Scribd Logo
Upload

Welcome to Scribd!

  • Risk Identification Made Simple - 10 Ways To Identify New Risks

    Uploaded by

    Ashok
    63 views3 pages
    RIMS

    Original Title

    Risk Identification Made Simple _ 10 Ways to Identify New Risks

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    RIMS

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    63 views3 pages

    Risk Identification Made Simple - 10 Ways To Identify New Risks

    Uploaded by

    Ashok
    RIMS

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    12/23/2017 Risk Identification Made Simple | 10 Ways To Identify New Risks

            

    Type to search, then press enter

    HOME CAREERS CONTACT US

    ABOUT US SERVICES INDUSTRIES INSIGHTS CLIENTS PUBLIC TRAINING

    “Engaging InConsult
    to undertake a project
    implementation
    review proved to be
    an excellent choice.
    The knowledge and
    experience of their
    consultant made the

     
    Risk Identi cation Made Simple
    Whilst a SWOT Analysis is a good fast way to discover new opportunities and identify threats, many
    organisations have gone beyond this relatively simple approach and embraced more advanced forms of
    identifying and assessing risks and opportunities.
    The move by many organisations to adopt an Enterprise-wide Risk Management (ERM) approach has
    directed organisations towards a more structured approach to identifying and managing risk.  In this
    context,
    Tony Harb from InConsult explores the various risk identi cation and assessment approaches
    organisations can choose from.   

    ISO/IEC 31010:2009
    Did you know there is a whole standard dedicated to risk assessment techniques?  ISO/IEC 31010:2009
    Risk management – Risk assessment techniques is a supporting standard for ISO 31000 Risk
    management – Principles and guidelines and provides guidance on how to select and apply systematic
    techniques for risk assessment. It contains around 30 separate techniques…although some techniques
    do cross over.
    It’s not critical that managers know all 30, but knowing more about these techniques will help you better
    align the risk assessment process with your risk assessment objectives. 

    1. Brainstorming 
    Brainstorming involves a group of people working together to identify potential risks, causes, failure
    modes, hazards and criteria for decisions and/or options for treatment. Brainstorming should stimulate
    and encourage free- owing conversation amongst a group of knowledgeable people without criticising
    or rewarding ideas.

    It is one of the best and most popular ways to identify both risks and key controls and is the basis for
    most risk workshops.

    2. Interviews 
    During a structured interview, interviewees are asked a set of prepared questions to encourage the
    interviewee to present their own perspective and thus identify risks.
    Structured interviews are frequently used during consultation with key stakeholders when designing the
    risk management framework. As an example, structured interviews are good to gauge risk appetite and
    tolerance when developing risk appetite statements. 

    http://www.inconsult.com.au/risk-identification-made-simple/ 1/3
    12/23/2017 Risk Identification Made Simple | 10 Ways To Identify New Risks

    3. Checklists 
    Checklists are pre-populated lists of hazards, risks or control failures that have been developed usually
    from experience, either as a result of a previous risk assessment or as a result of past failures or
    incidents.
    Auditors often prepare checklists of key controls to aid in their assessment of control e ectiveness and
    the internal control environment.
    WARNING: We strongly recommend that risk checklists only be used as a secondary form of risk and
    control identi cation.  Relying entirely on checklists can restrict ‘risk thinking’.  Remember back to year 6
    when you used to look at the back of your maths book for the answers before attempting to solve the
    problem…it’s a bit like that! 

    4. Structured “What-if” Technique (SWIFT)  


    This is a systematic, team based exercise, where the facilitator utilises a set of ‘prompt’ words or phrases
    to stimulate participants to identify risks.
    One organisation was looking at reducing service levels in a number of areas to reduce its operating
    costs and SWIFT was used to analyse the impact of each reduced service level. Risks were then identi ed
    and assessed. Where risks could not be reduced to a tolerable level, the service level was maintained.

