During the risk identification phase, all possible risks are listed as scenarios. Risks are identified, analyzed and then categorized according to priority.
During this stage, the focus is on the main risks to the company. The checklist is often called the danger list. Most of the time, risks linked to individuals are limited. It is therefore important to concentrate on major risks to eliminate them as much as possible.
In principle, identifying risk begins with an analysis of strengths and weaknesses, i.e. a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). This can be carried out as part of a meeting with interviews with the company’s key managers. The SWOT analysis is a simple tool that helps give an understanding of risk management within a company and shows existing links between major problems and the company’s objectives. Moreover, the objective of a SWOT analysis is to identify main internal and external factors that influence the company’s development and values.
The results of the meeting, interviews, benchmark analyses and information from other internal and external sources are used to create a database that includes all major information regarding risk. Risks are categorized by type and are attributed to the correct category in the risk model (see illustration below).
Level |
Threat |
Opportunity |
|---|---|---|
insignificant |
to be ignored given the size of the organization; the budget is barely reduced |
to be ignored given the size of the organization; the budget is hardly any different |
limited |
the consequences are minimal and can be financed by the cash flow; the budget is slightly reduced |
the budget is slightly higher than forecast for certain aspects |
perceptible |
the annual accounts are down; the EBIT is less than expected |
the annual accounts and EBIT are better than expected |
critical/optimistic |
the annual accounts are worse and worse; the EBIT is in danger (risk) |
the annual accounts and EBIT are markedly higher than expected |
catastrophic/ |
the company’s existence is under threat; equity is almost or entirely gone |
the annual accounts and EBIT are extraordinarily positive and considerably higher than expected |
Source: Dr. Bruno Brühwiler, Management und Qualität, 5/2009
Once the risk catalog is defined, a general analysis should be performed for all identified risks. The risk analysis determines when a risk is manageable and therefore acceptable.
A risk tolerance threshold is often indicated in the risk environment. Risks above this threshold should not be tolerated, and risks below the threshold are acceptable.
A risk analysis is performed, generally, using two aspects:
The result of the risk analysis is represented graphically in the form of a risk map.
The example below highlights the main risks for a fiduciary company. The analysis is performed using two aspects: probability and consequences. Experience shows that companies often focus on approximately 10 main risks.
No. |
Danger zone0 Danger sector |
Description of risk |
Probability1 |
Potential damage2 |
Manager |
Measures |
Timeframe |
|---|---|---|---|---|---|---|---|
1 |
Strategic threat Current commercial activity |
Depends on a few clients; losing a client would lead to dismissals |
Possible |
Threatens the company’s existence |
XY |
Diversification of customer base by focusing on another sector; drawing up a marketing plan |
December 20xx |
4 |
Management and employees Employees Behavior |
Embezzlement by an employee/Company reputation affected |
Extremely rare |
Threatens the company’s existence |
ZY |
Verification of signatory powers. Verification of the authorization process. Verification of the monitoring process. |
June 20xx |
6 |
Management and employees Unfair trade practices |
Imprecise (lax, superficial, unprofessional) application of business standards |
Unlikely |
Threatens the company’s existence |
ZY |
Operational audits by superiors, survey of customers, training and professional development |
Twice per year Until June 20xx Every two months |
10 |
Operational threat Dangers to production plants |
Flooding of premises |
Extremely rare |
Threatens the company’s existence |
XX |
New IT rooms on the 2nd floor of the building, ensure that the site transfer goes well |
July 20xx January 20xx |
16 |
Financial threat Liquidity and non-payments |
Credit limit exceeded - higher bank interest |
Frequent |
Sensitive |
ZZ |
Improve processes for reminders and liquidity planning |
October 20xx |
0. Danger zones: strategic threat; operational threat; financial threat; management and employees
1. Frequent: weekly; possible = monthly, rare = annually; extremely rare = every five years; unlikely ≤ 5 years
2. Insignificant ≤ CHF 5,000; minimal ≤ CHF 10,000; sensitive ≤ CHF 50,000; critical ≤ CHF 100,000; threatens existence ≥ CHF 100,000
A company can choose between various methods for analyzing risk. These are categorized into five different groups.
There are numerous methods for evaluating risks, which are categorized into five groups:
Source: Risikomanagement, Schweiz. Vereinigung für Qualitäts- und Management-Systeme (SQS), Zollikofen; 2008
Last modification 07.05.2021
