Risk identification and analysis ..........................................................
The next step is to identify and analyze all of the risks to the business. For each
risk, the goal is to analyze the impact of the particular risk occurring and quan-
tify the risk, both in terms of likelihood (probability) and in terms of potential
loss (impact). It is important in this phase to collaborate and aggregate across
the enterprise to ensure that all risks are identified, as well as ensuring an
understanding of the impact of the risks and any associated loss event.
You should consider two key attributes when analyzing risk:
Probability:How likely is it to happen? Think about the weather as an
example. A popular weather site includes an hour-by-hour probability of
precipitation. But some possible weather conditions are, well, less possi-
ble than others. On a dry July day in Washington, D.C., for example, the
risk of heavy rain is characterized as minimal. But the risk of heavy snow
and ice buildup is also said to be minimal. In D.C., rain is far more likely
than snow in July, but these events are categorized as being equally prob-
able. Assign a probability to your risks as accurately as you can. (Perhaps
because of its sensitivity to the issue of quantifying risks, this same
weather site now assigns a percentage probability to various weather
events, listing a 0 percent chance of snow in July in Washington, D.C.)Impact:What will happen if this risk becomes reality? What will be the
consequence? It could be significant; it could be catastrophic. Where
possible, estimate the risk in terms of monetary value. Bear in mind that
some risks, like possible loss of human life, are qualitative instead; you
can’t put a price on someone’s life (unless you’re an insurance company).By quantifying the risks and determining a probability of their occurrence,
management can see what risks are either most likely or are associated with
the highest potential loss. Identification and analysis yields a short list of
your most critical risks, the ones that really have an impact. If those risks can
be reduced or mitigated in some way, the bottom line will look a lot healthier.
Risk response is the next step to consider.
Risk response
After you know what the risks are and what the potential losses could be, you
have to think about what you can do about them. The risk response phase
primarily deals with balancing the cost of risk avoidance and opportunity.
Risk response allows you to develop and manage resolution strategies for
critical risks that could significantly impact the business. Part of this is being
able to identify interdependencies between risks across the organization. For