Confronting the “What if’s” in our Work: How to Conduct a Risk Assessment | DCR Workforce Blog

Confronting the “What if’s” in our Work: How to Conduct a Risk Assessment

Every day we take risks, both big and small: From changing a lane while you drive home to making the decision to expand your company. And in the words of Tony Montana from the movie Scarface, ” Either you make a move, or you don’t.” The reason I happened to mention our good friend Tony is that I think there is a little part of everybody that wants to be that bold, minus all the lawlessness and violence. But I wish it was that simple. Everyone intends to make a move, but no one wants to deal with failure. When your company and team members are counting on you, the need to succeed can be overwhelming. So how do we come to terms with our fears and make that move?

The biggest battle with accessing risk is not even the risk- it’s acknowledging that problems and mishaps may occur and to prepare for it.

Employees and managers have ingrained preferences and a need to appear competent and confident at all times. This blinds companies to potential perils. In order to experience progress and growth, risks have to be taken. As the saying goes ” No risk, no reward”. But risks have to be managed in a method that is discerning.

Establishing a Risk Assessment Methodology

So how do companies bring risk assessment into their corporate structure? During my research, I came across an educational video titled, ” A View from the Audit Committee: Risk Oversight and Assessment.”  This video is an interview with Robert Finocchio, who is the Chairman of the Board at Santa Clara University. Below are some of his recommendations on how to conduct risk assessment.

1) Audit Committee: Having an independent group that is specifically in charge of risk assessment can help get past biases and group politics to objectively confront issues that need to be addressed.  He discusses the value of having an audit committee and some important points to look out for when evaluating risk.

  • Create a risk template: Finocchio states that you should find the “buckets of risk and who owns them, for example, departments like IT, finance, compensation or strategy.” Certain departments will be dealing with more risk than others and need to be watched and studied more carefully for any trends.
  • Key questions: Asking important questions like, “What business are we in?”,”How do we make money?”, and “How do our customers make money?” helps to initiate an investigation of risk. Also, asking questions that are much broader in thought will help you identify risks in other areas that may not be receiving the attention that it needs.
  • Biggest mistakes: According to Finocchio, a majority of the time, big mistakes are “core structure or core operational.” In addition, Finocchio also mentions that big mistakes tend to happen when the company is overconfident because they are doing well.

2) Qualified Individuals to evaluate risk: If a company does not have or want a risk assessment committee, then they can use a small number of selected individuals to conduct risk assessment. Finocchio’s second suggestion is to select individuals who can work with managers to analyze information, develop new ideas, and then challenge these ideas by engaging in a dialectical analysis.

The assessment of risk is much more objective when the evaluation is done by an independent and unbiased third party. Perhaps this is because risk assessment is contentious. You have to be critical of new ideas, innovations, products, or systems. This process is unpleasant but necessary to reduce misjudgments.

Risk Assessment Techniques

Now, if you aren’t able to have a committee or select individuals to help you with risk assessment, it might be helpful to know some valuable information. A video titled, ” Risk Assessment Methods by James Vesper” has two techniques to deal with two types of scenarios.  Both of these techniques require a spread sheet.

The first technique is the Preliminary Risk Analysis in a spreadsheet form. Vesper explains that this kind of analysis is used when there is little information. Below are the following set of questions for this technique.

1) Preliminary Risk Analysis: Each of the questions below are placed in a column of your spreadsheet.

  • Hazards or unwanted Events: “What could go wrong?”
  • Harm or consequences: “What might be the potential impact?”
  • Potential causes: “How would a problem occur?”
  • Likelihood of occurrence: “What is the probability that the problem would happen?” This category requires a numerical rating scale. You can use a simple scale of 1-10. This category must be given a numerical value.
  • Severity of consequence: “How significant is the impact?” This category will also be given a numerical value using the same rating scale from the previous question.
  • Risk score: Take the numeric values of the likelihood of occurrence and severity of consequence and multiply these two values. ( Likelihood of occurrence (X) Severity of consequence). When you perform a complete Preliminary Risk Analysis for each risk you can then compare the risk scores of each risk and see which risk needs to be taken the most seriously.
  • Possible additional controls/actions: “What might help control or mitigate this problem?”

The second technique is the Failure Mode Effect Analysis in a spreadsheet format. Vesper mentions that this method of accessing risk needs quite a bit of information. He also goes on to say that you have to be very specific in what you are accessing and that the scope has to be limited. Below are the following set of questions for this technique.

2) Failure Mode Effect Analysis: Each of the questions below are placed in a column of your spreadsheet.

  • Process step or parameter: “What is supposed to happen?”
  • Failure mode: “What could fail?”
  • Failure Effect: “What could happen if it fails?”
  • Failure Mechanism: “What could specifically cause it to fail?”
  • Likelihood of occurrence: “What is the possibility that the failure occurs and has this effect?” A numerical rating scale is required for this category. This category must be given a value.
  • The severity of consequence: “How significant is the impact?” The same numerical rating scale used for the previous question must be used to give this category a value.
  • Detectability of failure: “How detectable is the failure while something can still be done?” This category must also be given a value using the numerical rating scale used for the 2 previous categories.
  • Risk priority number: In order to determine this category’s value, you must multiply the values of the Likelihood of occurrence, The severity of consequence and Detectability of failure. ( Likelihood of occurrence (X) The severity of consequence (X) Detectability of failure ). Once each risk has been given a priority number, one can clearly see which risks need to be addressed immediately.

The techniques described in this post are very detailed, but I believe there is information that can be applicable to numerous situations that require risk assessment. Risk is mitigated with knowledge obtained through proper analysis. The right information can be used to make critical decisions with less hesitation. Risk can be mitigated, but unfortunately it can never be eradicated. But dealing with our concerns and understanding trends allows us to make the right move, not just any move.

The content on this blog is for informational purposes only and cannot be construed as specific legal advice or as a substitute for competent legal advice. They reflect the opinions of DCR Workforce and may not reflect the opinions of any individual attorney. Do contact an attorney for advice specific to your issue or problem.
Preeta is a writer and a mom who writes about topics that strive to connect with readers in a real way.