Now that you have a good fundamental knowledge of risk, we can look at the risk assessment process in detail. This section of the module looks at the first part of the risk assessment process which is understanding the context of a risk assessment, communicating with stakeholders, and then the various strategies and techniques you can use to identify the risks to an organisation.
By the end of this chapter, you will understand:
- How to identify the context or scope of a risk assessment
- The importance of communicating with stakeholders
- How to identify and communicate with stakeholders during risk assessments
- Various techniques and processes you can use to identify internal and external risks to an organisation.
Tip
The 'scope' or context means identifying the basic assumptions and environment in which you need to conduct the risk assessment.
Sometimes a risk assessment is carried out on a whole organisation and sometimes it’s carried out on a project, or a division, procedure or business operation. Whatever the risk management process is for, it’s always important that the context, or ‘scope’ of the risk management process is established first. The ‘scope’ or context means identifying the basic assumptions and environment in which you need to conduct the risk assessment. This means you must have a comprehensive understanding of the internal and external environment of the organisation on which the risk assessment is to be carried out.
The Internal Environment
This includes:
- Key market drivers
- Internal stakeholders
- Organisational structure
- Organisation’s resources – people, systems, processes
- Goals and objectives
- Strengths, weaknesses, opportunities and threats to the organisation.
The External Environment
This involves understanding:
- The external factors that influence the business – financial, political and legal factors
- Social and cultural conditions
- External stakeholders.
Setting the Risk Management Context
Setting the risk management context means defining the organisation, project or process on which the risk assessment is to be carried out. It also means defining the full scope of the risk management activities.
Communication with stakeholders is an integral part of all risk assessment processes and ideally all stakeholders should be involved from the start of the process.
Communication with stakeholders helps to ensure that the outcomes, significance and limitations of the risk assessment are clearly understood by all parties. Many stakeholders will have information they can provide to you that will help to inform the risk assessment process. For example, an internal stakeholder may have data in work in progress that could contribute greatly to the outcomes of the risk assessment that you otherwise would not have known.
Communication Plan
Decisions on how stakeholders will be communicated with throughout the risk assessment process is something that will need to be planned based on the types of stakeholders you are working with.
Your communication plan should include what, who, how and when you will communicate processes and outcomes. Communication about risk assessment is most effective if it is conducted throughout the entire process.
Early communication about the issues of concerns and potential concerns need to generate stakeholder input which may elicit feedback in a number of ways. This may be through
- Surveys
- Meetings
- Emails
- Memos
- Website updates
- Press releases
Once initial feedback has been gathered and used in the risk assessment, then preparation and communication of the outcomes of the risk assessment is required. This should be followed by the opportunity for feedback, amendments, additions and corrections from stakeholders before the risk assessment is finalised.
Identifying Stakeholders
When identifying and assessing risks in an organisation or business process, it is important to identify the varying stakeholders that have an interest in the risk assessment process.
Tip
A stakeholder has a vested interest in a company and can either affect or be affected by a business' operations and performance. Typical stakeholders are investors, employees, customers, suppliers, communities, governments, or trade associations.
Stakeholders in risk management include:
- Shareholders
- Board of Directors
- Managers
- Employees
- Clients
- Suppliers
- Industry Groups
- Peak Bodies
- Financiers or Sponsors
- Government Organisations
- Unions
- Environmental Groups
- Community
Stakeholder Mapping
A great way to understand who your stakeholders are and how to identify them is to conduct a stakeholder mapping process.
Tip
Stakeholder mapping is the process of identifying key stakeholders (i.e. individuals or groups with a vested interest in your product or project) and understanding their relationships with each other. This helps you to develop an informed strategy for managing stakeholders throughout the product development process.
Watch the following videos below to learn more about Stakeholder Mapping.
Gathering Information from Stakeholders Using the Delphi Method
The Delphi Method is a structured communication and information-gathering technique used to arrive at a group opinion or decision by surveying a panel of experts. Experts respond to several rounds of questionnaires, and the responses are aggregated and shared with the group after each round.
Note
The Delphi Method is a good way of ensuring your stakeholders are consulted and engaged in the process of risk assessment. It is suitable when you have a large number of stakeholders to consult with, or stakeholders that might be difficult to contact or engage in another way.
This method is named after the oracle of Delphi, a priestess of Apollo who provided prophecies. The basic steps in the Delphi method are as follows:
Step 1
A group expert is formed.
Step 2
Questionnaires are sent to the panel of experts and the experts provide their responses which are often anonymous.
