How to identify where the risks in your business are right now and use them to make your business safer and more resilient in unprecedented times.
Once you have defined your risks, you should look at the likelihood and the impact. Let’s look at how we would do that.
Risks should be assessed by impact and likelihood, whilst issues and events are normally only classified by impact.
Let’s look at impact classification in a bit more detail.
Each business may use a different set of criteria. These can be specific to your organisation, but they must have clear parameters and fit in with your risk appetite, that is, what you have defined as acceptable levels of risk in your business.
If a risk sits across a number of these ratings (for example, it may be moderate / low for customer and people, but medium for financial and regulatory, and critical for management), then the highest risk category is used. This risk would be categorised as Critical / High.
| Category | Moderate (Low) | Major (Medium) | Critical (High) |
|---|---|---|---|
| People | 3-5% of workforce is impacted | 5-10% of workforce is impacted | In excess of 10% of workforce impacted |
| Customer | 1%-3% of customer base impacted | 3%-5% of customer base impacted | More than 5% of customer base impacted |
| Financial | 1%-5% of profit | 5%-10% of profit | More than 10% of profit |
| Regulatory | Escalation is required to regulator | Investigation required by regulator | Sanctions / enforcement by regulator |
| Management | Business Unit level involvement | Leadership Team involvement | Significant LT remediation / actions |
| Summary | Moderate impact, relative to profit or capital. Unlikely to require revisions to financial or strategic plans | Major financial impact, relative to profit or capital. May require some revision to financial or strategic plans | Critical financial impact, relative to profit or capital. Likely to require revision to financial or strategic plans |
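
The "highest category wins" rule applied to the table above, as an added example that is not part of the original article. The short labels for the Regulatory and Management rows, the `BELOW_THRESHOLD` rating, and the choice to place a value on a shared boundary (such as exactly 5%) in the higher band are assumptions; the sample assessment is constructed.

```python
from enum import IntEnum

class Impact(IntEnum):
    BELOW_THRESHOLD = 0  # assumption: the table gives no rating under the Moderate floor
    MODERATE = 1
    MAJOR = 2
    CRITICAL = 3

# Percentage rows of the table: (Moderate floor, Major floor, Critical floor).
# Critical is "more than" its floor, so exactly 10% of workforce is still Major.
PCT_BANDS = {
    "people": (3.0, 5.0, 10.0),
    "customer": (1.0, 3.0, 5.0),
    "financial": (1.0, 5.0, 10.0),
}

# Qualitative rows, keyed by hypothetical short labels for the table's cells.
QUALITATIVE = {
    "regulatory": {"none": 0, "escalation": 1, "investigation": 2, "sanctions": 3},
    "management": {"none": 0, "business_unit": 1, "leadership_team": 2,
                   "significant_lt_remediation": 3},
}

def rate_category(category, value):
    """Rate one category: a percentage for the numeric rows, a label otherwise."""
    if category in PCT_BANDS:
        moderate, major, critical = PCT_BANDS[category]
        if value > critical:
            return Impact.CRITICAL
        if value >= major:      # assumption: a shared boundary takes the higher band
            return Impact.MAJOR
        if value >= moderate:
            return Impact.MODERATE
        return Impact.BELOW_THRESHOLD
    if category in QUALITATIVE:
        return Impact(QUALITATIVE[category][value])
    raise ValueError(f"unknown category: {category}")

def overall_impact(assessment):
    """Return (overall rating, categories that drive it, per-category ratings)."""
    ratings = {c: rate_category(c, v) for c, v in assessment.items()}
    overall = max(ratings.values())
    drivers = sorted(c for c, r in ratings.items() if r == overall)
    return overall, drivers, ratings

# Constructed sample mirroring the example in the text: moderate for people and
# customer, medium for financial and regulatory, critical for management.
SAMPLE = {"people": 4.0, "customer": 2.0, "financial": 7.0,
          "regulatory": "investigation", "management": "significant_lt_remediation"}
```

Returning the driving categories alongside the rating shows which row pushed the risk to Critical, which is where a control would need to act to bring the overall rating down.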
Once we have defined our rating for ‘Impact’ and our rating for ‘Likelihood’, we can plot our risks and give them a classification.
For example, a risk that we define as being likely to happen and the impact of it happening being major would be given a rating of 'High'.
Which risks sit within the upper right-hand quadrant of the chart? Those are the risks that you should address first. They are not necessarily where the business focus needs to be; however, they are the ones that could cause the biggest impact if they materialise. These risks very often have a significant financial cost to control, and so the cost to the business if they happened can sometimes be less than the cost to control them.
Look at each of the risks and identify what the plan to address would be. The plan will most likely take one of the following forms:
The important point to note is that the risks you think your effort should be focused on, i.e. the most costly risks, are not always the ones you should be looking at. The focus normally falls on those with moderate impact and moderate likelihood. These are the ones that we should look at most often.
So which are the riskiest risks that we have identified in our matrix?
Think about a project that you are working on just now, or have worked on in the past.