CHAPTER 6 – RISK IDENTIFICATION

ERM PROCESS AND RISK IDENTIFICATION

DEFINITION OF RISK IDENTIFICATION

Event (risk) identification (COSO ERM)

 identify potential events that may affect
ability to successfully implement strategy
and achieve objectives

Organizations should identify:

 known risks that previously affected the
organization
 emerging risks that have greatest potential
effect on the organization’s ability to meet
objectives
Each organization needs to define how it will
identify risks and what tools it will use
RISK IDENTIFICATION TOOLS

 Checklists
 Interviews and workshops

 Escalation or threshold
triggers
 Process flow analysis

 Audits

 Computer software

 Team approaches Picture courtesy of: http://www.clipartkid.com

RISK IDENTIFICATION HOLISTIC VS. SILO
APPROACH
Holistic Approach Silo Approach
 Looks at the overall  Can prevent or delay
big picture of all risks risk identification
that could impact the  Ignores the
organization interdependencies
 Fits with Enterprise- between departments
wide risk  Looks at specific risks
management applying only to specific
areas e.g. financial risk
only applies to
accounting dept.
HOLISTIC APPROACH TO RISK ID
Risk Quadrants
 Risks are identified in each quadrant
(hazard, operational, strategic and
financial), and then the effects on
each quadrant’s risks are identified
for the other quadrants
COSO ERM
 Risks are first categorized by type of
risk and then by hierarchical level
(organizational level to business
function)
Top Down
 Senior management decide which
risks pose threat or opportunity
Bottom Up
 Employee views on risks in operating
environment are captured
Picture courtesy of: https://www.pinterest.com

Top Down and Bottom Up approaches

can be combined for a global view
 TEAM APPROACH TO RISK ID

Facilitated Workshops

 Brainstorm to initiate discussion

and free flow of ideas;
moderated by a facilitator
 Meet with organization’s leaders,
key employees and other
stakeholders
 Assemble representatives from
diverse groups in the
organization which provides
information on level of risk and
priority
 Identify opportunity and
negative risks Picture courtesy of: http://stewartcoopercoon.com

 Used for project, process and

those risks that affect overall
objectives
TEAM APPROACH TO RISK ID
Picture courtesy of: https://en.wikipedia.org
Delphi Technique
 uses the opinions of select
experts to identify risks
 Experts do not meet but
respond to surveys or
inquiries
 Responses are anonymous
and combined
 Question is posed again and
experts are ask to revise
response based on group
results
 Process is repeated until
consensus or for a
predetermined # of rounds
 Generally the process is used
for projects and processes
TEAM APPROACH FOR RISK ID
Scenario Analysis
 Identifies various risks
and looks at potential
consequences for each risk
 Useful in identifying a
range of potential risks
and prioritizing the risks
 An internal cross-
functional team should be
assembled to obtain a
multi-dimensional view of
the consequences of the
potential risks
 Disadvantage – the Picture courtesy of: https://ca.linkedin.com
possibility of missing key
risks and limits in the
imagination of the team
conducting the analysis
 TEAM APPROACH TO RISK ID
HAZOP
 Name derived from
hazard and operability
study
 Comprehensive review of
a process or system
 Uses a team of
appropriate experts and
stakeholders
 Level of expertise and
time involved in the
process make it
appropriate for projects
and systems where
Picture courtesy of: http://topsy.one virtually all risks must be
eliminated.
 TEAM APPROACH TO RISK ID

SWOT Analysis Helpful Harmful

 Name is acronym for
I
Strengths, Weaknesses, n
STRENGTHS
Technology
WEAKNESSES
High Cost Structure

Opportunities and Threats t

e
Distribution Channels
Customer loyalty
Absence of key skills
Staff turnover

 Strengths and Weaknesses r Product Quality Brand recognition

n
are internal; Opportunities a
l
and Threats are external SWOT
E
 Useful when there is a x
specific goal t
e
OPPORTUNITIES
New technology
THREATS
Shift in customer tastes
r
 Ideally concludes with “go”
New distribution
Emergence of
channels
n Unmet customer needs
competitors

or “no go” recommendation a

l
Change in
demographics
New regulations
Tax increases
 RISK REGISTERS

 A tool developed at the risk owner level that links

specific activities, processes, projects or plans to a
list of identified risks and results of risk analysis
and evaluation and that is ultimately consolidated
at the enterprise level.
 A matrix to record the likelihood of a scenario and
its associated risks along with their probability,
consequences and impacts for the organization

Example of Risk Register:

Scenario Risk Risk Likelihood Consequences Level Improvement Review
Description Owner of Risk Action Date
PURPOSE AND USE OF RISK REGISTERS
 Can be used for specific
projects, departments,
business units and
processes
 Displays key risks in order
of priority
 Risk register must be a
dynamic matrix rather than
a compilation of documents
 Risk registers should be
designed with parameters
that adequately reflect the
organization’s risks
 Can be used to depict all of
the organization’s risk
scenarios and can be
combined into 1 risk
register for the entire
Picture courtesy of: https://www.linkedin.com/pulse/risk-register-you-
familiar-hasan-murad

organization
CHARACTERISTICS OF A RISK REGISTER

 However an organization decides to design its

risk register, risk management professionals
should ensure the risk register has these
characteristics:

