Qualitative Risk Assessment
All activities of an organisation involve some level of risk. An organisational framework for managing risk incorporates processes to anticipate and understand the risks it faces, and decisions on whether to modify the risk. To achieve the most effective outcomes when managing risks, it is important to ensure that there is involvement from the relevant stakeholders. An effective means of achieving this is through a workshop environment.
The success of a workshop rests entirely on the make-up of the workshop group, with great responsibility for this resting with the facilitator. R4Risk’s principals are experienced workshop facilitators and have facilitated numerous risk assessments across a broad range of industries that have considered various types of risk issues, from safety and environmental risk issues through to business and operational risk issues.
The workshop group should include persons who have an in-depth knowledge of the area (i.e. subject matter experts). The role of these people is to provide the workshop group with sufficient information to enable the risk issues to be identified and assessed correctly.
The workshop group should also include personnel who may have responsibility, at both a management and operational level, for the system that manages the risk issue under consideration. This ensures that risk “owners” have a clear understanding of the risk issues that they are responsible for and that those who have hands-on responsibility for risk management controls understand the role that they play in the overall risk management process.
The steps conducted during the workshop process can be briefly outlined as the following:
- Set the context for the analysis
- Identify the hazards
- Estimate the likelihood and credible consequences for each hazard
- Identify existing risk management controls
- Rank the risk of each hazard
- Compare the risk level for each hazard to the applicable risk acceptance criteria
- Identify further risk treatment options available.
These steps, and the links to other management systems processes, are shown in the following diagram extracted from AS/NZS ISO 31000:2009 “Risk Management – Principles and Guidelines”.
AS/NZS ISO 31000-2009. © ISO and Standards Australia Limited. Copied by R4Risk Pty Ltd with the permission of ISO and Standards Australia under Licence 1711-c087”.
An effective means of assessing the risk level for hazards is to use a risk matrix. The advantage of using a risk matrix as the risk assessment tool is that it enables hazards to be quickly assessed to provide a comparison of risk levels between hazards. This enables hazards that are not significant to be screened out and focuses further risk management activities towards the hazards that have significance.
This can be rapidly achieved, because the consequence and likelihood categories are typically quite broad, and utilise qualitative descriptions to assist the workshop team members to understand the scale. It is then relatively easy for the workshop group to determine which is the correct category that each hazard should be assigned to. This limits the potential for the workshop group to get bogged down and waste time debating specific values. R4Risk’s experience is that for a workshop to be effective, lengthy debates over particular likelihood or consequence values must be avoided. The coarse nature of the risk matrix process, and generally taking a conservative approach to any assumptions made, enables these debates to be avoided.
An important stage in the process is the identification of the applicable risk management controls for each hazard. R4Risk’s facilitators have extensive experience in assessing what makes a sound risk management control. They will interrogate the workshop group to ensure that risk management controls nominated by the team are truly effective, and that as a group, the controls will be adequate to manage the hazard. This is one of the key skills that the facilitator brings to the risk workshop process.
Once the risk level from each hazard has been assessed, these risk levels can be compared to the organisations risk acceptance criteria. Should the estimated risk levels exceed the organisation’s risk acceptance criteria, then additional risk treatment measures should be considered by the workshop team to reduce the risk to an acceptable level. If a risk matrix is used as the risk assessment tool, the risk acceptance criteria is usually overlaid on the matrix to provide a simple comparison of the risk against the acceptance criteria.
An example of a very simple risk matrix showing risk criteria is shown below.