Identifying risks is the first step in building the risk profile of an organisation and documentation is critical to effective management of risk. It can be separated into two distinct phases. Before a risk can be managed, the operations staff must clearly and consistently express it in the form of a risk statement.
The risk statement is split into two parts.
The first part of the risk statement is called the condition and provides the description of an existing state of affairs or attribute that operations feels may result in a loss or reduction in gain. It should:
- identify new risks which did not previously arise
- identify changes in existing risks
- identify risks which did exist ceasing to be relevant to the organisation
The second part of the risk statement is a second natural language statement called the consequence and describes the undesirable attribute or state of affairs.
The two statements are linked by a term such as “therefore” or “and as a result” that implies an uncertain (less than 100 percent) but causal relationship. The two-part formulation process for risk statements has the advantage of coupling the risk consequences with observable (and potentially controllable) risk conditions early in the risk identification stage.
In stating risks, care should be taken to avoid stating impacts which may arise as being the risks themselves.
- Avoid stating risks which do not impact on objectives
- Avoid defining risks with statements which are simply the converse of the objectives.
A statement of a risk should encompass the cause of the impact, and the impact to the objective (“cause and consequence”) which might arise.
Objective – to travel by train from A to B for a meeting at a certain time
- An example of a statement of the impact of the risk, not the risk itself, would be – being late and missing the meeting
- A statement that there is no buffet on the train so you get hungry does not impact on achievement of the objective
- Missing the train causes you to be late and miss the meeting; this is an example of a risk which can be controlled by making sure to allow plenty of time to get to the station
- Severe weather prevents the train from running and you from getting to the meeting; this is an example of a risk which you cannot control, but against which you can make a contingency plan
Identified individual risks will typically not be independent but will form natural groupings.
There may be a number of risks which can be grouped together as “resources”, whilst other risks can be grouped together as “environmental” or will be relevant to several of the organisation’s objectives.
These groupings of risks will incorporate related risks at strategic, programme and operational levels.
It is important not to confuse a grouping of risks with the risks themselves.
- Risks should be identified at a level where a specific impact can be identified and a specific action or actions to address the risk can be identified.
- Once identified, risks should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time.
- A risk owner, in line with their accountability for managing the risk, should have sufficient authority to ensure that the risk is effectively managed; the risk owner may not be the person who actually takes the action to address the risk.