Analysing Risks In Your Organisation
Analysing risks
This is the fourth step in a seven-stage process of successfully tackling risk management in your organisation. The first step in the process is communication and consultation and this needs to occur regularly if you are to continue to keep risk management at the front of everyone’s mind. In this regard you need to continually communicate throughout the process with your organisation and others who may be impacted.
Before you can do anything about the risks that face your organisation – and you should now have a long list of them – the risks must be analysed to determine their potential to cause harm This will give you a basis for determining which risks are the most serious, which are treatable and which can be accepted.
If you haven’t followed the process as outlined above you may want to revisit these steps to ensure that you are not missing the whole context. This will give you a framework to assess your risk management priorities.
Otherwise, you could try to tackle the risk posed by a falling piece of space junk before replacing the heater that is throwing sparks into the wastepaper bin in the warehouse.
Depending on the size of your organisation, the job of analysing risks is probably best performed by your committee or a person responsible for risk management. It may be worthwhile getting the person or committee responsible to outline their reasons behind the analysis to a wider audience.
The analysis should also be open to review and the results circulated to staff as part of the communication and consultation process.
Analysis is based can best be undertaken on two simple criteria:
- Likelihood – how likely is it the risk will occur
- Severity (or Consequence) – How bad is it if the risk if it is realised
How seriously you take each risk is based on a combination of these factors. For instance, an outbreak of the Ebola Virus in your organisation would be disastrous if it happened, but isn’t all that likely. On the other hand, the consequences of banging your head on a low door frame aren’t so bad but may be much more likely to occur.
Whether the frequency and severity of potential losses is classed as high or low will depend on the size of your organisation and the activities that you are involved in. A foundry may have a serious injury every three months and may not regard this as frequent, but this same number would be unacceptable for a retail store.
Frequency
Estimating frequency is reasonably straightforward for risks that occur on a regular basis, but is more complicated for losses that occur rarely or may never have happened at all. But even with regular risks, you should consider any changes in your organisation or the environment in which it operates that could impact on how often the risk will arise.
For instance, looking at how often accidents have occurred in the past will help a scaffold erection company estimate how often they will happen in the future. However, bear in mind that the growth of the business and the techniques used might suggest that the incidence will increase or decease as the contributing factors change.
Look at situations from more than one point of view; who could be affected by your activities Ensure that you discuss, consult and check with your staff throughout this process.
For less frequent risks, you may be able to draw on specialist advice from federal, state or local government agencies, insurers, a similar organisation to yours, or someone with a connection to your organisation who has expertise in a particular field, such as a fire fighter, risk consultant etc.
You may also want to check with your local Occupational Health and Safety Authority who may have advice.
Questions that may assist you when estimating frequency include:
- How often do people encounter the risk
- Has it ever happened before – in your organisation or another one How often
- Has this hazard caused any near-misses
- Is there any level of training required to perform the risky activity If so, have people done it How complex is the training
- Has the industry group experienced any similar problems
Severity or Consequences
Several factors need to be taken into account when assessing the severity of a potential risk and, again, many will be specific to your organisation and the work you do. For example, fire damage to a part of a building would be a bad thing for any company, but how bad it is will depend on how often you used that particular facility, whether other facilities are available to continue your activities and if it is adequately covered by insurance.
The public relations impact of a risk should also be considered, if people are falling off buildings or electrocuting themselves it is not the best advertisement for your organisation. An organisation with a poor safety record is regarded as a poor employer.
You should also look at the number of people likely to be affected by a risk. A large number of people getting cuts and bruises during a manufacturing process may be worse than one person breaking their arm.
The worst risks are those that result in death or severe harm to individuals or threaten your organisation’s ability to work profitably or, in a worst-case scenario, cause it to close down altogether. So how do you work out the severity and likelihood of risks
There are two main methods:
- Quantitative analysis applies a numerical value to the level of risk. This method usually depends on reliable data and is best used when specific figures are available, such as accident or injury statistics. This method can be extremely accurate but is best suited to large organisations where there is enough evidence to provide useful analysis. Smaller organisations should avoid this like the plague.
- Qualitative analysis is the easiest, and most commonly used, method of analysing risks, especially for smaller organisations. It applies a descriptive word to the level of risk and is based on knowledge, experience and anecdotal evidence. This method does have limitations, including a risk of subjectivity, but is useful in indicating which risks may be disregarded, those that require further attention, and management priorities.
Analysing a lot of the risks will involve estimation; even detailed police statistics will not tell you how likely it is that your company’s truck will be run off the highway during a road rage incident. But don’t be afraid to guess; it is better than waiting until you know for sure because then it could be too late.
A simple method of analysis is to draw up a simple grid:
|
High probability Low impact |
High Probability High Impact |
|
Low probability Low impact |
Low Probability High Impact |
Assign each of the risks to one of the four categories – the ones that you give highest priorities are the ones in the top right corner. A more detailed approach can be followed by scoring or rating on a scale. An example is provided below:
Likelihood rating
A – Frequent – Likely to occur frequently
B – Probable – Would occur but not frequently
C – Occasional – Could happen occasionally
D – Remote – Rare; not likely, but possible
E – Improbable – Highly unlikely but still possible
Severity/Consequence rating
A – Catastrophic – May result in death or loss of bodily functions
B – Critical – May cause severe injury, illness
C – Marginal – May cause injury or illness resulting in, for example, missing work
D – Negligible – May cause minor injury or illness
A rating table can then be developed that will assist in evaluating your risks in the next step. The table will look something like this:
|
Frequent |
Probable |
Occasional |
Remote |
Improbable |
|
|
Catastrophic |
High |
High |
High |
High |
High |
|
Critical |
High |
High |
High |
Medium |
Low |
|
Marginal |
High |
Medium |
Medium |
Low |
Low |
|
Negligible |
Medium |
Low |
Low |
Low |
Low |
Placing each risk into its category will give you a good starting point from which to approach the management of risks in some order.
Some examples of risk analysis might include:
|
Risk |
Frequency |
Severity |
|
Packer receiving cuts to hands from staples in packing cartons. |
Frequent |
Marginal |
|
Packer injured when struck by a forklift truck. |
Occasional |
Critical |
|
Warehouse being broken into resulting in loss of computer equipment and files. |
Remote |
Critical |
|
CEO and senior management being involved in fatal air crash on way to conference. |
Improbable |
Catastrophic |
|
Slip on tiles in laboratory |
Occasional |
Critical
|
Remember that the frequency and severity of particular hazards will be different for different organisations. The idea is not to detail all the potential losses that may result if a risk does occur, but simply to assign a level of estimated risk that will provide a basis for managing those risks.
The frequency and severity you assign to each risk can be entered on your risk register, which might now look like this (you may want to give each of the levels of likelihood and frequency a letter-based rating. e.g: Frequent = A, Probable = B, Occasional = C, etc. These can be combined to give a risk rating. For example, Frequent and Catastrophic = A, Frequent and Critical = B, etc)
|
What have you Identified as a |
Likelihood |
Severity |
Risk Rating |
|
Lights in car park not working |
B |
C |
H |
Analysing risks in your organisation is the fourth step in a seven-stage process of successfully tackling risk management in your organisation. The next stage is to evaluate your risks.
DISCLAIMER
While all care has been taken in the preparation of this material, no responsibility is accepted by the author(s), Cornstalk Software P/L or its staff, for any errors, omissions or inaccuracies. The material provided in this document has been prepared to provide general information only. It is not intended to be relied upon or be a substitute for legal or other professional advice.
No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication