
Step 2: prepare risk definitions and appetite


What risk is your organization willing to accept?

A scenario that gives your management ‘sweaty palms’ is probably a ‘high risk’: a situation management is willing to put real effort into changing for the better. In other words, a ‘high risk’ is a scenario that threatens the very existence of your organization or its strategic targets.

Before starting the risk analysis, consider the definitions you will use and make them concrete for your organization. Everybody in the organization must share the same mindset, so top management and the various risk stakeholders should be involved in this discussion. Creating common ground on the definition of risk is crucial; we cannot have a situation where all risks are equal, but some are more equal than others.

Introduction to risk appetite

A risk analysis is a process that identifies and evaluates potential threats to a business or organization. For each threat, the likelihood of occurrence is determined and the impact of the damage that would occur if the threat materializes is estimated. Likelihood and impact are then combined into a risk class that helps management decide how urgent the threat is and what action should be taken.

In addition to identifying threats, opportunities can be identified using the same process.

The main goal of a risk analysis is to determine how risks can be controlled or reduced to an acceptable level. The options are to implement measures that mitigate the risk, to accept the risk, to transfer the risk to a third party such as a supplier, or to avoid the activity that poses the risk altogether.

The demarcation line between risks that need action and those that can simply be accepted is called the ‘risk appetite.’

Integrated Risk Management

Management often faces multiple risk analyses on different topics, such as finance, reputation (image), health and safety, environment, information security, privacy, and patient safety. Each topic tends to use its own methods and definitions, which makes it hard to compare risks across topics and to prioritize actions.

To overcome this, management can align the most crucial risk management parameters across all topics: probability, impact, and risk class. With shared scales, management can compare risks from different topics, make consistent policy choices, and prioritize actions. Ultimately, this approach moves the organization towards integrated risk management, where all risks are considered holistically.

Definitions

Here you can find some sample definitions; please adapt them to make them your own.

Probability / Likelihood

The classification of the probability, or likelihood, that an incident or threat occurs.

Class     Description
High      Daily, weekly, or multiple times per month.
Medium    One to several times per year.
Low       Less than once a year.

Impact

The classification of the impact or consequences of an incident or threat. Impact is categorized by different themes so that the classification aligns with how people in the workplace perceive it. When a scenario scores differently on several themes, the theme with the highest class is used as the basis for the analysis. The impact classes are specific to each organization; the example below comes from the healthcare sector.

Impact class: High
  Financial: Affects over 5% of annual turnover.
  Image: Heavy reputation damage; customers seek alternatives and avoid the organization.
  Legal and regulatory compliance: Parts of the organization or of its processes may be closed down by supervisory authorities.
  Organizational: Threat to strategic goals.
  Patient safety: (Multiple) fatal incidents.

Impact class: Medium
  Financial: Affects 1% of annual turnover.
  Image: Serious customer satisfaction issues; loss of some customers.
  Legal and regulatory compliance: Issues with supervisory authorities.
  Organizational: Threat to tactical goals.
  Patient safety: Incidents resulting in permanent or temporary disability.

Impact class: Low
  Financial: Efficiency issues; financial damage stays within the operating budget.
  Image: Issues with small impact.
  Legal and regulatory compliance: Notifications in the quality system, internal and external audit findings.
  Organizational: Impact on operational areas.
  Patient safety: Wrong treatment or near misses.

Risk Class; Risk Appetite

The risk class determines how the organization responds and the organizational level at which the response is handled. The table below represents a high-level policy intention, which is also referred to as the risk appetite.

It is generally accepted within quality management systems that deviating from the standard is allowed, but only with justification.

Risk class: High
  Description: High-risk situations threaten the organization's continuity or endanger its strategic goals. Management takes the lead and defines actions in an improvement plan to mitigate the risk and bring it down to an acceptable level. If preventive measures are not economically feasible, a reactive scenario (what to do once the risk materializes) is developed as an alternative measure.
  Management level: Executive board, strategic level

Risk class: Medium
  Description: Medium-risk situations receive management attention. Whether action is taken depends mainly on a business case: low-hanging fruit measures are decided on quickly, while measures that require substantial investment depend on the business case.
  Management level: Management, tactical level

Risk class: Low
  Description: Low-risk situations are considered acceptable for the organization. Operational action, such as process optimization, is possible and is decided on by operational management.
  Management level: Work floor, operational level

Risk Model Canvas © 2023 by Gilbert van Zeijl and Vincent van Dijk is licensed under CC BY-SA 4.0
