Risk identification and analysis
During the risk identification phase, all possible risks are listed as scenarios. Risks are identified, analyzed and then categorized according to priority.
During this stage, the focus is on the main risks to the company. The checklist is often called the danger list. Most of the time, risks linked to individuals are limited. It is therefore important to concentrate on major risks to eliminate them as much as possible.
Internal and external risks
In principle, identifying risk begins with an analysis of strengths and weaknesses, i.e. a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). This can be carried out as part of a meeting and in interviews with the company’s key managers. The SWOT analysis is a simple tool that helps build an understanding of risk management within a company and shows the existing links between major problems and the company’s objectives. Moreover, the objective of a SWOT analysis is to identify the main internal and external factors that influence the company’s development and values.
The results of the meeting, interviews, benchmark analyses and information from other internal and external sources are used to create a database that includes all major information regarding risk. Risks are categorized by type and are attributed to the correct category in the risk model (see illustration below).
Opportunity and threat profile
Source: Dr. Bruno Brühwiler, Management und Qualität, 5/2009
Once the risk catalog is defined, a general analysis should be performed for all identified risks. The risk analysis determines when a risk is manageable and therefore acceptable.
A risk tolerance threshold is often indicated in the risk environment. Risks above this threshold should not be tolerated, and risks below the threshold are acceptable.
A risk analysis is generally performed using two aspects:
- Probability describes the likelihood of an event occurring. In principle, probability is calculated for a three-year period. This period is used as a basis when the company has a strategic planning cycle;
- The consequences describe the concrete effect that this event would have. The analysis normally requires a financial value. As not all risks can be analyzed from a financial point of view, it is also possible to analyze them qualitatively. To do so, you will need to consider reputation, compliance, health and safety risks, as well as the expenses incurred by management to bring the situation under control, should the event occur.
The result of the risk analysis is represented graphically in the form of a risk map.
Risk map for fiduciary company xy
The example below highlights the main risks for a fiduciary company. The analysis is performed using two aspects: probability and consequences. Experience shows that companies often focus on approximately 10 main risks.
0. Danger zones: strategic threat; operational threat; financial threat; management and employees
1. Probability: frequent = weekly; possible = monthly; rare = annually; extremely rare = every five years; unlikely ≤ 5 years
2. Consequences: insignificant ≤ CHF 5,000; minimal ≤ CHF 10,000; sensitive ≤ CHF 50,000; critical ≤ CHF 100,000; threatens existence ≥ CHF 100,000
Source: Risikomanagement, Schweiz. Vereinigung für Qualitäts- und Management-Systeme (SQS), Zollikofen; 2008