Chapter 5: Risk identification

Risk identification techniques.

Physical inspection
Common to assess health and safety-related risks such as fire and other physical hazards.
•Conducted by qualified risk identification specialists such as a building surveyor, fire safety
professional or health and safety expert.
•supported by questionnaires or checklists and concluded with a formal inspection report with
recommendations to improve the control environment findings and reduce the probability and
impact of loss.
The disadvantages of inspections are:
An inspector can only see risk exposures visible on the day of visit.
An inspection programme can be costly -visits are needed to many different places.
Some of an organisation’s greatest types or sources of risk may be from third party
suppliers provide goods and services. –may have difficulty to obtain access or approval to
conduct detailed inspections in third party premises unless this permission is negotiated
within the original contract.
Risk management is and should remain the responsibility of every manager and employee
throughout an organisation. Regular visits by an inspector may encourage employees to
believe that they can transfer the responsibility for risk management to the inspector.

1
Expert judgement
Expert judgement relies on the skills and experiences of relevant specialists, either in
isolation or as a group.
This expertise may be contributed by a group or by an individual, including:
Other departments
For example, an IT specialist should have a good understanding of the types of IT-related
risk events an organisation may be exposed.
Equally, finance specialists should have a good understanding of any financial risks, such
as financial mis-statement.
Consultants
Most organisations will use their own internal specialists to provide expert judgement but
in some circumstances external experts, such as risk management consultants, may be used.
Professional associations
Subject matter experts
Focus groups and surveys
Focus groups may comprise a mix of specialists, such as IT, Finance and HR specialists.
•May also include functional and departmental managers, such as operations managers or
marketing managers.
•The idea is to share a range of different perspectives and experiences to achieve a consensus
view.
•This should ensure that a greater number of relevant risk events are identified.
•The cost is that focus groups take up more specialist or management time due to the greater
number of people involved.
•Risk survey -asked a series of questions and their responses are consolidated and analysed to
identify relevant risk events.
•A simple risk identification survey may ask respondents to list the risk events that they
believe could occur or may provide a checklist of potential risk events.
•Survey may ask on organisational processes and procedures that are designed and controlled
to identify the potential sources of risk events.

2
Checklists
• list of potential risk events

• used to support and complement other risk identification approaches

• ensures that particular types of risk event are not forgotten or overlook

• draw up its own checklists based on past experience of risk events or use checklists
provided by an external agency, such as risk management association, consultant, or
regulator.

• Historical information or a checklist from another project deemed useful.

• At the end of the project, the risk checklist is reviewed against the project's actual
performance in risk management. If necessary, the checklist is revised before it is
submitted as historical information.

Loss events and near misses

Loss events and near misses are learning opportunities that are recorded by an organisation.
•Whenever they occur, an organisation may decide to identify the causes of these events
using techniques such as root cause analysis.
•These investigations may help an organisation to identify new risks; they may also signify
an increase in exposure to a previously identified risk or a control weakness.

3
•It is imperative that organisations learn quickly from losses and near misses to help prevent
more serious risk events in the future.

Analytical approach 1 –What-if techniques

Series of structured ‘what-if’ and ‘how-could’ type questions to consider deviations from the
normal operation of systems and processes
•no standard approach to structured WIFT
•flexible and can be modified to suit each individual application
•expensive technique to use because of the time and people involved, but more likely to
identify all relevant risk events.
Analytical approach 2 Delphi techniques
Information-gathering tool that is used to reach a consensus of experts on a subject
•Experts on the subject participate in this technique anonymously. Anonymity is essential to
encourage each expert to be as honest and open as possible.
•A facilitator uses a questionnaire to solicit ideas about the important project points related to
the subject.
•The responses are summarized and are then recirculated to the experts for further comment.
•Consensus may be reached in a few rounds of this process.
•The Delphi technique helps reduce bias in the data and keeps any one person from having
undue influence on the outcome.
•Studies have shown that the technique can be effective at predicting risk events but it is time
consuming, especially if a consensus is hard to reach.