Step 3
Responses are collated and analysed. These are shared with the rest of the group to get feedback on.
Step 4
Another questionnaire may be created based on previous feedback asking whether the group agrees with other comments. This involves several rounds until the group reaches agreement on key issues.
Step 5
A decision is reached by consensus.
Note
Obtaining Support
It is important to obtain support for risk management activities within the organisation. This may mean obtaining support from senior management but may also involve getting the team who will be assisting with the implementation on board, too. To obtain support for risk management, become a risk champion.
What do Risk Champions do?
A risk champion is someone who handles parts of the risk management process on behalf of the business and ensures the business sees and gains the value risk brings in driving success.
Risk champions:
- Aim to change the mindsets of individuals or an organisation’s culture from a compliance burden to a vital part of driving excellence and decision making.
- Strive to change the level of engagement from disengaged or compliant to active or even compelled.
- Strive to improve organisational outcomes from defenceless, vulnerable, or exposed to adaptive and resilient.
There are many approaches you can use to identify the risks in a business, or the area that you are focusing your risk assessment on, which may be a project, or a small part of the business such as a business team or division. The important thing to remember in the initial stage of the risk identification process is that you need as much data as you can gather so you have a broad picture of all the risks the business is facing. You can refine and analyse the risks further, later on in the process.
Here are some of the techniques you can use to identify risks.
SWOT Analysis – An organised process to identify the business’s strengths, weaknesses, opportunities, and threats. This also helps you to gain insight into the organisation’s context as well.
PESTLE Analysis – An approach to identifying the external factors that influences the environment in which an organisation operates. This helps to understand the organisation’s context as well as identifying risks.
Ask ‘What If’ Questions – A simple way to identify risks is to ask ‘what if’ questions. Imagine the worst-case scenarios of what the business could possibly face if things didn’t go according to plan.
Brainstorming – This may be on your own or as part of a team. There are many techniques for brainstorming which we’ll discuss further in this chapter.
Cause and Effect Diagrams – Sometimes called Fishbone Diagrams, these useful diagrams help you think through any problems that are faced within a business and get to the root cause of the problem, which will in turn help you identify your risks.
Consultants – Consult an external consultant who has expertise in the industry, or in risk management and consulting.
Assumption Analysis – Make use of an assumption analysis, assumptions pose risk that should be analysed.
Documentation and Data Review – Review data and documentation from recent business events.
Market Research – Gather information on common risks in the marketplace for organisations in your industry area.
Lessons Learned – Previous risks and failings from the past can inform future planning.
Think
Ask What-If Questions
- Lost electricity for a whole day?
- Had no internet access?
- Important documents were destroyed or not accessible?
- The premises for the main office, shop or site were damaged, or you were unable to access them?
- One of your key staff members quit giving no notice?
- A key supplier went out of business?
- There was a natural disaster or lock-down due to national health emergency (such as COVID-19)?
- The services you need such as main roads were closed
Record Your Risks
As you identify the risks using the techniques described in this topic, you can document them in a table such as the following, along with the event or trigger that causes the risk, as well as the potential impact of the risk. This will form part of your Risk Register and your Risk Management Plan which we discuss further in the next topic.
| Risk Assessment | ||
|---|---|---|
| Risk Identification | ||
| Risk Identified | Event or Threat Triggers | Potential Impact |
Next watch a video explaining ways to improve risk reporting.
A SWOT analysis reviews the strengths and weaknesses of the businesses operating environment while also giving you insight into the internal and external context of the organisation. It identifies factors impacting on the organisation which in turn will help identify risks.
S - Strengths
The strengths section of SWOT analysis allows a company to consider its competitive advantages in the marketplace. These advantages in the marketplace are typically a focal point of the company’s operation and strategic planning. They also often coincide with the way the company markets.
W - Weaknesses
Understanding the weaknesses helps to make them easier to manage. Generally, companies have two approaches to dealing with weaknesses. They can either seek to improve them if those weaknesses restrict the company from implementing its strategies to achieve objectives. Or they realise that their weaknesses are simply a part of the overall business approach and company leaders try to downplay those weaknesses in marketing their brand.
O - Opportunities
The opportunities section is critical to the development of company strategies as it helps the company identify ways to improve and grow. Constantly reviewing market opportunities helps companies take advantage of emerging markets or changes in the marketplace that the company has strengths to match.
T - Threats
Analysing threats helps the company insulate itself from possible external threats. The environment, regulations, technology, and trends are among the possible factors that can threaten the viability and ongoing success of a business. By assessing these risks and challenges, company leaders can better prepare them or decide how to respond from a strategic standpoint.
