Back to courses

Risk management - Part 1 exploring risk

Categorise the level of risk

Likelihood vs Impact

So how do we know how likely our risks are to occur and if they do occur, what the impact would be to us?

Once you have defined your risks, you should look at the likelihood and the impact. Let’s look at how we would do that.

Probability Impact

Risks should be assessed by impact and likelihood, whilst issues and events are normally only classified by impact.

The classification criteria for Impact should include:
  • Both financial and non-financial considerations
  • It should be determined on the basis that the risk or issue has crystallised or an event has occurred
  • The overall rating should be based on the highest impact from individual financial or non-financial criteria
  • In terms of the classification, the parameters for minor, moderate, major, and critical are defined. For example, Moderate would be between 3 and 5% of colleagues unable to perform their role effectively, specific actions needed at a local management level, short term re-allocation of resource etc
The classification criteria for Likelihood should include:
  • An assessment of how frequently the risk is expected to occur
  • An assessment of internal / external data loss, adequacy and effectiveness of key controls, and split of automated v manual controls
  • A management judgement, considering all relevant internal and external experience
  • Likelihood should be assessed within 4 frequencies:
    • Once in 10 years (unlikely) – or 10% chance of occurring in any year
    • Once in 5 years (possible) – or 20% chance of occurring
    • Once in 2 years (likely) – or 50% chance of occurring
    • Once in 12 months (almost certain) – or almost certain of occurring

Likelihood

How do we know what the impact is?

Let’s look at impact classification in a bit more detail.

For each business, a different set of criteria may be used – and this can be specific to your organisation but must have clear parameters and fit in with your risk appetite, for example, what you have defined as being acceptable levels of risk in your business.

If a risk sits across a number of these ratings, for example, it may be moderate/low for customer and people, but medium for financial and regulatory, and critical for management, then the highest risk category is used. This would be categorised as Critical/High.

Category Moderate (Low) Major (Medium) Critical (High)
People 3-5% of workforce is impacted 5-10% of workforce is impacted In excess of 10% of workforce impacted
Customer 1%-3% of customer base impacted 3%-5% of customer base impacted More than 5% of customer base impacted
Financial 1%-5% of profit 5%-10% of profit More than 10% of profit
Regulatory Escalation is required to regulator Investigation required by regulator Sanctions / enforcement by regulator
Management Business Unit level involvement Leadership Team involvement Significant LT remediation/ actions
Summary Moderate impact, relative to profit or capital. Unlikely to require revisions to financial or strategic plans Major financial impact, relative to profit or capital. May require some revision to financial or strategic plans Critical financial impact, relative to profit or capital. Likely to require revision to financial or strategic plans

Overall Risk Classification

Once we have defined our rating for ‘Impact’ and our rating for ‘Likelihood’, we can plot our risks and give them a classification.

For example, a risk that we define as being likely to happen and the impact of it happening being major would be given a rating of 'High'.

Risk Table

So which risks are the 'riskiest'?

Riskiest table

Which risks sit within the upper right hand quadrant of the chart?  Those are the risks that you should address first – they are not necessarily where the business focus needs to be however they should be looked at as the ones that could cause the biggest impact if they materialise. These risks very often have a significant financial cost to control and therefore the cost to the business if they happened, can sometimes be less than the cost to control.

Look at each of the risks and identify what the plan to address would be. The plan will most likely take one of the following forms:

  • Avoid: Take steps to ensure that the risk does not happen. This is the preferred option but is not always the available option
  • Transfer: Find someone outside the team who is better positioned to take care of the risk or transfer the risk to a 3rd party, for example, a supplier
  • Accept: Recognise that you have done all you can to address the risk, or there are no controls that can be taken. Take no action and be comfortable with the results if the risk happens.
  • Mitigate: Take steps to reduce the impact and/or probability of the risk. This is most often the response.

The important bit to note is that the ones that you think your effort should be focused on ie the most costly risks, are not always the ones you should be looking at. The ones that are normally where the focus is, are those with moderate impact and moderate likelihood. These are the ones that we should look at most often.

So which are the riskiest risks that we have identified in our matrix?

Putting it all together

Think about a project that you are working on just now, or have worked on in the past.

  • Identify a Risk to the project
  • Document the Risk, Cause and Impact
  • Define the Probability of the risk happening
  • Think about the Cost to the business or the client if the risk materialised
  • Identify appropriate Controls you could put in place to reduce the likelihood
  • Determine if you can reduce the level of Risk as a result of the controls

Summary

Summary