4
Analytical approach 3 –Root cause analysis
Root cause analysis explores what, how, and why a risk occurred or might occur
•breaks down high-level risks into more specific descriptions of the risks that cause risks.
•best conducted by a facilitator who takes a risk that a respondent has identified, interviews
further to find out if it can be broken down into more specific elements of risk.
•time consuming –rarely practical or cost effective to identify all risks but good technique in
investigating the causes of large and negative risk events that occur
•Treating the true cause rather than the symptom can save significant effort -allow
organisation to learn from these events and prevent a similar chain of causes from occurring
in future.
Analytical approach 4 –System and process mapping
Fault tree analysis (FTA) is a graphical tool to explore the causes of system level failures.
•aim is to identify key points of failure and whether these can be overcome by adapting other
process or system
•An advantage is, it can highlight connected risk events that could combine to cause much
larger risk events -visually depict the analysis
•A disadvantage is that it can take a lot of time and money to flowchart systems and
processes and then analyse them for points of failure that may cause risk events, need
experience people who understand the process mapping and logics

5
Techniques to identify emerging risks
Emerging risks are either new risks or known risks that become apparent in new or unfamiliar
conditions
•Emerging risks are characterised by high levels of uncertainty, as there is not yet much
experience gained, and may therefore be ignored or under/over-estimated.
•Techniques for identifying emerging risks can help to prevent them from being ignored or
underestimated.

PESTEL Analysis
Analyse external factors within the macro business environment that could give impact
towards their operations and reputation in the market
PESTEL analysis is usually completed by a group of participants can be focus group of
managers or senior managers from relevant functions supported by an expert facilitator. May
involve a board of directors in the case of large scale emerging risks that can have a far
reaching strategic impact.

6
SWOT Analysis
The SWOT analysis (internal-external analysis) is a strategic planning technique that
examines the project’s strengths, weaknesses, opportunities, and threats.

7
World economic forum
The annual World Economic Forum Global Risk Report is a useful source of current and
emerging risks.
•Issued each year, this report provides a strategic view of risk supplemented by in-depth
analyses of specific ‘hot topics’.

Techniques on qualitative risk assessment

Generally, risk assessment techniques:
•assess the probability and impact of a risk event to help determine the level of exposure.
•either qualitative risk assessment or quantitative risk assessment
Qualitative risk
•involves a significant degree of judgement.
•can be performed in a meeting or forum with all identified participants present or
individually
•probability scale/ rating might be: [most common are scales of three and five]
1. Very unlikely
2. Somewhat unlikely
3.50-50 possibility
4. Somewhat likely
5. Very likely
•probability scale must be assigned meaningful numerical values that indicate their relative
positions.
•Probability sometimes term as –possibility or likelihood
•In practice, avoid using 0% and 100% because they signify certainty that the risk will not or
will occur

8
•Some avoid numbers altogether and just use words to describe the level of probability and
impact.
Techniques –quantitative risk assessment
Standard of measurement to probability and impact to allow a more precise and objective
analysis of risk.
•With quantitative methods, it is possible to determine how much bigger a given probability
or impact value
With quantitative method, possible to model an infinite number of probability and impact
combinations rather than be limited to three, four, five or six values for probability and
impact.
•uses the principles of statistical analysis, precise in mathematical terms and does not rely on
subjective judgement. . It is concerned with building and analysing complex distributions for
probability and impact
quantitative risk assessment uses historical data. For example, data regarding past stock
price movements are used to assess market risks and insurance companies use claims data to
assess things like the risk of property fires or vehicle collisions.
Quantitative risk assessment can be challenging
Data is not always available, especially for very low probability risk events.
no guarantee that what happened in the past will happen in the same way in the future,
especially in complex and changing risk environments.
•effect of global warming is a good example–extreme weather events appear to be on the
increase, meaning that historical weather data is much less effective at predicting the future
Techniques –hybrid risk assessment
Combine elements of quantitative and qualitative risk assessment.
•to provide a relatively consistent and objective method for assessing risk, which does not
rely on large amounts of data.
•Hybrid approaches are used for extreme risk events, meaning those with a low probability,
but a high impact (whether positive or negative).
Risk registers
Used to store and monitor the results of risk assessment activities
Acts as a database of past, current and perceived risks, to enable learning from the past and
mitigation of the future
Often an organisation has more than one risk register, these might be held by department,
or by business function. From a director perspective it is important that there is a consistency
of approach and method, together with a transparent and thought-out route for the distillation
of risks on a number of registers to the main risk register which is used for board and
committee reporting.

