Identifying and assessing risk is an important tool for any business

17 May 2022 Thought Leadership Special Features Archive Comments Off on Identifying and assessing risk is an important tool for any business
Robin Nicholson
Director: Corporate-911

A few weeks ago, I discussed the role of business forecasting and how it is often wrong. In the editorial, I pointed out that businesses should rather use independent business reviews (IBR) and SWOT analysis as it gives an indication of where the business currently is and how it is equipped to respond to the challenges that it faces.

While this is reactive as opposed to proactive, I feel that it serves a company well as there is less guess work when it comes to possible outcomes. The third tool that companies can use to formulate a plan to address their challenges is risk management.

I recently read an interesting article which points out that the 4 essential steps of the Risk Management Process are:

  • identify the risk;
  • assess the risk;
  • treat the risk; and
  • monitor and Report on the risk.

We will discuss the first two in this article. The final two will be discussed next week.

Risk identification
The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

  • project milestones;
  • financial trajectory of the project;
  • project scope.

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics are necessary for a risk (or opportunity) to be valid.

In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined.

All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans are conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles.

Below are examples of tools to help identify R&O:

  • analysis of existing documentation;
  • interviews with experts;
  • conducting brainstorming meetings;
  • using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), cause trees, etc;
  • considering the lessons learned from R&Os encountered in previous projects; and
  • using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS).
South Africa’s coal export terminals present significant risk
Photo By: RBCT

Risk assessment
There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities.

When it comes to qualitative assessment, the risk owner and the risk manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating occurrence probability (P); this is determined preferably based on experience, the progress of the project, or else by speaking to a risk expert, and is on a scale of 1 to 99%.

For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating impacts severity (I); to assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first.

When it comes to quantitative assessment; in most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget.

For this, it is therefore necessary:

  • to evaluate the additional costs incurred by financially reviewing:
    • hours of internal engineering;
    • hours of subcontracting;
    • additional work to do; and
    • amendments and/or claims made to contracts
  • To calculate the cost of the undesired event’s consequences by adding these values.

This step will make it possible to estimate the need for additional budget for risks and opportunities of the project.

The role of the BRP
If companies consider doing risk management at the level that we discussed above, there may be a skills issue. Not many executives will be skilled enough to do a thorough evaluation of the risks that they face or equate them in the way that I have point out above.

Supply chain management is a risk that needs to be managed
Photo By: Canva

Companies do carry out risk management analysis. It is a corner stone of any SWOT analysis where the strengths and weaknesses are internal to the business while the opportunities and the threats are external to the business. Responding to risk may be as simple as a slight adjustment to an operating model or increasing the price of a product or service.

However, it can become complicated and that is where the skills of a BRP or a turnaround professional becomes important. When implementing a rescue, BRPs are often required to consider a number of different operating models that would benefit the company. These are obviously considered with the company’s risk appetite in mind. This also goes hand-in-hand with a thorough independent business review as this kind of assessment can only be conducted when a full view of the company’s current operational structure is taken into account.

In my next editorial, we will look at how companies can respond to the risks that they face.

Robin Nicholson is the Director of Corporate-911 and is a Senior Business Rescue Practitioner

Related Articles