Convert and Match
Internal weaknesses should be converted into strengths and external threats into opportunities. The identification of weaknesses and threats can be used to identify risks.
Some of the most effective ways you can turn business weaknesses into business strengths include:
- Recognising and accepting your weakness
- Getting guidance from someone you trust
- Be very prepared
- Hire the skills you lack
- Look for ways to serve people with the same problem
This is where the SWOT Analysis is used to help business build, evolve and grow.
How can you turn strengths into opportunities in business?
- Define your strengths. Before you can leverage your strengths, you need to understand your unique abilities
- Set professional goals (using SMART goal techniques)
- Show evidence of your strengths
- Strengthen your strengths
- Choose strength-building behaviours
Next watch this Ted Talk by David Rendall about turning weaknesses into strengths.
A PESTLE analysis is a framework used to conduct an environmental scan to analyse key external factors and risks that could have a direct or long-lasting impact on an organisation. The analysis is flexible, so organisations can use it in a range of different scenarios.
This method is often used as part of strategic planning or risk management processes and provides oversight to the team about the risks in their environment and what should be considered in light of these factors. By grouping the external factors into the six areas of P, E, S, T, L and E, it helps businesses ensure they think about the six areas they need to prepare themselves for in their planning.
| Political Factors |
Political or politically motivated factors that could affect the business. This could include:
|
| Economic Factors |
Economic factors that could affect the business. This may include:
|
| Sociological Factors |
Social attitudes and trends that influence the organisation, staff and the target market. This includes shared beliefs about customer service, value, work, leisure, culture, demographics and so on. Consider: For example, Australians are living longer leading to a larger population of older people.
|
| Technological Factors |
Information technology and biotechnology change people's physiological needs, broadening marketing opportunities, and more platforms are available. Technology affects the way a business distributes, makes and communicates its products and services and the way it does business. Consider:
|
| Legal Factors |
Current and future legal and regulatory forces affecting the business. This might include consumer protection laws, health and safety, employment laws, intellectual property, safety standards, specific industry quality standards and so on. Consider:
|
| Environmental Factors |
The environmental factors that impact the organisation and the natural resources used. This includes considering the organisation's carbon footprint, pollution, recycling and waste, energy usage, environmental regulations and so on. Consider:
|
gThe following articles will help you learn about the basics of brainstorming and why brainstorming is a useful tool in a business environment as well as some of the basics of running a good brainstorming session. Brainstorming the possible risks in the different areas of your business is a common approach to identifying risks in an organisation or business area.
Websites
Key Points: Basic Rules of Good Brainstorming
1. Never go in with an empty slate.
A structured brainstorming session always drives more outcomes. That’s why there are lots of brainstorming techniques around you can choose from.
2. Go for quantity.
Get the ideas out quickly during the session. The idea is to get as many ideas out as possible and to assess whether they are viable or ‘good’ ideas later.
3. Make it a judgement-free zone.
Let the ideas flow during the brainstorming session. Ideas should be assessed after the session for their viability.
4. Build on the ideas of others.
Make ‘but’ a no-no word in the brainstorming session and encourage your team to build on the ideas of others.
5. Stay focused on the topic.
Sometimes brainstorming may go a little off-track. Bring it back to the topic at hand if you find the ideas have lost focus.
6. Be visual.
Use a whiteboard, coloured markers to group ideas, and/or post-it notes for each idea.
Next look at the following videos to explain what is Brainstorming, and some of the best ways to do this.
Below please find an example of a Brainstorming session that CBSA managers had recently in a board meeting. The managers were identifying current issues that need to be addressed and worked on for the growth of the company and to move forward.
Mind Mapping
You may know this common technique of brainstorming called mind mapping. It works like the branches of a tree that keep forming as new ideas are generated.
- Key words are written around one, or a few key topics.
- As new sub-ideas arise out of a key word, they are written around the words with a link to the original word.
- This process keeps repeating, creating many branches.
Brainstorming is simply thinking aloud and suggesting as many ideas as possible, no matter how mad they seem, without analysing or criticising them.
Mind mapping is a way to get all of the ideas in your head down onto paper - a visual representation of your ideas.
Note
Thinking back to the Types of Risk in the beginning of the module, a strategy for mind-mapping on risk could be to have the types of risk as the key words written around the word Risk on your whiteboard. Remember, you need to use words that are going to spark ideas for your team. If you use the Types of Risk – Operational, Strategic, Compliance Risk and so on, these might not make sense for your team. However, if you use the internal and external risk factors, these words might help your team come up with ideas. Your team could then start mind mapping all the risks that come out of those categories.