9
Risk identification and selection
There are a number of key questions that an organisation needs to answer before it starts to
compile or maintain a risk register
o How to identify and compile the risks that it faces?
o How to devise appropriate metrics to decide whether or not a risk should appear on a risk
register?
o How to determine and measure likelihood and impact?
o How to set the tolerance boundaries for the different risk registers that might exits for
different areas and at different levels? EG a risk of a machine breaking down and interrupting
a day of production might be significant at the shop-floor level but might be immaterial at the
management level.
Risk register structure and presentation
The structure of a risk register itself can be determined by an organisation. There is no
right method, but there are plenty of wrong methods.
The precursor is to decide what, as an organisation, you want to be able to see
The need to set an appropriate level of granularity (this will clearly be quite low at an
individual site or section, but much higher when it reaches board level). An important aspect
of the controls is to ensure that low level, but high impact incidents manage to find their way
through a series of layers to still appear at a board level, so directors have clarity as to what is
happening.
The danger of a cumulative risk register is that it becomes quickly over-populated with
entries, there needs to be a way of segregating past, present and future – recognising that we
are always faced with immediate risk at the present moment, but for most directors, in normal
circumstances, it is the risk into the future that should maintain their focus.
Risk reporting
•Effective risk reporting exists to support decision making in an organisation.
•All decisions involve an element of risk. Decision makers need information on the nature
and extent of these risks to make the best possible choices, whether this relates to the
achievement of strategic goals
•no single best approach to the design or presentation of risk reports, nor is there an optimum
number of risks to report.
•best approach is context-specific and will depend on the nature, scale and complexity of an
organisation’s activities and risks.
•Concept may be used to help prioritise risk exposures, control weaknesses, internal audit
issues or any other aspect of an organisation’s risk management activities.

10
Key factors to consider when designing risk reports are:
Audience and its requirements

Size of report and level of detail

O More data not necessarily better in a risk report. Too much data will not be able to make
sense of it.
O Audience have to spend more time reviewing the report and less on other matters. The key
is to determine the essential pieces of data, including any narrative reporting, needed by the
report’s audience.
O Should involve consultation with the intended audience to ensure that they have the length
of report and level of detail that they need.
Degree of statistical complexity
O Risk reports can get very complex, especially when quantitative risk assessment
approaches are used.
O Not every audience for a risk report will understand statistics or need a statistically
complex report, even where data is available that can be analysed and reported using
statistical methods.
O consultation with the report’s audience should help to determine their requirements.
Reporting frequency
O The frequency of a risk report depends on the frequency with which risk exposures change.
O In volatile areas like financial markets, reporting may be daily or on a real-time basis.
O areas like cash flow/treasury management or credit risk, weekly or monthly is common.
O Monthly or quarterly is normal for other risks like health and safety.

11
Examples of risk reporting tools include:

❖ heat maps

❖ Loss event reporting and near-miss database

❖ risk, control and performance indicators

❖ risk dashboards and balanced scorecards

❖ narrative reporting.
Risk dashboards are risk reports that combine various risk and control indicators, as well as
heat maps, risk event and near miss data.
may be presented thematically to different audience. For example, the board may receive a
strategic risk dashboard. Executive leaderships may receive dashboards on key operations
and function managers may receive dashboards relating to their area of responsibility.
Balanced scorecards are used for strategic planning. May monitor achievement of its
objectives into the following balanced scorecard factors and structure its risk monitoring and
reporting around these elements:
1) Financial performance
2) Operational efficiency
3) Human resources
4) Compliance
Narrative reporting involves using words to explain how a risk exposure is changing.
common if no numerical data can be reported.
Can also be combined with numerical data to help provide context.

12
13
14
Case study

Chocs plc Background

Chocs plc (Chocs) was established in 1951 by Peter Davison. Despite the consistent success, business
growth is now slowing. The financial year-end results for 30th June 2019 reflect a turnover of
£425million (down by 7% from 2018) and a net worth of £642million (down by 5% from 2018).

A general decline in profits over the last five years has been attributed to increased competition,
rising prices of raw materials and increased labour costs worldwide.

Chocs has remained a family business in culture and ethos, and at age 99 Peter still tries to attend
the AGM each year. The CEO is now Susan Davison, Peter’s grand-daughter, she took over from her
father (Peter’s son, Ben, who remains as Chair) in 2011. Although in many ways unrecognisable from
1951, the Birmingham factory is still the head-office and is the centre of a highly modernised
production operation. An external stakeholder would consider this to be a business where all was
running well.

