategic goals?
- Are those risks identified in the Risk Universe?
- Is there a risk that is not identified?
- What is that risk?
How to complete the Risk Universe

- Review each statement in the risk universe and decide if it is a risk to your unit
- For each statement that is a risk, determine the severity of the risk
- Apply the heat map color to signify the risks that pose the greatest impact to your unit versus those that have the least impact
- Not every statement may apply to your unit

HEAT MAP
- mission critical, high risk impact
- significant impact, requires attention
- moderate impact, needs attention
- least impact, lower priority than top 3
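The Risk Management Matrix and the steps for completing the Risk Universe, carried through as a worked example. This is added illustration code, not an ORIMS tool and not part of the workshop material: the five probability levels, five severity levels and four heat-map tier names are the ones on the slides, while the numeric weights (1 to 5), the product-based score, the tier thresholds, and the applicability and ratings of the sample statements for a hypothetical unit are assumptions made here, since the slides do not reproduce the matrix itself.

```python
"""Risk Universe scoring for one unit (added example, not ORIMS tooling).

Probability levels, severity levels and heat-map tier names come from the
workshop slides. The numeric weights (1..5), the product score and the tier
thresholds are assumptions for this example; the slides do not reproduce
the matrix itself.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Probability(IntEnum):
    """Five probability levels from the slides, ordered low to high."""
    UNLIKELY = 1     # rare and exceptional, less than 10% chance
    SELDOM = 2       # low chance, but cannot be ruled out completely
    OCCASIONAL = 3   # near 50/50
    LIKELY = 4       # better than 50/50
    DEFINITE = 5     # almost certain


class Severity(IntEnum):
    """Five severity levels from the slides, ordered low to high."""
    INSIGNIFICANT = 1  # near negligible
    MARGINAL = 2       # some risk, not too significant
    MODERATE = 3       # not a great threat, but considerable
    CRITICAL = 4       # significantly large consequences
    CATASTROPHIC = 5   # deal breakers, priority #1


# Heat-map tiers as named on the slides. The minimum product score that
# places a risk in each tier is an assumption made here.
HEAT_MAP: Tuple[Tuple[int, str], ...] = (
    (15, "mission critical, high risk impact"),
    (8, "significant impact, requires attention"),
    (4, "moderate impact, needs attention"),
    (1, "least impact, lower priority than top 3"),
)


def score(probability: Probability, severity: Severity) -> int:
    """Combine the two characteristics of risk into one score in 1..25."""
    return int(probability) * int(severity)


def heat_map_tier(probability: Probability, severity: Severity) -> str:
    """Map a (probability, severity) pair to its heat-map tier label."""
    s = score(probability, severity)
    for minimum, label in HEAT_MAP:
        if s >= minimum:
            return label
    raise ValueError(f"score {s} is below every tier threshold")


@dataclass
class RiskStatement:
    category: str
    statement: str
    applies_to_unit: bool            # "Not every statement may apply"
    probability: Optional[Probability] = None
    severity: Optional[Severity] = None


def assess_unit(statements: List[RiskStatement]) -> List[Tuple[str, str, int, str]]:
    """Follow the slide's steps: keep statements that are a risk to the unit,
    rate each one, attach its heat-map tier, and rank highest impact first.
    Returns (category, statement, score, tier) tuples."""
    rated = []
    for r in statements:
        if not r.applies_to_unit:
            continue
        if r.probability is None or r.severity is None:
            raise ValueError(f"{r.statement!r} applies to the unit but is unrated")
        rated.append((r.category, r.statement,
                      score(r.probability, r.severity),
                      heat_map_tier(r.probability, r.severity)))
    rated.sort(key=lambda row: row[2], reverse=True)
    return rated


# Constructed sample: four statements taken from the Risk Universe slide,
# with applicability and ratings invented for a hypothetical unit.
SAMPLE_UNIT = [
    RiskStatement("Operations", "hacking/breach of IEEE unit", True,
                  Probability.LIKELY, Severity.CRITICAL),
    RiskStatement("Financial/Reporting", "Local unit cash balance not reported/remitted",
                  True, Probability.OCCASIONAL, Severity.MODERATE),
    RiskStatement("Strategic", "Loss of strategic partnerships", False),
    RiskStatement("Legal/Compliance", "Enforcement of Privacy Laws", True,
                  Probability.SELDOM, Severity.INSIGNIFICANT),
]

if __name__ == "__main__":
    for category, statement, s, tier in assess_unit(SAMPLE_UNIT):
        print(f"[{s:2d}] {tier:<42} {category}: {statement}")
```

One point worth checking in any matrix a unit adopts: with a plain product score, an Unlikely but Catastrophic risk lands in the "moderate impact" tier (1 × 5 = 5), below a Likely but Marginal one (4 × 2 = 8). Many risk matrices therefore escalate the Catastrophic row regardless of probability; the thresholds here are only an assumption, and the unit's own matrix should decide that question explicitly.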
IEEE Risk Universe for (unit name here)
IEEE RISK UNIVERSE
CONFIDENTIAL WORK PRODUCT

STRATEGIC

Strategy & Initiatives
- Succession Planning

Volunteer Engagement
- Timely and robust communications with MGA/Region leadership
- Including competition's IP in IEEE content
- Lack of products for practicing engineers
- Organizers choose alternate partners for conferences
- Ability to conduct business internationally (L&C)

Communications & Stakeholder Relations (L&C)
- Loss of brand value
- Unmoderated social media
- Loss of strategic partnerships
- Misuse of IEEE brand
- Creation of unauthorized IEEE domains
- Misrepresentation on the IEEE site
- Copyright infringement on the IEEE site
- Communications regarding Conference cancellations
- Web content

Market Dynamics
- Political unrest
- Declining global economy
- General economic conditions
- General loss of membership
- Dilution of IEEE message

OPERATIONS

Marketing & Business Development
- Compliance with contract terms (L&C)
- Loss of brand value (L&C)
- Inadequate investment in new products

Supply Chain (Business Partners)
- Management of third party vendors
- Disruption of services due to external vendors
- Third party service delivery

People (Human Assets)
- Generational and cultural differences
- Hiring of employees by sections & conferences
- Unexpected/inappropriate human behavior (L&C)
- Succession planning not defined
- Use of temporary services (L&C)
- Use of consultants (L&C)

Information Technology
- Use of cloud computing providers (L&C)
- Data security (non IEEE hosted sites)
  - security of web content
  - hacking/breach of IEEE unit
  - cyber attack
  - unauthorized access
  - loss of data, theft of data
- inadequate equipment, applications
- system/service failures

Emergency Preparedness (L&C)
- Civil disturbance
- Testing of BCM/DR plan
- Conference cancellations
- Effect of emergency conditions
- Safety at large gatherings
- Crisis communication plan not tested
- Pandemic response

Physical Security
- Testing of BCM/DR plan
- global (non US) offices
- Safety at large gatherings

FINANCIAL/REPORTING

Billing & Collections
- Foreign currency exchange rate volatility
- Customer defaults on accounts receivables

Market (Interest Rate)
- Foreign currency exchange rate volatility
- Impact/Effect on business internationally (L&C)
- Value of investments (IEEE)

Liquidity & Credit
- Local unit cash balance not reported/remitted
- Use of CB accounts when possible
- Banking relationships/Line of credit

Accounting & Financial Reporting
- Accounting for US and non US entities
- Exposure to net income loss
- Lack of timely/accurate financial reporting
- Geographically dispersed (local) cash accounts
- Proper controls on expenditures
- Conference cancellations
- Unauthorized purchases by volunteers (L&C)
- Applicable accounting changes

Tax and related issues
- Taxes for US and non US entities (L&C)
- Proper collection & remittance of taxes
- Applicable accounting changes

LEGAL/COMPLIANCE

Governance
- Development and enforcement of policies & procedures
- Use of MOU's
- Transparency and accountability in communications with elected leadership
- Management of executive sessions
- Hierarchy of IEEE and MGA policies and procedures

Code of Conduct
- Education, training, monitoring and auditing compliance
- Governance, reporting and investigation of Code of Ethics, Principles of Business Conduct/Conflict of Interest violations
- Enforcement and discipline under Code of Ethics, Principles of Business Conduct/Conflict of Interest and related policies

Legal
- Creation of non US entities/subsidiaries/offices
- Compliance with applicable laws of 160+ countries
- Compliance with written and oral contract terms
- Intellectual Property protection
- Enforcement of Privacy Laws
- Violation of government rules or regulations
- Major contract negotiations
- Records retention/data retention

Regulatory
- Compliance with applicable domestic regulations
- Compliance with OFAC and related regulations
- Independent contractors

HEAT MAP
mission critical, high risk impact
significant impact, requires attention
moderate impact, needs attention
least impact, lower priority than top 3

LEGEND
(L&C) denotes that the risk statement includes a Legal/Compliance element
Risk Statements developed from RIAG Risk Assessment
Risk Statements may appear in more than one category

QUESTIONS?

If you have any questions or wish to discuss this in greater detail, please contact:

orims@ieee.org
