
What risk is your organization willing to accept?

What risk is your organization willing to accept? A scenario that gives your management ‘sweaty palms’ is probably a ‘high risk’, and a situation your management is willing to put some effort into changing for the better. In other words, ‘high risk’ is a scenario that threatens the very existence of your organization or threatens its strategic targets.

Before starting a risk analysis, consider the definitions used and make them concrete for your organization. Everybody in the organization must have the same mindset. Therefore, top management and the different risk stakeholders should be involved in this discussion. It is crucial to create common ground in the definition of risk. We cannot have a situation where all risks are equal, but some are more equal than others.

Introduction to risk appetite

A risk analysis is a process that identifies and evaluates potential threats to a business or organization. Each threat's likelihood of occurrence is determined, and an estimate is made of the impact of any damage that might occur if the threat materializes. This information is then used to assign a risk class that helps management determine how urgent the threat is and what action should be taken.

In addition to identifying threats, opportunities can be identified using the same process.

The main goal of a risk analysis is to determine how risks can be controlled or reduced to an acceptable level. This can be done by implementing measures to mitigate the risk, accepting the risk, outsourcing the risk to a supplier, or avoiding the activity that poses a risk altogether.

The demarcation line between risks that need action and those that can be left for acceptance is called ‘Risk appetite.’

Integrated Risk Management

Management often faces multiple risk analyses on different topics, such as financial, image, health and safety, environment, information security, privacy, and patient safety. These topics use different methods and definitions, which makes comparing risks and prioritizing actions a challenge.

To overcome this challenge, management could align the most crucial risk management parameters for all topics, such as probability, impact, and risk class. This allows management to compare risks from different topics, make consistent policy choices, and prioritize actions. Ultimately, this approach helps organizations work towards integrated risk management, where all risks are considered holistically.

Definitions

Here you can find some sample definitions; please adapt them to make them your own.

Probability / Likelihood

The classification for the probability or likelihood that an incident or threat occurs.

Class    Description
High     Daily, weekly, or multiple times per month.
Medium   One to several times per year.
Low      Less than annually.

Impact

The classification for the impact or consequences of an incident or threat. It is categorized by different themes to better align with the perception of those in the workplace. The theme with the highest class is used as the basis for analysis. The impact class is specific to each organization. An example from the healthcare sector can be found below.

Impact class: High
  Financial: Affects over 5% of annual turnover.
  Image: Heavy reputation damage. Customers seek alternatives and avoid the organization.
  Legal and Regulatory Compliance: Parts of the organization or processes may need to be closed by supervisory authorities.
  Organizational: Threat to strategic goals.
  Patient Safety: (Multiple) fatal incidents.

Impact class: Medium
  Financial: Affects 1% of annual turnover.
  Image: Serious customer happiness issues, loss of some customers.
  Legal and Regulatory Compliance: Issues with supervisory authorities.
  Organizational: Threat to tactical goals.
  Patient Safety: Incidents resulting in permanent or temporary disability.

Impact class: Low
  Financial: Efficiency issues, and financial damage stays within the operating budget.
  Image: Issues with small impact.
  Legal and Regulatory Compliance: Notifications in the quality systems, internal and external audit findings.
  Organizational: Impact on operational areas.
  Patient Safety: Wrong treatment or near misses on patient safety.
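The following is an added example, not part of the original article, showing how the probability and impact classes above can be applied to a small risk register: the highest theme sets the impact class, a risk class is derived, and scenarios above the risk appetite line are flagged for action. The 3x3 risk matrix, the 24-events-per-year cut-off for ‘multiple times per month’, the appetite setting and the sample scenarios are assumptions, since the article leaves them to each organization.

```python
"""Risk-class evaluation using the article's probability and impact classes.

Added example, not from the original article. The risk matrix, the
frequency cut-offs and the appetite line are assumptions that the article
leaves for each organization to define.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Scenario:
    name: str
    events_per_year: float          # estimated frequency of the threat
    theme_impacts: dict[str, str]   # theme -> impact class for that theme


def probability_class(events_per_year: float) -> str:
    """High = multiple times per month or more often, Medium = one to
    several times per year, Low = less than annually."""
    if events_per_year >= 24:   # assumed cut-off for "multiple times per month"
        return "High"
    if events_per_year >= 1:
        return "Medium"
    return "Low"


def impact_class(theme_impacts: dict[str, str]) -> str:
    """The theme with the highest impact class sets the overall class."""
    return max(theme_impacts.values(), key=LEVEL.__getitem__)


def risk_class(probability: str, impact: str) -> str:
    """Assumed 3x3 matrix: product of levels; 6+ High, 3-5 Medium, else Low."""
    product = LEVEL[probability] * LEVEL[impact]
    return "High" if product >= 6 else "Medium" if product >= 3 else "Low"


def above_appetite(register: list[Scenario], appetite: str) -> list[tuple[str, str]]:
    """Return (name, risk class) for scenarios above the accepted class."""
    flagged = []
    for s in register:
        rc = risk_class(probability_class(s.events_per_year), impact_class(s.theme_impacts))
        if LEVEL[rc] > LEVEL[appetite]:
            flagged.append((s.name, rc))
    return flagged


# Constructed sample register for a healthcare organization.
REGISTER = [
    Scenario("Ransomware on patient record system", 0.5,
             {"Financial": "Medium", "Patient Safety": "High"}),
    Scenario("Phishing leads to credential theft", 30,
             {"Image": "Low", "Legal and Regulatory Compliance": "Medium"}),
    Scenario("Unencrypted laptop lost", 2,
             {"Image": "Low", "Legal and Regulatory Compliance": "Low"}),
]

if __name__ == "__main__":
    for name, rc in above_appetite(REGISTER, appetite="Low"):
        print(f"{rc:6} {name}")
```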