Analyse and Evaluate Sources of Risk (Crisis Scenario)
For crisis management implementation, readers of this article, "Analyse and Evaluate Sources of Risk," are presented with a comprehensive overview of the crucial process of identifying and assessing potential sources of risk within an organisation.
Through systematic evaluation techniques and risk assessment frameworks, the article guides readers in identifying vulnerabilities, assessing likelihoods, and estimating potential impacts, enabling them to prioritise risk management efforts and allocate resources strategically.
The analysis and evaluation of the risk (crisis scenario) include the following performance criteria:
- To characterise risk, access sources of information and data on risk and vulnerability within the context of existing control measures.
- Identify and consult appropriate specialist advisors and agencies to analyse and evaluate the sources of risk.
- Evaluate and prioritise risks for action.
Determine and Rank Risks
Each organisation should identify its risks using an established list of threats. The impact of these risks on each of the primary and support activities of the organization should then be deliberated upon and determined.
For example, a cost-benefit analysis can be employed to compute the potential losses due to a particular risk.
The organization should deliberate and consolidate these risks. The list of risks drawn up should be ranked via established criteria. The process is shown in the Risk Analysis and Review Process or, in the context of crisis management implementation, Crisis Risk Scenario Assessment.
Risk Analysis and Review Process
Rate Risk Likelihood
Risk Likelihood is the probability or chance of a threat occurring. It is about the organization’s operating environment and is measured on a scale of 1 to 5.
The table "Descriptor for Risk Likelihood" provides an example of a detailed breakdown of risk likelihood.
| Risk Likelihood | Descriptor | Description |
| --- | --- | --- |
| 1 | Very Low | It is highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will. It may occur once in 10 years. |
| 2 | Low | It's not expected, but there's a slight possibility it may occur at some time. Will occur once in 5 years. |
| 3 | Medium | The event might occur at some time as the organisation has a history of casual occurrence. Will occur once in 2 years. |
| 4 | High | There is a strong possibility the event will occur as there is a history of frequent occurrences in the organization. Will occur once in 1 year. |
| 5 | Very High | It is very likely. The event is expected to occur in most circumstances as the organisation has a history of regular occurrence. Will occur once in 3 months. |
Descriptor for Risk Likelihood
Establish Risk Impact
Risk Impact is an outcome of a threat (Crisis scenario) that will impact an organisation's objectives or assets. The Risk Impacts are categorized into the following areas:
- Financial
- There will be financial or quantifiable impact due to loss of revenue or damages to property or equipment.
- Processes (Business Operations)
- The critical business processes or day-to-day operations of the organisation are impacted.
- Legal and Regulatory
- Non-compliance with regulatory requirements, inability to fulfil contractual obligations leading to penalties and sanctions, or strategy changes, i.e. outsourcing a service or production line to the vendor.
- Reputation and Image
- The delay or unavailability of key products and services adversely impacts the organization’s reputation and image and may lead to adverse coverage on various media platforms.
- Social Responsibility
- The threat impacts public and community needs, expectations, and interests.
- People
- The threat may cause adverse impacts on personnel, i.e. employees, part-time staff and agency staff.
- Assets / ICT Systems / Information
- The specific threat impacts critical assets, technology, telecommunications and information.
- Assets refer to significant buildings, facilities, equipment, utilities or physical security of premises.
Risk Rating and Risk Level
Risk Rating
Risk Rating is the product of Risk Likelihood and the Risk Impact from the impact area. It represents the overall Risk Rating of a threat to the organisation, considering the Risk Likelihood of the threat occurring and its Risk Impact.
Risk Level
Risk Level is the perceived level of risk to the organization as assessed against each identified threat.
Figure 9-3: Risk Rating and Risk Level
Treat Risks
Each risk in the list of risks drawn up should be addressed via one or a combination of the following treatments.
Types of Risk Treatment
Risk Reduction
- Measures should be explored to reduce risks that cannot be avoided.
- For example, instead of concentrating primary operations and functions in a single building, they can be distributed to several locations.
- Considerations should also be given to reducing risk occurrences from affecting the organisation's other operational or functional areas.
- For example, operational processes involving hazardous materials should be segregated and carried out separately.
Risk Avoidance
- Whenever possible, risks should be avoided.
- Termination of risk is another option but rarely possible unless this is the start of the implementation of a product or service.
- For example, relocating premises away from locations plagued by natural disasters.
Risk Transference
- Consideration should be given to transferring risks to a third party or through insurance.
- Examples include outsourcing to external vendors or insurance against financial loss.
Risk Acceptance
- An organization should be prepared to accept those risks that cannot be addressed via any of the above risk treatments.
- For example, a risk may be accepted if the cost of the risk solution far exceeds the expected loss. A list of all such risks should be documented.
Determine Risk Treatment Choices
It is highlighted that an organization shall identify available risk treatments (to the crises) that:
- Reduce the likelihood of a disruption (Avoidance).
- Reduce or shorten the period of disruption (Reduction).
- Limit the impact of a disruption on key products and services (Transference, Avoidance, and Reduction).
The organization shall choose and implement appropriate risk treatments for each critical activity according to its level of Risk Acceptance.
Goh, M. H. (2016). A Manager’s Guide to Implement Your Crisis Management Plan. Business Continuity Management Specialist Series (1st ed., p. 192). Singapore: GMH Pte Ltd.
Extracted from Analyse and Evaluate Sources of Risk