    5. Scenario Analysis  
    Closely related to SWIFT.  Here a scenario is a short story or description of a situation of how a future
    event or events might turn out or look like.  For each scenario, participants re ect and analyse the
    potential consequences and potential causes when analysing risk.
    Scenario analysis can be used to identify opportunities for fraud. For example, a scenario could be “A
    sta member has just admitted to defrauding or company of $50,000 over 8 years through ctitious
    expense claims…how can this happen?” 

    6. Fault Tree Analysis (FTA) 


    This method is similar to a form of creative thinking called reverse brainstorming. This technique is used
    for identifying and analysing factors that can contribute to a speci ed undesired event (called the “top
    event”). Causal factors are then identi ed and organized in a logical manner and represented pictorially
    in a tree diagram.
    For example, if you want to improve customer service, state the objective in reverse e.g. “How can we
    really annoy our customers?” and from this statement, use brainstorming to identify causes that could
    annoy customers. 

    7. Bow Tie Analysis 


    They say “a picture is worth a thousand words” and this method is a perfect example.   Bow tie analysis
    is a diagrammatic way of describing, linking and analysing the pathways of a risk from causes to
    e ects/consequences. 
    Unlike the risk register, there are no numbers in this analysis i.e. there is no risk or control evaluation
    involved. This keeps the focus on understanding the relationships between the causes, event and
    consequences.
    TIP: After a brainstorming session, bow tie analysis is a great way to clean up the ideas generated and
    consolidate the results into more appropriate risk statements. 

    8. Direct Observations 
    Simply looking out for risks and being situationally aware is not included in ISO/IEC 31010 as a risk
    identi cation technique.  This relatively simple technique is used daily in the workplace by sta who may
    observe risky situations and hazards regularly. It is also used by emergency services when attending to
    an emergency and is a form of dynamic risk assessment.  It is also heavily used by Workplace Health &
    Safety professionals during inspections and audits.
    A risk aware culture and well trained sta will improve people’s ability to observe potential risks and
    implement controls before the risk eventuates into an incident.

    9. Incident Analysis 
    Incidents are risks that have now occurred.  Recording incidents in a register, conducting root cause
    analysis and periodically running some trend analysis reports to analyse incidents, can potentially
    enable new risks to be identi ed. In addition, a high frequency of like incidents can be a lead risk
    indicator to a potentially larger problem.

    10.  Surveys 
    This method is also not included in ISO/IEC 31010 as a risk identi cation technique, however, it is similar
    to structured interviews but involves a larger number of people. It can be used to collect a broad set of

    http://www.inconsult.com.au/risk-identification-made-simple/ 2/3
    12/23/2017 Risk Identification Made Simple | 10 Ways To Identify New Risks
    ideas, thoughts and opinions across a range of areas covering risks and control e ectiveness.
    One of the best ways for risk managers to use surveys is to assess the organisation’s risk culture.
    Internal auditors can use surveys to assess the internal control environment. Some organisations use
    annual sta surveys to gauge sta understanding of key risk and governance policies and procedures. 

    The Bottom Line 

    Risk assessments need not be boring workshops.


    Risk identi cation techniques vary in complexity and each method has advantages and
    disadvantages.   
    Whilst understanding all 30 plus risk assessment techniques outlined in ISO/IEC 31010:2009 Risk
    management – Risk assessment techniques is ideal, for most situations, having a tool kit of 5-8
    di erent techniques that can be used at the appropriate time is su cient.

    So, now that you know the di erent methods…it’s time to leave your comfort zone and try something
    new.

    Tony Harb B. Bus, FCA, MBA, MIIA (Aust) has over 20 years’ experience in risk management, nancial
    control and audit. He can be contacted on 02 9241 1344 or tonyh@inconsult.com.au. 

    Share this:

    Copyright © InConsult Pty Ltd 2013 • Website design & construction by Highland Creative

    http://www.inconsult.com.au/risk-identification-made-simple/ 3/3

    You might also like