Risk identification and analysis

During the risk identification phase, all possible risks are listed as scenarios. Risks are identified, analyzed and then categorized according to priority.

During this stage, the focus is on the main risks to the company. The checklist is often called the danger list. Most of the time, risks linked to individuals are limited. It is therefore important to concentrate on major risks to eliminate them as much as possible.

Internal and external risks

Graphic. List of internal and external risks which could affect a business

In principle, identifying risk begins with an analysis of strengths and weaknesses, i.e. a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). This can be carried out as part of a meeting with interviews with the company’s key managers. The SWOT analysis is a simple tool that helps give an understanding of risk management within a company and shows existing links between major problems and the company’s objectives. Moreover, the objective of a SWOT analysis is to identify main internal and external factors that influence the company’s development and values.

The results of the meeting, interviews, benchmark analyses and information from other internal and external sources are used to create a database that includes all major information regarding risk. Risks are categorized by type and are attributed to the correct category in the risk model (see illustration below).

Opportunity and threat profile

Level

Threat

Opportunity

insignificant

to be ignored given the size of the organization; the budget is barely reduced

to be ignored given the size of the organization; the budget is hardly any different

limited

the consequences are minimal and can be financed by the cash flow; the budget is slightly reduced

the budget is slightly higher than forecast for certain aspects

perceptible

the annual accounts are down; the EBIT is less than expected

the annual accounts and EBIT are better than expected

critical/optimistic

the annual accounts are worse and worse; the EBIT is in danger (risk)

the annual accounts and EBIT are markedly higher than expected

catastrophic/
surprisingly
positive

the company’s existence is under threat; equity is almost or entirely gone

the annual accounts and EBIT are extraordinarily positive and considerably higher than expected

Source: Dr. Bruno Brühwiler, Management und Qualität, 5/2009

Once the risk catalog is defined, a general analysis should be performed for all identified risks. The risk analysis determines when a risk is manageable and therefore acceptable.

A risk tolerance threshold is often indicated in the risk environment. Risks above this threshold should not be tolerated, and risks below the threshold are acceptable.

A risk analysis is performed, generally, using two aspects:

  • Probability describes the likelihood of an event occurring. In principle, probability is calculated for a three-year period. This period is used as a basis when the company has a strategic planning cycle;
  • The consequences describe the concrete effect that this event would have. The analysis normally requires a financial value. As not all risks can be analyzed from a financial point of view, it is also possible to analyze them vis-à-vis their quality. To do so, you will need to use reputation, compliance, health and safety risks, as well as the expenses incurred by management to bring the situation under control, should the event occur.

The result of the risk analysis is represented graphically in the form of a risk map.

Risk map for fiduciary company xy

The example below highlights the main risks for a fiduciary company. The analysis is performed using two aspects: probability and consequences. Experience shows that companies often focus on approximately 10 main risks.

Graphic. Shows how to analyse risks based on their probability and seriousness

Sample danger list for a fiduciary company

No.

Danger zone0

Danger sector

Description of risk

Probability1

Potential damage2

Manager

Measures

Timeframe

1

Strategic threat

Current commercial activity

Depends on a few clients; losing a client would lead to dismissals

Possible

Threatens the company’s existence

XY

Diversification of customer base by focusing on another sector; drawing up a marketing plan

December 20xx

4

Management and employees

Employees

Behavior

Embezzlement by an employee/Company reputation affected

Extremely rare

Threatens the company’s existence

ZY

Verification of signatory powers. Verification of the authorization process. Verification of the monitoring process.

June 20xx

6

Management and employees

Unfair trade practices

Imprecise (lax, superficial, unprofessional) application of business standards

Unlikely

Threatens the company’s existence

ZY

Operational audits by superiors, survey of customers, training and professional development

Twice per year

Until June 20xx

Every two months

10

Operational threat

Dangers to production plants

Flooding of premises

Extremely rare

Threatens the company’s existence

XX

New IT rooms on the 2nd floor of the building, ensure that the site transfer goes well

July 20xx

January 20xx

16

Financial threat

Liquidity and non-payments

Credit limit exceeded - higher bank interest

Frequent

Sensitive

ZZ

Improve processes for reminders and liquidity planning

October 20xx

0. Danger zones: strategic threat; operational threat; financial threat; management and employees
1. Frequent: weekly; possible = monthly, rare = annually; extremely rare = every five years; unlikely ≤ 5 years
2. Insignificant ≤ CHF 5,000; minimal ≤ CHF 10,000; sensitive ≤ CHF 50,000; critical ≤ CHF 100,000; threatens existence ≥ CHF 100,000 

Source: Risikomanagement, Schweiz. Vereinigung für Qualitäts- und Management-Systeme (SQS), Zollikofen; 2008


Sign up to our newsletter to stay informed (on the top right).


Informations

Last modification 27.09.2019

Top of page

https://www.kmu.admin.ch/content/kmu/en/home/savoir-pratique/finances/gestion-des-risques/planification-des-risques/identification-du-risque.html