Analysing Risks

Submitted by coleen.yan@edd… on Tue, 08/08/2023 - 15:35

In this section you will learn to:

  • Assess likelihood of risks occurring
  • Assess impact or consequence if risks occur
  • Evaluate and prioritise risks for treatment
  • Communicate risk management process to relevant stakeholders  

Supplementary materials relevant to this section:

  • There are no readings for this section of the module

This section of the module focuses on risk analysis. Risk analysis involves assessing the likelihood of risks occurring, assessing the impact or consequences if those risks were to occur and finally evaluating and prioritising risks for treatment. In this section you will learn how to:

  • Assess likelihood of risks occurring
  • Assess impact or consequence if risks occur
  • Evaluate and prioritise risks for treatment

The likelihood of risk is the probability of a given risk occurring. Risk likelihood needs to be determined so that the organisation can evaluate the relative priority of each risk (Hopkin, 2017). The likelihood of a risk occurring can be determined through the following:

Likelihood of risk
  • History
  • Forecasting
  • Mathematical modelling
  • Expert opinion
  • Gut instinct

The next step is to establish a likelihood rating system. Most systems use terms like very unlikely, unlikely, possible, likely, very likely and almost certain. Each term then needs to be defined for consistency. In the extract below Hopkin defines four common terms for risk likelihood. Hopkin (2017) also points out that it is a good idea to use an even number of terms on the scale to reduce the bias of central tendency, whereby assessors are more likely to select a middle option if given the choice.

Likelihood rating system

Unlikely: Can reasonably be expected to occur, but has only occurred 2 or 3 times over 10 years in this organization or similar organizations

Possible: Has occurred in this organization more than 3 times in the past 10 years or occurs regularly in similar organizations, or is considered to have a reasonable likelihood of occurring in the next few years

Likely: Occurred more than 7 times over 10 years in this organization or in other similar organizations, or circumstances are such that it is likely to happen in the next few years

Almost certain: Has occurred 9 or 10 times in the past 10 years in this organization, or circumstances have arisen that will almost certainly cause it to happen

(Hopkin, 2017)

The impact or consequences of a risk occurring refers to the significance of the outcomes if a risk were to occur. Risk impact in conjunction with risk likelihood is used to determine the relative priority of each risk for treatment. Risk impact can be measured on a scale from small to catastrophic (Hopkin, 2017). According to Ostrom and Wilhelmsen (2019) when determining the relative impact of a risk, the risk professional should consider the following:

  • What will happen if the risk occurs?
  • How severe are the consequences of the risk occurring?
  • Who will be affected by the risk occurring?
  • How many people will be affected?
  • How large an area will be affected?
  • Will it be possible to repair the damage?
  • How long will it take to repair?
  • How much will it cost to repair?
  • Who will have to pay for the repairs?

As is the case with risk likelihood, risk impact can be determined using history, forecasting, mathematical modelling, expert opinion, or gut instinct. In the following extract, Hopkin (2017) provides generic definitions for some commonly used risk impact terminology.

Risk impact

Small - no impact on patient health; minor reduction of reputation in the short run; no violation of law; negligible economic loss which can be restored.

Moderate - minor temporary impact on patient health; small reduction of reputation that may influence trust for a short time; violation of law that results in a warning; small economic loss that can be restored.

Severe - serious impact on health; serious loss of reputation that will influence trust and respect for a long time; violation of law that results; large economic loss that cannot be restored.

Catastrophic - death or permanent reduction of health of patient; serious loss of reputation that is devastating for trust; serious violation of law; considerable economic loss that cannot be restored.

(Hopkin, 2017)

The relative priority of a risk is determined by its likelihood and impact. Risks which are unlikely to occur and would have a small impact are a low priority. Conversely, risks which are almost certain to occur and have a catastrophic impact would obviously be a very high priority for any organisation. Priority can be determined using a matrix like the one following (Hopkin, 2017). In this matrix impact is represented on one axis and likelihood represented on the other. Essentially, the relative priority of risks will determine the order in which they are treated and the amount of time, money and resources that will be spent on treatment (Hopkin, 2014).

