28 February 2017
29 October 2018
Describes some of the risk categories, sources of information about risks and the techniques used to identify them. It also considers how a business can determine its appetite and tolerance for risks.
This fact file was last updated by CII in-house editors in February 2017.
Risk management has become widely established as good practice. Its objective is to reduce all risks to a level that has been formally confirmed as being acceptable. Risk identification is one of the first steps in the risk management process and involves understanding what threats exist and how they may make it more difficult to achieve stated objectives, or even prevent them from being achieved altogether.
- Summary
- Understanding and applying risk identification and prioritisation processes
- Sources of information for identifying risks
- Techniques used to identify risks
- Risk categories
Risk identification is one of the first steps in the risk management process and involves understanding what threats exist and how they may make it more difficult to achieve stated objectives, or even prevent them from being achieved altogether. Every business will have its own sector-specific risk exposures. Risk managers need to gain industry knowledge to ensure they understand these risks.
Risk managers can use a variety of techniques to identify risks, including organisation and flow charts, checklists and questionnaires, physical inspections, brainstorming and workshops, fault trees, HAZOPS and their own experience.
The risk management process includes the following steps:
- risk identification
- risk quantification and analysis: quantifying the impact and the consequences of the risk (either downside or opportunistic value) to the organisation;
- risk control: the measures being taken (or that could be taken) to mitigate the risk; and
- risk transfer: deciding whether the risks can be retained or transferred to another party.
Before any of these steps can be taken, it is important to understand what the risk is and what format it takes. Risk identification is the fundamental start point for those engaged in risk management and supports the above activities that comprise a sound risk management.
Risks can be constant factors that arise as a routine part of business activity, or 'curve balls' that take businesses by surprise. Examples of routine and ongoing risks include economic issues (such as rates of exchange), weather factors (such as rain and snow) and business-specific risks (such as the cost of fuel to operate a vehicle fleet).
The 'curve ball' risks are usually much greater in size and severity than routine risks and often fall entirely outside the reasonable capability of a business to treat them as routine events. Examples include fire, earthquake or acts of terrorism and war.
Every business will have its own sector-specific risk exposures. Risk managers (and others responsible for identifying risks) need to gain industry knowledge to ensure they understand these risks - often this only comes with experience.
Additionally, many risks are location-specific and will require detailed knowledge of the region and features of the risk. Using an earthquake risk example, it is clear this will usually occur in earthquake-prone regions so the business must take steps to specifically identify the risk if it plans to commence operations in an affected zone.
Research is essential to ensure risks are identified. Here we consider some typical sources of research material:
- Online encyclopedias and search engines (e.g. Wikipedia and Google) can provide valuable information; however, all material should be cross-referenced and validated.
- Proprietary software is pre-populated with risk categories that users can select or delete.
- Those researching risk types often intend to compile a risk register. It can be helpful to examine risk registers compiled by others.
- Operational teams within businesses may have experienced some of the most common risk categories first-hand, so a good start is to access the knowledge of these team members.
- Experience is by far the most superior source of knowledge and those seeking to gain experience have many opportunities to learn, including apprenticeships, mentoring, job shadowing, and simple learning and development.
The most common use of the gathered risk information is to compile a risk register, which contains information that an organisation needs to manage risks. Essential data, such as risk description, probability and impact assessment, is supplemented by information about existing risk controls, ranking, priorities and risk ownership. The register is then monitored and maintained as a data source for the business to review and prioritise action on risk matters.
Information can also be valuable for negotiation purposes; for example, when buying insurance, or when evaluating and managing risks in a contract, where it is important to know the risks to be negotiated and the price appropriate for those risks.
This ensures 'no surprises' and allows the business to be better managed.
Risks need to be researched carefully to ensure they are adequately identified and that sufficient information is available to assess the potential exposures they may cause. Risk managers can use a variety of techniques to identify risks.
Organisation charts are useful as a demonstration of the organisation's activities and structure. They allow the reviewer to focus on the company, its business structure and geographies, and the shape of its management team. The downside of these charts is that the reviewer must then overlay this with their own knowledge of people, business and geographic risks - even then, significant exposures could be missed. For example, the business may import large quantities of materials from China, which would not be apparent from the charts. This would be a potential source of risk should the materials be of inferior quality and be incorporated into the company's own products.
A flow chart will look at an organisation differently from an organisation chart. It pictures the route taken by all crucial ingredients of the final product through to completion and final delivery. These processes could apply whether that 'final delivery' is a supermarket building, settlement of an insurance claim, a piece of furniture or a credit approval at a bank.
Checklists and Questionnaires
Pre-populated checklists are useful as a generic framework for data gathering as they reduce the hit-and-miss nature of starting with a blank sheet. However, these checklists are seldom exhaustive and tend to be too generic to cover all business sectors or geographic risks.
In some cases, where there is a large amount of information to be incorporated (and particularly where this information is sourced from a number of similar business activities) it is useful to consider questionnaires as a risk identification tool. Questionnaires need to be drafted carefully to ensure that information is consistently crafted and that all sources are tapped. However, when the data is collated the effort is worth it. The main concerns are lack of responses or inconsistent interpretation and answers to the questions. Good questionnaires and checklists will ask for simple answers that can be processed easily by computer, but will also allow sufficient space for the user to complement these answers with comments, opinions and suggestions.
Physical inspections allow not only a very clear and personal picture of the environment at risk, but also face-to-face conversations with people on site. Insurance companies often carry them out for underwriting purposes, often in the form of property or liability surveys. Internal audit teams may also perform physical inspections, but these are usually driven by specific issues such as financial irregularity. Internal health and safety teams also frequently inspect sites, particularly after accidents occur. All these surveys and inspection reports will contain useful information for risk identification - but they will not present a full picture of the risk landscape. Audits will, however, be very useful when identifying risks that are outsourced by the business or undertaken at remote sites.
Brainstorming sessions, sometimes called workshops, are where a group selects a topic for discussion and records as many ideas as it can as quickly as possible. They are very helpful for focused discussion around risk - particularly if the risk manager organises the workshop especially to discuss risk issues. They can be dedicated to identifying risk and will need the expertise of operational risk staff. If the topic is not specifically related to risk then there may be less value for the risk identification process, but attendance may provide deeper understanding into production processes.
Fault trees investigate what could cause supplies to cease and consider the likelihood of that happening. They use diagrams to highlight points of weakness in processes with alternative risk outcomes against each event that could occur. Fault trees need expert help as they are hard to craft without detailed knowledge and equally hard to interpret without any understanding of the process.
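As an added illustration (not part of the CII fact file), a small fault-tree evaluator for the "supplies cease" scenario the passage describes. The tree, the event names and their probabilities are constructed sample values; the code assumes basic events are independent.

```python
"""Fault-tree evaluator: AND/OR gates over basic events (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Basic:
    name: str
    prob: float  # probability of the basic event over the review period (constructed)


@dataclass(frozen=True)
class Gate:
    kind: str  # "AND" or "OR"
    name: str
    inputs: tuple  # child Basic or Gate nodes


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`.

    Assumes basic events are independent and each appears once in the tree;
    with repeated events the exact figure needs the cut sets instead.
    """
    if isinstance(node, Basic):
        return node.prob
    child_probs = [probability(child) for child in node.inputs]
    if node.kind == "AND":  # all inputs must occur
        p = 1.0
        for x in child_probs:
            p *= x
        return p
    if node.kind == "OR":  # at least one input occurs
        none_occur = 1.0
        for x in child_probs:
            none_occur *= 1.0 - x
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> set[frozenset[str]]:
    """Minimal cut sets: the smallest combinations of basic events that cause `node`."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = set().union(*child_sets)
    else:  # AND: one cut set from every input, combined
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Drop any candidate that strictly contains another (non-minimal).
    return {s for s in candidates if not any(other < s for other in candidates)}


def single_points_of_failure(node: Node) -> list[str]:
    """Basic events that on their own cause the top event: the weak points to fix first."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def sample_tree() -> Gate:
    """Constructed example: why the supply of a key raw material might stop."""
    supplier_fails = Basic("single-source supplier ceases production", 0.05)
    no_alternative = Basic("no alternative supplier qualified", 0.60)
    shipment_delayed = Basic("inbound shipment delayed", 0.20)
    low_safety_stock = Basic("safety stock below two weeks", 0.30)
    port_strike = Basic("port strike halts imports", 0.02)
    return Gate("OR", "supply of raw material ceases", (
        Gate("AND", "loss of supplier with no fallback", (supplier_fails, no_alternative)),
        Gate("AND", "delay outlasts buffer stock", (shipment_delayed, low_safety_stock)),
        port_strike,
    ))


if __name__ == "__main__":
    tree = sample_tree()
    print(f"P(top event) = {probability(tree):.4f}")
    for cs in sorted(cut_sets(tree), key=len):
        print("cut set:", " AND ".join(sorted(cs)))
    print("single points of failure:", single_points_of_failure(tree))
```

The single points of failure and the highest-probability cut sets are the items to carry forward into the risk register with a control and an owner.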
Hazard and operability studies (HAZOPs)
Originating from the oil and chemical industry, a HAZOP study identifies the risks facing personnel or equipment arising from specific operational activities. Complex HAZOP studies require significant computing resources. They are rigorous, detailed and usually contain computerised fault tree analyses of safety critical systems or system components, often conducted during their design. HAZOP studies are very specific and cover predefined risks and processes rather than offering a general start point.
In many cases, risk identification skills come from extensive knowledge and experience. For example, a lawyer who reviews a contract will be well-versed in spotting likely areas of risk and will be able to report this back in layman's language.
If the business already has a risk register that is a good starting point. Often these are under another guise (for example, as an audit checklist) so the risk manager may have to hunt around to find it. It may also be held by several "owners" so there will be a need to pull together registers identified (for example, by audit, health and safety, real estate and other teams). Sample risk registers can be viewed on the Internet and there are software packages that support the data collection process. Some organisations make their risk registers public documents (particularly those organisations where the public has an interest such as local authorities and charities).
A widely adopted approach is to first put risks into categories and then look within each category to determine which risks are important and which risks can be ignored. This is known as risk categorisation. Risk categorisation systems are important because they enable an organisation to identify accumulations of similar risks and clarify potential for applying common risk control strategies. For the purpose of this fact file, the main categories are listed below.
The term 'financial risk' covers a complex group of risks associated with the financing of business activities (e.g. using a bank overdraft to manufacture products in anticipation of selling them at a profit, or waiting for customers to pay for goods already delivered) and with specific financial transactions, including borrowing, lending and the issuing of insurance contracts. All organisations carry some form of financial risk, but it is a 'core risk' for the banking and insurance industries.
Financial risks are becoming increasingly important as these sectors find themselves under ever-stricter regulation. Some key areas where risk exposures need to be identified and analysed for those engaged in the financial services sector are described in this section.
- The banking and insurance sectors have been through a lengthy period of turmoil and uncertainty, beginning with the collapse of several major institutions in the USA - collapses that required Government intervention. A similar situation played out across Europe. The resulting economic slump put pressure on governments to impose regulatory reforms on the finance sectors in many countries. Interestingly, regulatory reform had been underway for many years, but largely on a self-regulatory basis; it took this crisis to escalate the issue and produce more potent regulation.
- High-level fraud has continued to plague the financial sector, even after the introduction of new regulation. As an example, UBS, a financial services company, reported a £1.3 billion loss in September 2011 due to a rogue trader. Identifying fraud in this sector is tough, despite the introduction of strict regulation and the need for vigilance where derivative and other financial instrument trading is concerned (first prompted by the actions of Nick Leeson that led to the collapse of Barings Bank).
- Reserve funding. The insurance industry has had to conform to new levels of reserve funding brought about by regulation such as the EU Solvency II protocols. Essentially, these protocols aim to ensure banks are adequately capitalised to protect end customers. This also imposes additional requirements on banks and insurance companies to identify emerging risks within their businesses.
- External factors such as investment market movement, exchange rate fluctuations and credit risk, can place strains on a business, with the risks often shifting dramatically and at a fast pace. Managing such exposures is often entrusted to the Treasury function, which hedges the exposures to mitigate the impact on the balance sheet. Identifying these risks requires a detailed knowledge of how the business undertakes its large financial transactions, because the sums involved can be substantial.
Corporate governance and regulatory compliance have become hot topics for businesses since the advent of the financial crisis; the management of financial and regulatory risks are closely interlinked.
In the UK, new regulation was introduced by the Financial Services Authority (now the Financial Conduct Authority and Prudential Regulation Authority).
Following attempts at self-regulation in the financial services industry, the emphasis has shifted to formal regulation (although this is still a strongly political issue that has created tension between the financial services sector and the UK Government).
For businesses generally, corporate governance controls have been introduced to reduce risks of fraud or corruption at the senior level within organisations and also to place additional responsibility on boards of companies to be accountable for such failures. This includes communicating with stakeholders - employees, customers, shareholders and corporate investors - on a more open basis. In the USA, legislation arising from the Sarbanes-Oxley reforms in 2002 has provided a benchmark that many other countries are emulating.
Large corporations must now embed the regulatory and corporate governance compliance in their risk identification analyses. Fortunately, most reforms are taken seriously and are seen as examples of best practice; so (for the most part) it is simply a case of auditing compliance rather than identifying risks from scratch.
As businesses rely more and more on technology, identifying risks becomes harder. The reason is that downside risks associated with technology tend to be treated less seriously than the upside opportunity to roll out new innovative products. Product development and speed of operation are still the major product selling points; risk management features such as virus protection are usually 'bolt on' technology items, often purchased as separate features by the end user.
While hackers and other activists see technology as a source of exploitation (for mainly spite-driven business inconvenience rather than personal financial gain), identifying risks tends to be driven by the need for a response to actual risk events rather than proactive risk monitoring.
The process for identifying technology risks needs to be separated between the main platforms around which technology is built:
- Hardware - the physical equipment (including peripheral devices) that is used to input/output data
- Software - the programs used by the hardware to ensure a friendly interface between the user and the complex processing-driven hardware
- Communications - allowing the technology to be widely shared - for example the Internet, emails etc.
Each area needs careful scrutiny to ensure the process is understood, which in turn flushes out the risks. Given the detailed nature of computing and ever-emerging new risks, such as cloud technology, it is necessary to bring in some expertise in each area. This expertise may be made up of a mixture of internal staff and external suppliers.
Often, a kick-off workshop is useful to set the criteria. Reviewing processes in detail can expose areas of risk that become a checklist for a more detailed review. Ideally, identifying risks should be driven by someone with strong computing knowledge and experience within the business - possibly the Chief Information Officer; a role that often incorporates information security.
Physical risks are often the easiest to flush out. The trick is to ensure that the person in charge of risk identification knows a little of the business processes, but (more importantly) has the ability to confidently identify housekeeping and management standards. This person should also have wide industry knowledge so they can make some benchmark comparisons.
Identifying physical damage risks is best undertaken through a mixture of site inspections and regular independent or self audits.
Some common areas of risk that will be identified through these methods include:
- Location risk exposures. Some sites are located in built-up areas where the threat of damage from surrounding buildings is increased - for example, by fire. Also, the risk of burglary will be increased in a low-income neighbourhood with a poor record of social facilities. Location may also dictate some natural hazards such as flooding, high temperatures etc.
- Building-related risk exposure. The construction of a building is often a risk factor that needs to be considered. Poor construction standards or use of materials that are unsuitable for the stock stored within may influence the level of risk. So, for example, a production site for volatile materials (such as fireworks) should not feature any wooden material unless it is fully fire-protected.
- Business activity. The nature of a particular business activity may present physical hazard. For example, consider a plastic extrusion process that generates products at high temperatures - the risks to site personnel, the building fabric and neighbouring premises should all be factored and appropriate measures taken to manage any heat build-up or fire risk.
- Contents. Stock and the layout of stock is an important factor. If the building is "shed construction", with large open-plan areas internally, then the risk of fire spread is high. The risks generated by storage and production must be identified at the outset. It is worth flagging here the risk of scope creep - where decisions are taken by production staff to realign the site layout, usually for sound economic reasons. Often, risk identification is not part of their business plan; this makes it important for business changes to be monitored from a risk perspective.
- Physical risk protection. Identifying risk protections often requires some expertise in risk control surveying. Physical protections should be purchased and installed to match the risks posed by the business or site activity. So, for example, a plastics warehouse with large open areas will need a higher level of protection than a warehouse containing metal garden furniture. The former may require sprinkler protection under building regulations or insurance company requirements, whereas the latter might require simple hosereels and fire extinguishers. The company's own attitude to risk will also be relevant as they may wish to set their own standards of protection to protect business profitability and continuity by ensuring a fire is swiftly discovered and extinguished. Other risks may be identified that require protection measures - for example security, flooding and so on. It is necessary to regularly review the risks in the business alongside the physical protections in place.
- Business interruption risks. Business interruption generally follows physical damage to assets and represents the lost profit and continuing overhead costs that the business suffers when it cannot operate normally. However, recent events have also shown that businesses are extremely vulnerable to events that have widespread impact but do not necessarily cause damage - such as volcanic ash grounding air flights and snow bringing all forms of transport to a halt. So, for risk identification purposes, a wide variety of potential risks that could impact on business continuity need to be considered. It is generally easier to identify those business interruption risks that follow physical damage, and useful sources of expertise will often be found in the insurance carrier risk engineering teams. The non-damage business interruption losses should be considered in conjunction with operational management teams who will have an appreciation of past events that have affected the business and potential impact from events that have occurred elsewhere.
- Housekeeping attitudes. Housekeeping attitudes can generally be identified through site inspections as this tends to provide an overview of tidiness, cleanliness and attitude in the workplace. However, other signs can be picked up from staff turnover, accident records and physical risks such as petty theft in the workplace. It is important to identify poor management or housekeeping as these are, inevitably, contributory factors to deeper risk issues such as major injuries at work or even (where site materials have been stored inappropriately) to fire damage.
Modern businesses invest hugely in their brands, in an endeavour to nurture a customer base that places trust in their business and would not purchase from a rival. Brand loyalty is secured by good customer service but also, bizarrely, by simple advertising and an assumed association with quality. Therefore, some companies spend many millions on advertising, often in high-end places, to add a sense of exclusivity to their products. Motor racing is a good example of expensive advertising; it is designed to make the product appear affordable to only the most privileged.
As a result, many companies put a financial value on their brand and report this in their accounts. Any unforeseen impact to the brand could potentially severely damage their reputation and any loss of sales would affect share price. Examples abound in this context: bottled water that had to be recalled after contamination, electrical appliances being recalled after causing injury, baby food containing glass shards and so on.
Identifying the reputational risk is therefore relatively straightforward for two reasons:
- the company is well aware of its best products and will fully understand (and be fearful of) anything that could impact negatively and
- the financial impact is so severe that the business will have assessed - in a positive way - the brand value; therefore the potential risk impact is potentially of equal value.
Businesses also often produce intellectual property such as patents, trademarks and copyright. These assets provide value to the company as they are saleable or tradeable and have a degree of uniqueness that the business wishes to retain. The risk identification process here requires close supervision of how these assets are supplied to third parties, which must be controlled and monitored to make sure they are not pirated or passed on. This is usually achieved through strict contractual clauses with high penalties for any breaches - penalties that are suitably enforced. Identifying the risk also requires assessing how the asset could pass into the wrong hands and when and how action is required to remedy this.
The risk of information being leaked should be identified across all stages of the design, registration and supply process; the greatest risk occurs during the design stage when the asset is being developed and rivals would be very keen to see (and possibly steal) the prototypes. Examples here include new technology such as designs for tablet devices and smartphones.
Liability arises from many causes, but most commonly as a result of the negligent acts of one party that cause injury or loss to another party. However, liability can also be simply the failure of one party to meet its contractual obligations. It can also apply where a design or formula fails to perform to specification, even though there may not be loss or damage.
So risk identification of liability exposures is highly complicated.
Perhaps the best way of explaining the array of risks that need to be identified is by taking insurable liabilities and outlining some of the exposures. This is appropriate as most liabilities are insurable so the insurance industry has some fairly robust risk mitigation measures available to businesses.
Public liability risks
The general liability risks mainly revolve around loss, damage or injury to third parties (usually visitors to premises). Identifying these risks is particularly difficult as they relate to the business' interactions with the general public and hazards will be constantly changing.
Take the example of a supermarket chain where the visitors are customers; the shop owner cannot regulate the number, age or physical condition of their customers so there will be a wide range of potential claimants. Elderly people can lose their footing on wet floors, children can cause trip hazards and product spillage is a general hazard to all customers.
Claims from customers can be numerous and can often be expensive. Retailers will also be wary of their reputational risk exposures so may err on the cautious side (i.e. in favour of the claimant) when making claim settlements.
Employers' liability risks
The Employers' Liability (Compulsory Insurance) Act 1969 requires all employers to arrange insurance concerning accidents to staff while in the workplace. This legislation has generated an industry around claims fuelled by lawyers, unions and, occasionally, fraudulent claimants.
The Act requires employers to carry a minimum £5 million of insurance. Identifying risks is often a matter for health and safety teams, which:
- enforce compliance with health and safety legislation
- audit and spot-check safety standards in the business
- investigate accidents and incidents; and
- liaise with the Health and Safety Executive (the statutory body that implements and monitors legislation and codes of practice).
Risks in the workplace fall into two categories: occupational injuries or diseases, and simple accidents. Simple accidents tend to be one-offs and can be readily addressed. Occupational risks (such as back injuries, noise-induced hearing loss and repetitive strain injury) are more complicated as the conditions are generated by the work environment and injuries can only be avoided if workers are not vulnerable to the risk exposure (e.g. have poor hearing in the first place) or take suitable precautions (e.g. wear ear defenders). Identifying those people predisposed to certain risk exposures at the interview stage can be difficult, and even when they are at work some employees will not wear safety equipment despite attempts to enforce this.
Employment practices risks
The insurance industry has partly responded to risks arising from disputes that become employment tribunal matters. The main exposures here are events that occur in the workplace where the employee feels aggrieved and takes legal action to hold the employer accountable (even where it is a dispute between two employees rather than employee/manager).
Examples include sex discrimination and race discrimination disputes. Risk identification will be addressed by examining the company's policies and procedures for employment protection matters and assessing how well these are met in practice.
Professional indemnity risks
Risks arising from provision of specialist professional services are complex, and are some of the most expensive disputes to resolve where things go wrong.
The insurance industry offers solutions to those facing the greatest exposures: typically architects, engineers, consultants and lawyers. They purchase the cover to protect them in the event their advice is disputed or actually proven to be incorrect.
In fact, many businesses find they will not be able to secure work without some evidence that they buy professional indemnity insurance to cover their professional liability under contract and against their errors and omissions.
Identifying risks must be an ongoing process for these professionals. They are fiercely protective of their reputations and will want to contest claims routinely; it is a sad fact that sometimes claims arise because the client has incorrectly specified their exact requirements and the professional has fulfilled the contract under some frustration - and is then sued when the client realises the result is ineffective.
It is therefore up to the professional to constantly check and double-check advice, specifications and other technical output and to challenge the client whenever they have any doubt over the likely outcomes. This constant check process will also serve as an audit trail if the quality of advice is disputed.
Directors' and officers'/trustee liability risks
Senior managers and board members face a lot of pressure to ensure business compliance and to be accountable for business failure. This means that, nowadays, incoming non-executive directors and top-level management seek confirmation they will be covered by directors' and officers' liability insurance.
Therefore, risk identification is required on both sides:
- Senior staff must ensure that the business meets compliance requirements and adopts good governance.
- The company must ensure that its senior staff act responsibly, are accountable for errors and take rational decisions to protect the company's reputation and financial position.
Methods of identifying risks within the product manufacture and retail cycle rely strongly on quality control procedures.
This is one area where flow charts can be very useful. They can detail the entire retail cycle from sourcing raw material through to end consumer supply. Each step in the process can then be tested for risks that could affect quality control.
The level of quality control tends to be much stricter in certain sectors and (in some cases) is regulated. Much emphasis is placed on consumer protection. It is therefore in a business's best interests to ensure that the whole production cycle is protected from potential risk factors.
Potential risks include:
- product contamination (deliberate or otherwise)
- manufacturing defect (caused by machinery breakdown, for example)
- product deterioration - particularly important where the product is temperature-sensitive.
Many businesses outsource much of their supply chain, so the risk identification process must extend to reassurance that such risks are managed by the service providers.
If a product failure occurs, it is occasionally necessary to retrieve all products sold or supplied to customers and retailers for destruction or modification. Businesses will do this because the risk of injury or damage from the defective product is too high. An example is a defective electric toaster that carries the risk of catching fire. The risks of serious property damage or injury and the subsequent reputational damage to the supplier are too great.
In some cases, the supplier will take a gamble and rely on fixing problems as they arise, but such a gamble is a major risk in itself. Toyota faced this situation in 2009-10 when its vehicles experienced sudden acceleration problems and it was forced to recall all affected vehicles - an expensive but necessary exercise.
So, identifying risks here is largely a matter of contingency planning: putting procedures in place to identify problems quickly and having plans ready to implement a recall.
Research and development risks
Identifying risks within research and development is usually a matter for those closely involved in the research activity.
The risks associated with research and development work can be great. However, they are better managed in that the risk of release of the product to the outside world is closely contained.
There are exceptions: in 2006, clinical trials of the drug Parexel caused six volunteers severe organ failure and significant complications, albeit contained as the injuries occurred at the final human-testing stage.
The pharmaceutical industry has very strict risk identification processes. However, setbacks will occasionally only be identified once clinical trials on humans begin. Therefore, identifying risks consists of product research followed by closely monitored trials on animals and constant monitoring and response when trials begin on humans.
This section identifies other areas of exposure where risk identification should be addressed.
Political risks arise where the business trades in countries or environments where government or anti-government action could negatively affect trading conditions.
This action may be war, civil unrest or simply where the government freezes foreign assets to prop up the local economy.
There are many examples of political risk, but perhaps one of the best-known is Zimbabwe, where - with government approval - local tribes confiscated foreigners' land, often killing farm-owners in the process.
From a risk identification point of view, specialist local market intelligence is required to spot looming trouble spots. Often, businesses must respond very quickly to protect their assets when risks come to light.
Many manufacturing processes produce waste. Sometimes that waste is toxic, meaning that accidental (or deliberate) spillage could cause many forms of loss.
Also, some simple business risks can lead to damage to the environment, for example a spillage of vehicle-borne products that damages road surfaces or enters rivers.
Identifying environmental risks in operational environments relies on adherence to standard production processes, so creating a flow chart will be the starting point here. Accidental discharge requires immediate activation of the contingency plan, as disaster will often result.
This was seen in Hungary in 2010 when an aluminium plant's sludge waste reservoir breached, causing widespread contamination of land and waterways. Speed is usually of the essence when any spillage or leak occurs.
Contracts act as the formal understanding between two parties, detailing:
- the work to be undertaken
- the manner in which it should be undertaken
- how payment will be made
- penalties for non-performance.
It is the last point that often apportions risk between the parties. The risk controls may be simple - financial penalty for non-performance, rights to terminate the contract for non-performance and also penalties for loss or damage caused by either party's negligence.
Identifying contractual risks requires some knowledge of contract law and construction and it is usually part of a solicitor's remit to cover risks identified during the contract review process.
Once risks have been identified, the next logical step is to begin quantifying the risks and their potential cost to the business. Read the risk quantification fact file for more information.
However, before quantifying the risks there are some intermediate steps that can help frame a risk management philosophy and assist the business in determining how it responds to risk. This section outlines some of these intermediate options.
- Risk appetite. Risk appetite is most often a financial measure of the level of risk exposure a business is prepared to accept for its "net account" (that is, how much it feels it can absorb on its balance sheet before passing any surplus externally - for example, to insurers, contract partners etc). It is important that the business considers this across a definable timeframe - for example, any accumulation of risks occurring within a 12-month period. This figure then becomes an important threshold, allowing the board to report major issues to shareholders, or even acting as the trigger point at which the business starts to purchase insurance to cover that risk. Risk appetite will change depending on the financial environment and the business's own changing profitability.
- Risk tolerance. This is the total level of risk that a business will accept before it changes its strategy in order to reduce exposure. Risk tolerance is a negative approach to risk (whereas risk appetite tends to be positive). Risk appetite will flex based on circumstances and often relates to quality of risk rather than quantity. For example, a business that invests in the stock market may shift investments to gilts when stock market conditions produce poor results. The level of investment may be the same, but the mix of investments will be less risky.
- Ranking risk. Risk profiles are often easier to digest if they are shown in some order. Risks cannot be ranked in size until risk quantification is undertaken. However, simply grouping risks together (perhaps in the categories outlined in the body of this fact file) may assist the audience to work through quantification, measurement etc.
- Risk identification involves understanding what threats exist and how they may make it more difficult to achieve stated objectives.
- Risks can be constant factors that arise as a routine part of business activity, or 'curve balls' that take businesses by surprise.
- Risks need to be researched carefully to ensure they are adequately identified and that sufficient information is available to assess the potential exposures they may cause.
- Risk categorisation is putting risks into categories and then looking within each category to determine which risks are important and which risks can be ignored.
- Once risks have been identified, the next logical step is to begin quantifying the risks and their potential cost to the business.
- Employers Liability (Compulsory Insurance) Act 1969
- Health and Safety at Work Act 1974
- Road Traffic Act 1991
- Sarbanes Oxley Act 2002
- A Risk Management Standard. The Institute of Risk Management, 2002.
- Controlling the risks in the workplace. The Health and Safety Executive.
- Risk register. Wikipedia article, 2011.
- Hungary battles to stem torrent of toxic sludge. BBC, 2010.
- Risk control. CII fact file, 2017.
- Risk transfer. CII fact file, 2017.
This document is believed to be accurate but is not intended as a basis of knowledge upon which advice can be given. Neither the author (personal or corporate), the CII group, local institute or Society, or any of the officers or employees of those organisations accept any responsibility for any loss occasioned to any person acting or refraining from action as a result of the data or opinions included in this material. Opinions expressed are those of the author or authors and not necessarily those of the CII group, local institutes, or Societies.