Need to know your processes to get most important risks
Process-based Risk Assessment is one of the most widely used methods of risk identification and analysis. Know the key processes is essential: without knowing the processes your risk list will not be correct and certainly not complete. You need to know your critical processes, which the malfunctioning, blocking or even discontinuance can endanger or completely cripple your organization.
In this article, we will walk you through basic steps how to conduct an risk identification and assessment based on your processes. We have put together 5 basic steps for you, which guide you through the process of identifying, evaluating and treating risks so that you do not drown in them.
Why analyze risks based on processes?
- Processes are one of the key sources of risks
- Process-based approach allows you easily find mission and operation critical risks
- For a number of organizational risks, this approach is much better than an asset-based approach, which, on the other hand, can more easily detect technical risks
- You cannot detect and uncover potential problems and errors in processes with asset analysis. A poorly set up process or a person who does not follow work procedures cannot be detected using asset analysis
- On the other hand the Process-based risk analysis complements the asset-based approach. Each of the approaches can reveal different kind of risks
- It is advisable to start with the processes as they give you a better picture of the criticality to the running of your organization
5 basic steps of risk analysis based on processes
- If you don't have your processes mapped out, there are many ways and techniques to do it
- Your company has for sure basic processes in your policies
- You can also start from some process-map templates or reference process model for your industry
Step 1: Create an overview of all processes in your organization
As a starting point, you need to have an overview of your processes, from which all further steps will be based. You need to know your processes well in order to target your efforts well on the biggest potential problems and risks that must come from your most important processes.
- Create an overview of your processes
- In the overview, select the processes that are critical to your organization
Basic principles for creating a list of critical processes for running your organization:
- Not all processes are equally important
- There are always processes and activities that are essential to the running of your organization, focus on those
- Start with your core processes that create value for your customers
- You select the processes whose discontinuance, stoppage or malfunction will cripple the running of your organization
- You certainly won't make a mistake if you start from the core processes that feed your business and creates your value - that is the sales, billing, the production or providing services to your customers. This will give you a clear idea of priorities and focus on the essential risks that can threaten the day-to-day functioning of your business.
Step 2: Find and name the risks that threaten your processes
Process and organizational risks are typically problems arising from poor or non-observed work procedures, processes and activities
- Basically any process may harbor some risk due to human error, bad intent, technical failure, or any number of other causes.
- Examples of typical process risks are an incorrectly posted invoice or a worker's wrong procedure when starting the machine
- Each process can also succumb to some threats and has its own vulnerabilities, write them down
- Carefully analyze each process and identify and assign potential risks to it
- At the end of this step, you will get a list of all the possible risks that you have found through the process analysis
Step 3: Conduct a risk assessment and prioritization
You need to prioritize your list of risks. You can't solve everything at once. For each risk, evaluate its impact and probability.
- You must prioritize the risks that can endanger you the most, and focus on these
- You determine this by estimating or calculating the impact and probability of each individual risk
- Of course, risks with a high degree of impact and probability have the highest priority
- The risk matrix will help you clearly display priority and less important risks.
- Use the risk register to describe individual risks.
Step 4: Decide how you will treat and manage the risks
Based on the priorities, you move on to the last step, which is to create a set of measures that will treat the risks. Select the most critical risks from the previous step and decide how you will deal with them, how you will treat individual risks. Focus on the 10 most critical risks. Keep in mind that most risks can never be completely eliminated, only reduced likelihood or impact on your processes
- Focus on priority risks
- Decide which way you will choose for each risk
- Create measures and preventive actions for selected risks
Step 5: Reevaluate and reasses processes and risks after some time
The situation is changing and you have to react to the changes. Some risks disappear, their probability changes and some new risks arise. In this sense, it is also necessary to keep your activities up-to-date, so that you do not solve measures for risks that have already disappeared and, on the contrary, you do not miss newly created risks.
- New risks appear and old ones may disappear or decrease in importance
- It is important to reassess regularly
- An annual cycle is the most suitable