Once you have determined the likelihood and impact of each risk, you can use this information to determine their overall priority and decide which risk to treat first. One common way to evaluate risks is to calculate their level of risk using the following formula:

Level of risk = consequence x likelihood

The calculated level of risk is then compared against the level of risk table shown below (Business Queensland, 2022). For example, suppose you wish to evaluate the level of risk of a flood. You decide that a flood at your business premises is likely (i.e., a score of 3) and that it may have a severe consequence (i.e., a score of 3) for your business. Therefore, flood has a risk rating of 9 (i.e., 3 x 3 = 9), which is a high priority.

| Risk Rating | Description | Action |
|---|---|---|
| 12-16 | Severe | Needs immediate corrective action |
| 8-12 | High | Needs corrective action within 1 month |
| 4-8 | Moderate | Needs corrective action within 3 months |
| 1-4 | Low | Does not currently require corrective action |

Level of risk

As you can see, risks with low likelihood and impact will have a low priority and risks with a high likelihood and impact will have a high priority. The relative priority of risks will determine the order in which they are treated and the amount of time, money and resources that will be spent on treatment.

On top of the risk itself, you should also keep in mind how important the activity is to your business and how much control you have over the risk. You can also consider the other side of the coin – think about whether there are any potential benefits or opportunities presented by the risk. While risk evaluation is effective in helping you to prioritise risks so you can appropriately distribute your time and resources to treat them, there are some urgent risks, such as accidents and injury, that you need to attend to immediately.

Reflect

Think of three or four different risks (they don’t need to be work related) and try to determine their relative priority using the risk matrix above. Keep in mind that risks can have a different priority depending on the person or organisation doing the analysis – for example, the relative priority of a bee sting will be greater if the person doing the analysis is allergic to bee stings.

We will now return to our case study of Wendy Olsen, the production manager of a small manufacturing business, as she assesses the likelihood and impact of various risks and prioritises those risks for treatment.

Case Study

Stella Shoes

The operations manager of Stella Shoes, Wendy Olsen, recently identified a number of risks in her department. Next, she had to prioritise each risk based on its likelihood and impact. Wendy used the generic definitions identified in this section to assess the likelihood and impact of those risks. Finally, she prioritised the risks for treatment using the matrix above. Her results can be seen in the table below.

| Risk | Likelihood | Impact | Priority |
|---|---|---|---|
| Burns | Likely | Severe | High |
| Broken bones | Likely | Severe | High |
| Lacerations | Likely | Severe | High |
| Fire | Likely | Catastrophic | High |
| Respiratory disease | Unlikely | Catastrophic | Medium |
| Wastage | Almost Certain | Small | Medium |
| Sprains/strains | Almost Certain | Moderate | Medium |

There is no point in understanding and managing risks if they are not communicated or discussed among staff and key stakeholders. Let’s take a look at how we can communicate risk and the next steps to take when a risk to the organisation has been identified.

Risk reporting

Risk reporting is a key method of communicating risk across business units and between multiple layers of an entity. Risk reporting generally informs stakeholders of the following:

  • Risk events which have occurred and near misses - this can include an analysis of the cause of risk events and near misses and, where appropriate, identify expected versus unexpected risk events or losses.
  • The current status of the risk profile - this type of reporting is the most common and includes information about the entity’s risks and how they are being managed. It is important to consider who this information will be reported to (i.e., who needs to know).
  • The current risk exposure - this is a succinct analysis of how much risk you are exposed to. Reporting risk exposure generally involves Key Risk Indicators (KRIs) across all categories of risk. KRIs are a mix of qualitative and quantitative measures that provide insight into how the underlying risk profile of the entity might be changing before the risk occurs.
  • Emerging and future risks - this type of reporting is forward looking and often involves scanning the external environment. Scenarios may also be used to demonstrate the potential consequence should emerging risks occur and drive discussion about the entity’s strategic options. This reporting may also include existing risks which are potentially impacted by emerging or future risks.

Find out more...

If you would like to find out more on Key Risk Indicators (KRIs), see the information sheet from Comcover – Understanding Risk Appetite and Tolerance.

These approaches to communicating risk will enable the entity to understand if it is operating within its risk appetite and tolerances as well as providing a greater understanding of potential threats and opportunities.

Risk reporting will be most effective where it is embedded in management level discussions and linked to broader management reporting. However, formal risk reporting regimes are only one form of risk communication and, while they are important, they cannot be relied upon alone. It is also important to continually communicate what you’re doing in relation to risk management and why you’re doing it.