 Adequately identifies the organization’s risks

 Prioritizes risk according to the potential effect on
the organization
 Provides interactive use for risk owners
 Forms a matrix to manage risks

See the example on page 6.16 of a risk register

RISK MAPS

 Risk mapping is a technique that can be used to

provide a visual perspective of an organization’s
risks and to prioritize those risks
 A basic risk map translates the risks identified in
the risk register into a risk matrix.
 Matrix can then be used to analyze the risks that
are within or outside an organization’s risk
appetite
Examples of Risk Maps are found on pages 6.18 and
6.19
BASIC RISK MAP

Picture Courtesy of: https://www2.viu.ca/riskmanagement/appliedriskmap.asp

RISK MAPS
 Translates risks identified in risk register into a risk
matrix (chart)
 Categorizes risks in relation to organization’s risk
appetite; consequences can be positive or negative
 Colour indicates level of impact from combination of
likelihood/consequence; referred as “heat mapping”

Adding other dimensions

 Can add time dimension to assist in design and
implementation of risk management process by
setting monthly, quarterly or annual priorities
 Can identify inherent residual (current) and optimum
level of risk, which provides measure of necessity and
effectiveness of current risk treatment
 IDENTIFYING LOSS EXPOSURES
 Identifying loss exposures
for organizations is more
complex and requires variety
and sources of information
 Methods of information that
allow a systematic approach
when identifying loss
exposures:
 Document review
 those that are specific to
the organization
 those that are
standardized and
originate outside the
organization Picture courtesy of: http://blog.willis.com

 Compliance review
 Inspections
 Expertise within and beyond
the organization
IDENTIFYING LOSS EXPOSURES
Document Analysis:
 Questionnaires and Checklists
 Documents produced outside the organization
broadly categorize loss exposures
 Questionnaires are more descriptive than checklists
 Can be addressed to key property, liability, net
income and some personnel loss exposures
 RM or Risk assessment questionnaires have a
broader focus and address insurable and uninsurable
loss exposures
 No standardized questionnaires can be expected to
uncover a the loss exposures
IDENTIFYING LOSS EXPOSURES
Document Analysis:
Financial Statements
 Identify current loss exposures as well
as future plans that could lead to loss
exposures
Balance  Reveals financial risks
Sheet
Balance Sheet
 Asset entries indicate property
values that could be reduced by loss
Financial  Liabilities indicate liabilities that
Cash Income
could be increased by loss and
Flows
Statements Statement
obligations that must be fulfilled
event when temporarily closed
Income Statement
 Identifies loss exposures that reduce
Equity
revenue or increases expenses
Statement of Cash Flow
 Identifies amounts of case subject to
a loss or available to meet
continuing obligations
IDENTIFYING LOSS EXPOSURES

Contracts and Insurance Policies:

Contracts
 Identify loss exposures generated or reduced by an
organization’s contracts
 Ensure that organization is not assuming liability
that is disproportionate to stake in contract by:
1. accepting loss exposure of another party
2. failing to fulfill a valid contract
Insurance Policies
 Reveals many insurable loss exposures that
organization faces
 May indicate that organization is insured for more
loss exposures than it faces or may not show all loss
exposures
IDENTIFYING LOSS EXPOSURES
Organizational Policies and Procedures Records
 Identify current loss exposures or impending changes to
loss exposures
Flowcharts and Organizational Charts
 Can help identify loss exposures, especially critical ones,
because diagram depicts sequence of activities performed
by particular process or function
Organizational Chart
 Identifies key personnel for whom organization may
have a personnel loss exposure
 Assist in identifying bottleneck of information flow
through organization
 Loss History
 Provides information on organization’s past losses which
may recur unless there has been a fundamental change
in operations or property owned
 IDENTIFYING LOSS EXPOSURES
Compliance Reviews:
 Determine
organization’s
compliance with
municipal, provincial
and federal statutes and
regulations
 Minimizes or avoids
liability loss exposures
because non-compliance
is liability loss exposure
 Requires legal and Picture courtesy of: https://m.yourstory.com/2016/04/business-india-compliance-requirements/

accounting resources,
either internal or
external
 IDENTIFYING LOSS EXPOSURES
Personal Inspections:

 Information gathering
visits to critical sites both
within and outside an
organization
 Reveal loss exposures that
would not appear in
written descriptions of
organization’s operations
 Conducted by individuals
Picture courtesy of: https://www.transitionsassistedliving.com whose experience and skills
equip them to identify
possible loss exposure
 Include discussions with
front-line personnel who
are best place to identify
less obvious loss exposures
IDENTIFYING LOSS EXPOSURES
Expertise Within and
Beyond the Organization:
 Interviews with
employees to gather
information about jobs
and departments or
external practitioners
from various fields
 Complete hazard
analysis
 Obtain more complete Picture courtesy of: https://zeltser.com/experts-overstate-expertise/

and objective picture of

organization’s loss
exposures