What is risk analysis?

All organisations are exposed to risk.

However, too many organisations only realise the risk that they were exposed to after an event occurs. It is a shame then that a few simple steps of analysis may have prevented the event occurring or have removed the source of the risk.

In this second of a series of articles on risk, I will explore how to analyse risks which have been identified. From a risk description it is possible to evaluate the risk. Risk is evaluated for its probability of occurrence and the severity of its consequence.

Risk is the combination of a source of risk and an event that gives rise to a consequence which we might consider abnormal. Risks may be positive or negative.

A well written risk description will contain within it, as well as the source, event and consequence, when and where the event could occur.

If possible, a risk description will include a cause and any controls which exist. In all cases of risk analysis it is necessary to measure probability and severity using some scale. We have to use our resources to treat the highest priority risks first. Scales help us determine priority.

Four main types of scales are used:

1. Nominal - assigns data into categories e.g. heat, colour, shape.
2. Ordinal - comparative qualitative scales e.g. high, medium, low or ★, ★★, ★★★, ★★★★.
3. Interval - quantitative intervals where one unit is larger than another but not necessarily a multiple of another. For example 10, 20, and 30 degrees of temperature where zero degrees is not defined.
4. Ratio - quantitative intervals where the units may be mathematically combined.

 

Some examples of analysis of risk descriptions from the hospitality industry, with appropriate use of scales are:

1. Food being kept cool is served to customers by an inexperienced staff member. The thermostat unknowingly malfunctions. The temperature rises to an unsafe level for too long resulting in food poisoning. The probability of the occurrence is low and may be recorded as so (ordinal scale). Or there may be some statistics available that says this event happens once a year (ratio) in most restaurants. The severity is high and may be recorded as so (ordinal). Or it may be rated on a descriptive common ordinal scale built to measure severity for all events which have a consequence for the health treatment of customers. For example, treated with first aid > treated in hospital > stayed overnight in hospital > stayed an extended time in hospital > fatality.
2. Accepting overbooking when the method of reconciling bookings from different sales channels is incomplete. Customers compete for use of the same hotel room.

The probability is low and may be recorded as such (ordinal). The severity is low and may be recorded as such (ordinal). Alternatively, a scale of the number of people turned away i.e. 1, 2-3, 4-6 and >5 (interval) could be used.

A risk analysis for an organisation is usually completed against many different risk categories and sub-categories. For example:

1. Financial impacts relate to the direct or indirect costs associated with the particular risk.
2. Safety impacts relate to the associated risk to life or injury arising.
3. Operational impacts arise where risks threaten to undermine the functioning of the business itself.
4. Public Relations impacts arise where the publicity associated with a particular risk is sufficiently negative as to have an adverse effect on the business's performance or viability.

By the time we have completed the analysis of the risks in all the categories, we may well have ten or more scales of probability and severity.

It then is prudent, for ease of communication, to have combined scales of probability and combined scales of severity.

For example, a probability scale may be:

1. Rare: Not known in the industry. Less than 10% probable.
2. Unlikely: Known in the industry, but not in our organisation. 10-20% probable.
3. Possible: Known in our organisation. 20-40% probable.
4. Likely: Occurs most of the time. 40-90% probable.
5. Almost certain: Occurs almost all the time. 90-100% certain.

A severity scale may be:

1. Insignificant: No medical treatments, minor localised publicity, financial impact<$10k, minor environmental effects, minor social impacts.
2. Minor First aid injury, media attention, local community concern, financial impact $10k-$30k, short term minor environmental impact.
3. Moderate Adverse state media coverage, serious injury, serious community concern, financial impact $30k - $100k.
4. Major Sustained adverse national media coverage, permanent disability, financial impact $100k - $1m, sustained environmental impact.
5. Extreme Public outrage and high profile media coverage, litigation, class action, major environmental damage, threat to business viability, financial risk >$1m.

Combining the risks by means of a risk matrix allows us to combine the probability and severity of a risk to prioritise our actions.

For example, in the case of a risk source /event /consequence combination that was rare but had an extreme severity level would be given the same priority as something which was almost certain to happen with a severity rated as minor.

A risk rated as likely but moderate risk would be given lower priority over either of the above two risks.

Risk analysis is not as easy as it first may seem as we have to juggle completely unlike risk sources, events and consequences and analyse them relative to one another.

However, it need not be difficult if we have established the context of the risks and identified and described our risks well.

Watch for the next article when I will describe what risk evaluation is.