Communication channels for risk

There are a number of channels to communicate risk in your entity, both formal and informal. Some common channels are outlined below.

  • Risk forums and committees - risk forums provide oversight of risk through discussion of key issues by a group with appropriate representation. Whilst multiple risk committees can exist, most commonly there is a primary risk and/or audit committee which has oversight of risk, compliance and audit matters. The nature and type of forums and committees will depend on the underlying nature of an entity’s responsibilities and operations. When considering additional risk forums, consider whether internal communication is required to manage shared risk more effectively. Additionally, where the entity is exposed to specialised risks, consider establishing a separate risk forum or committee to enable a more robust discussion on that particular area of risk. Common specialised risk forums include project and program risk; safety and environmental risk; security risk management; and technology risk.
  • Face-to-face meetings - where possible, meeting with key officials is the best way to start the risk management process and to communicate key risks. Informal meetings can also give officials the opportunity to ask questions and can make them feel more involved in the risk process.
  • Internal reporting channels - where sensible, consider embedding the risk conversation into your entity’s existing communication channels. This can be through newsletters, intranet pages, emails or even flyers and posters. This can help to inform officials about the risk management program as well as communicating key risks.

Practical steps for developing a risk communication plan

Risk communication and consultation plans are a way of identifying and formalising the approach the entity will take to communicate risk issues both internally and externally. It details the key stakeholders involved and the approach to be taken to communicate risk information, changes and concerns with each party.

When developing a risk communication plan, consider the stakeholders involved, communication method, purpose, content, timing and required frequency of communication.

Step 1 - Identify and understand stakeholders
Who is it?

  • R (Responsible): The person assigned to deliver / execute a particular activity
  • A (Accountable): The ultimate decision-maker and owner of the activity and its associated outcomes
  • C (Consulted): The party/parties whose expertise and/or opinions must be sought and clarified prior to undertaking the activity or making decisions
  • I (Informed): The party/parties who are required to know that the particular activity or decision has been undertaken.

Example Program/policy risk management
Program/policy owner
  • Accountable authority
  • Audit or Risk Committee
  • Accountable Authority
  • Audit or Risk Committee
  • Senior Executive Committee(s)
  • Staff
  • Functional Management
  • Parliament / relevant minister(s)
  • Other Commonwealth departments / entities / cross-jurisdictional departments
  • Medical / Community interest groups / general public

Let’s consider the ‘RACI’ approach – Responsible, Accountable, Consulted and Informed – to identify key stakeholders and what their roles will be throughout this process. Once established, these may be incorporated into the risk management plans of the entity, division and/or specific risk owner, as appropriate. This discipline is particularly useful for shared and complex risk where stakeholders may be distributed and not immediately apparent.

Step 2 - Determine communication type and method

Once stakeholders have been identified, their expectations and information needs can be determined. Think about what each stakeholder needs to know in order to assist with implementing decisions, and what the best method is to communicate this to them. The manner in which risk information is exchanged will vary depending on the role of stakeholders in managing risk.

Step 3 - Establish a common language

It is common for large entities to operate multiple risk activities or programs, each tailored for specialist types of risk within different areas of the entity. However, a single overarching risk framework provides the basis for a common risk management approach, language and terminology to encourage consistency in the understanding and communication of risk.

Step 4 - Define the specific purpose of the communication

Stakeholder consultation can be used to raise the awareness and perceptions of risk management. Engagement with stakeholders allows for a greater understanding of the diversity of stakeholder needs as well as perceived gaps in the existing communications approach. This will enable communication to be increasingly targeted and increase the value of risk discussions.

Step 5 - Determine the frequency of communication

For each stakeholder and type of communication, an appropriate frequency needs to be determined depending on the nature and impact of the content. This should take into consideration the status of the risk in the context of risk appetite, threat to objectives, the severity of risk and when the risk is expected to occur. Consider the availability of relevant information when determining the appropriate frequency of communication. Ideally, information communicated will raise awareness and provide sufficient time to drive both proactive and corrective actions.

Step 6 - Assign responsibility for communication

For each stakeholder and communication channel, consider who the most suitable person(s) is for providing the communication in a timely manner, as per the risk communication plan.

This section of the module has focused on analysing the likelihood and impact of risk. You have learned how to determine the likelihood and impact of risk using a risk matrix, as well as how to evaluate and prioritise risks for treatment based on their relative likelihood and impact. 