Chocs now has seven sites across the world employing approximately 1,800 people. They differ only
in size and capacity but all offer a generalised range of products. At the last Board meeting Susan
proposed a review of site capacity with a view to developing specialisation at certain sites, she was
concerned that the declining profitability was at least in part due to loss of focus and the risk of
Board complacency about future viability; this was not received well by Ben and further discussion
was deferred to the next meeting.

42% of Chocs shareholding remains with family and family trusts, the remaining 58% is traded
(infrequently) on the Alternative Investment Market after a successful IPO led by Ben in 2007. The
funding raised enabled expansion, modernisation and a capital return to the family shareholders.
The institutional and retail shareholders are mainly longer-term investors and have generally been
satisfied with dividend return and share price stability.

Governance

Chocs has seven directors; three months ago, you were appointed as Company Secretary reporting
to the CEO.

• two executive directors – Susan Davison (CEO) and Kenneth Dwight (CFO);

• three family NEDs – Ben Davison (Chairman) and two of his cousins (Peter Balfour and Elsie
Davison) – family NEDs are proposed and elected by a council representing family shareholders;

• two independent NEDs – Ramesh Singh (based in Mumbai) and Stefan Volski (based in
Warsaw).

The board meets eight times a year (four times in Birmingham and four times at different operating
sites of the business). An Audit Committee and a combined Remuneration and Nomination
Committee each meet three times a year, usually coinciding with a board meeting. All NEDs are the
constituent committee members, and all meetings are attended by the executive directors.

The AIM investors have been happy with this governance arrangement thus far, not least because
the financial returns have remained consistent and in line with expectations.

15
Risk and control

• The key strategic and operational decisions throughout the business seem to be made
through closed and un-minuted weekly meetings between Ben (Chairman), Susan (CEO) and
Peter Balfour (family NED).
• Papers presented to Board meetings are short, succinct headline summaries from each
operating business.
• Decisions seem to have already been made and are only brought to the Board for
ratification. You have discussed this with Kenneth who told you that this was the culture, he
was sometimes at these meetings and that he was treated as family, as his partner is a
nephew of Ben.
• As Chocs has large scale production capability, health and safety (H&S) features frequently in
operational reports, but again is only ever summarised in Board papers, usually in the form
of pie charts. Having analysed the figures further, you find that there has been an increase in
reportable Health and Safety (H&S) incidents at five out of the seven sites across the past 24
months, but this is barely mentioned in the board reports.
• Having read through the Board and Committee papers for the past three years, you find
there is very little record of how the directors view the alignment of strategy, risk and
control. Each site keeps their own version of a register of the risks pertinent to their site
(partly to keep the local H&S regulators satisfied).
• Each site has a high level of autonomy with regard to its approach to risk management.
• Monthly local reports regarding risk and any related incidents are amalgamated by a team at
the Chocs site in Ireland using a spreadsheet to provide a set of charts which appear as an
appendix to the Board papers.
• There is no minuted record of director discussion of any level of risk strategy, although you
assume this must have happened as there are oblique references to a number of accidents
across the world, and to two deaths that have occurred on Chocs sites (one in Poland earlier
in the year, and one in Brazil last year).
• Control, in so far as it exists at all, seems to be delegated to a very low level on individual
sites, and then discussed only confidentially at the weekly closed meetings. Stefan has
discussed with you his concerns regarding a lack of risk management awareness. He is also
surprised at the lack of apparent concern from the English directors; he has assumed that
they just have more experience than him of running this type of business. He is aware of his
duties under UK law and plans to raise the issue at the Board meeting, scheduled to be held
on the Choc’s site at Sao Paulo next month. He has talked to Ben about the whole H&S and
CSR approach but has been told that “CSR is just another acronym designed to take valuable
director time”.

It has also been brought to your attention in a conversation with Stefan that cocoa farmers in South
America have staged a series of protests over low wages and payments that they have been
receiving for their goods and services. Chocs has been wrongly implicated as one of the companies
who have attempted to hold down prices. This has received media attention and support groups are
threatening a media campaign to boycott Chocs‟ products.

16
Having been challenged by the CEO at the Sao Paulo Board meeting, the family and
independent non-executive directors of Chocs are concerned about current practices. Prepare
a report for the Board of Chocs assessing the benefits that could be gained from incorporating
a risk register into the company’s risk reporting framework. Your report should include the
rationale for a register, examples of how a register might be constructed, what it might
contain, and how the register could enhance the control and oversight of risk within Chocs.

17