What is risk assessment?
Risk assessment represents the second step in the risk-management process. It follows the first and initial step of identifying all possible risk exposures faced by the organization. Risk assessment allows for the systematic evaluation and prioritization of risks in terms of the likelihood of occurrence and the potential consequence when and if the particular risk event occurs.
Risk assessment is a collaborative process that attempts to answer the following questions: What assets need to be protected? What are the threats and vulnerabilities? What are the implications if the assets were damaged or lost? What is the value of the assets to the company? What can be done to minimize exposure to the loss or damage?
Organizing and prioritizing risk exposures
Once the identified risk exposures are gathered, they must be organized, quantified and prioritized. Organizing risk exposures requires reviewing and categorizing them into groups with common elements. One method is to place risk exposures into classes that represent potential losses to:
- Property exposures
- Liability exposures
- Net income exposures
- Human resource exposures
This phase also includes quantifying the loss potential that may result from the identified exposures. This may be accomplished by estimating the dollar amount of future losses. One method of projecting future losses is to review past loss experience and then extrapolate past experience into the future by using statistical probability and trend analysis. Quantification also helps the risk manager prioritize handling possible loss exposures.
Qualitative analysis of risk exposures
Analysis of a risk exposure is accomplished using a systematic, qualitative method that assigns a risk score or value to the exposure. This numerical value enables the risk manager to prioritize exposures and loss events in relation to others. Once the exposures and losses are categorized and prioritized, priority attention can be given to identifying the proper risk control and risk financing techniques to avoid, eliminate, transfer or control the problem.
During this analysis, risk exposures are analyzed by combining estimates of consequences and likelihood in the context of absolute risk, disregarding any controls (inherent risk) and risk with treatment considered (residual risk).
The level of risk is determined by the relationship between the likelihood and the consequence if the risk occurs. Each risk exposure is assigned a numerical value (risk score) based on its expected frequency and severity, which in turn becomes the basis to prioritize risk and select appropriate risk treatment techniques.
Frequency/severity qualitative risk rating system
The tables above present two examples of a numerical frequency/severity rating system that is used to assign priorities to the frequency and severity of exposures and losses. The first table addresses the financial impact of a loss and defines the consequences for a consequence range. The second table addresses the expected likelihood of a loss occurring and defines the frequencies for a frequency range.
Because assessing risk is becoming a more critical measure in today’s environment, organizations will do well to implement standard processes for evaluating, classifying and prioritizing risks to better mitigate the effects on their business. Having the data to analyze business risks positions a company for success in developing the appropriate responses to potential risks and increasing overall organizational value.
Robert Higgins, CPCU, ARM, ARMP, CRM, CIC, FRM, CRIS is a vice president with Schiff, Kreidler-Shell in their risk services department and has more than 25 years experience in insurance and risk management. Reach him (513) 977-3188 or firstname.lastname@example.org.