Below see an example of what a Maind Map looks like. Here we have used the CBSA as our example. In the Mind Map, we have looked at CBSA and all the services they offer. Under the services they offer, we have broken down to the individual tasks each role has to help present to stakeholders in the business.
An affinity diagram is the outcome of a brainstorming session. It organises a large number of ideas into groups or categories. After ideas are generated, the ideas are grouped by their affinity or similarity.
To create an Affinity Diagram:
- Record each idea during a brainstorming session on a separate sticky note or piece of card.
- During the brainstorming session, the team might spark new ideas from other similar ideas and those sticky notes can be placed next to each other.
- Organise ideas that are related and place them next to each other.
- Create a heading for each group that assimilates each grouping.
Find below an example of what an Affinity Diagram looks like.
Think
Thinking back to the Types of Risks in the beginning of the module, your Affinity Diagram could be organised into the Types of Risks – Strategic, Operational, Compliance, and so on. If you don’t have any or enough risks under one category, you could brainstorm more for this area.
See an example below using the previously reviewed CBSA work samples on the progression of a Brainstorm to a Mind Map to creating an Affinity Diagram.
A Cause-and-Effect Analysis is a way of identifying the potential causes of problems within a business. It is sometimes called a Fishbone Diagram as the resulting analysis usually looks like a fishbone. It is used to identify the potential root causes of a problem, discover bottlenecks in processes and identify where and why processes aren’t working, how they can be improved as well as future proof against risks.
When identifying risks, it can be useful to think about the business and any problems or large challenges the business has faced recently or over the last 12 months, as an example. To conduct a Cause-and-Effect Analysis, complete the following steps:
Step 1
Identify the problem.
Step 2
Brainstorm the major factors that lead to the problem. These become the major stems of the diagram.
Step 3
Identify possible causes for each factor. These become the smaller stems of each branch.
Example
Henry Thomas from CBSA has had numerous issues with projects at CBSA over the past twelve months. Numerous clients have had their projects delivered late and project expenditure had gone through the roof. He has been finding that their project management system hasn’t been kept up to date with key milestone dates promised to clients and the internal team are confused about what’s been promised to clients and when. The Chief Finance Officer has reported higher costs than expected because tasks have not been managed properly requiring considerable rework at times. He creates the following Cause and Effect Diagram.
Next watch a video explaining the process and how to create a Cause and Effect Diagram.
Another way to find out about risks is to look back on past records. You can look into what has gone wrong in projects, where budgets have creeped, where clients were dissatisfied with outcomes, where managers and staff gave poor feedback, where there were positive outcomes, but things could have been better and so on.
You may be able to gather useful data from:
- Continuous improvement records
- Lessons Learned Forms
- Completed project debriefing forms and meeting minutes
- Feedback from clients and staff
- Staff exit interviews.
Example
Once you get to the end of your risk identification process, you may have a list that looks something like the one down below.
| Risk Identification | ||
|---|---|---|
| Risk Identified | Event or Threat Triggers | Potential Impact |
| Fire or flood | Arson, storm, electrical fault | Potential for injury, risk to buildings, assets, shutdown operations |
| Loss of power for more than one day | Storm, electrical faults | Shutdown operations, inability to service customers |
| Loss of water for more than one day | Storm, electrical faults | Staff unable to attend offices, loss of wages |
| Invoices not paid for more than 60 days | Bankruptcy of clients | Unpaid invoices, profit and loss margins affected, cashflow affected |
| Brand fatigue | Customers are bored by marketing content | Lack of engagement by customers, failure to attract new customers |
| Poor cashflow | More expenses than income | Not able to meet supplier payments and pay obligations when they become due |
| Non-compliance with legislation | Poor quality assurance processes | Risk to business continuity |
| Low customer satisfaction | Low product or service quality | Loss of business, fail to attract repeat business |
| Staff not providing the right information to customers | Lack of staff training, poor induction, poor communication channels | Low customer satisfaction |
| Machinery failure or breakdown | Breakdown or failure of machinery | Unable to continue work for the entire department, loss of wages and productivity |
Q1. What, when and how would you communicate with stakeholders about a risk assessment?
Q2. What is a PESTLE analysis and how can it be useful in risk assessment?
Q3. What do you need to understand in order to know the scope and context of a risk assessment?
Q4. Explain in your own words that previous records might be able to assist you in understanding future risks of an organisation?
Q5. How does brainstorming help to ensure you understand the risks of an organisation?
