Normally, risk assessment is not considered as a separate phase in the crisis management process, but rather as part of prevention. Nevertheless, risk assessment is important as a basis for successful crisis management, because in order to be able to defuse or even prevent a crisis, you first have to know the risks. Risk assessment also plays a decisive role in other areas of the crisis management cycle, which we have already briefly introduced in Part 2 of our blog series.
It makes as little sense to prepare indiscriminately for any risks as it does, for example, to try to set up monitoring and early warning systems for all existing risks. Even in crisis management, risk assessment not only provides information about a risk that has occurred, but also points to associated risks. These can - if not considered in the coping strategy - lead to undesirable cascading or side effects. Later in the recovery and reconstruction phase, risk assessment provides information on the proper allocation of resources. Learning after a crisis, disaster or emergency is again the element that feeds into future risk assessment. Overall, then, risk assessment is essential for understanding and dealing with crisis management.
Let’s move on to the details.
Risk Assessment
What is risk assessment? The associated vocabulary alone is extremely confusing. Whether risk assessment, risk analysis, risk evaluation or risk management, there seems to be no consensus on what exactly is meant by the terms. In fact, they are often used interchangeably with different meanings.
Despite this ambivalence, the field of risk assessment has become the subject of authorised standardisation bodies, especially ISO, in recent years. The so-called ISO 31000 family of standards is the centrepiece of this standardisation effort. An important feature of the ISO approach is that it aims to map a multidisciplinary and generic process that is not related to a specific type of organisation but can be used across domains.
According to ISO 31000, risk management is the overarching concept that refers to all coordinated activities to manage and control an organisation with regard to risks. The standard is designed to be dynamic, repetitive and responsive to change. This is achieved through ISO practice, whereby standards are always subject to periodic review after a number of years. Nevertheless, the ISO 31000 family of standards only provides a general framework for risk assessment (and risk management) and should always be tailored to the specific and diverse needs of each organisation.
Let us now turn to one of the most fundamental questions of risk management:
What are risks?
Risk is the cumulative effect of the probability of uncertain positive or negative events. What is striking about this definition is that a risk does not have to be exclusively negative. The ISO approach to risk management is consistent with this dual understanding of risk as a threat and an opportunity. Thus, risk is also considered in ISO parlance as “the effect of uncertainty on objectives”, which can be either negative, positive or both (ISO 31000:2018). The quote from American economist Paul Romer, “A crisis is a terrible thing to waste.”, fits well in this context. It can therefore make sense to also consider the potentially positive consequences when defining risks.
Mathematically, risk is expressed as a combination of probability and danger:
How are risks identified?
The assessment of risks includes the areas of risk identification, risk analysis and risk assessment. Before an organisation starts risk identification, the context or risk environment must first be defined. This is done in terms of the overall mission, values and objectives, as well as various external and internal constraints, perceptions, etc. The risk criteria should also be defined at this stage.
- Risk identification: Risk identification describes the process of finding, identifying and recording risks based on historical data. However, this is not just about collecting data, but also about combining quantitative data with qualitative data.
- Risk analysis: Risk analysis involves identifying the nature of risks in more detail and, in particular, determining the level of risk by identifying the probabilities and consequences for the identified risks.
- Risk assessment: Here the results of the risk analysis are compared with the risk criteria to determine whether the risk is acceptable or tolerable. Risks are also prioritised, taking into account organisational objectives, regulatory requirements, political, financial and other factors, in order to make a balanced decision on future actions.
Risk assessment in practice
So far we have gained a rough overview of the main elements of the risk concept and the three phases of risk assessment. But how is risk assessment carried out in practice? For this, we will take a brief look at some techniques and methods.
Quantitative techniques
One of the quantitative techniques is the so-called Bow-Tie Analysis. This combines Fault Tree Analysis and Event Tree Analysis. The former focuses on analysing the causes of a risk factor and the latter on the consequences. However, quantitative, retrospective data and formal audits are not sufficient to identify risks adequately. On the one hand, this is because expected risks can be quite different from previous hazards and must first be anticipated. On the other hand, there are also rare risks that will never occur but can be more serious. Furthermore, in addition to single risks, it is important to consider complex and multiple risks, where unrelated hazards or a cascade of crises and disasters occur simultaneously. However, complex multiple risks are difficult to estimate based on statistics and historical data, as these data do not provide much evidence that thousands of potential and unexpected coincidences and interdependencies can occur.
Qualitative techniques
To identify potentially new or complicated risks, it is important to use qualitative techniques in addition to purely quantitative methods. These include carefully structured brainstorming, conducted by a small group of key people who have the necessary knowledge and information based on the common risk assessment context. Expert interviews and self-assessment are also typical qualitative techniques, usually based on semi-structured templates. Risk questionnaires and risk surveys can be used by all types of audiences, including external and internal stakeholders. A typical SWOT analysis (Strengths, Weaknesses, Opportunities and Threats) is also a good technique to identify risks and also the positive side of risks. Another useful technique is the so-called SWIFT analysis (“Structured what-if technique”), which can be studied for example to illustrate a brainstorming approach.
Semi-quantitative techniques
In addition to quantitative and qualitative techniques, there are also so-called semi-quantitative techniques that are used to describe the relative scale of risk. For example, risk can be divided into categories such as “low”, “medium”, “high” or “very high”. The number of individual risk levels can vary from 3 to 10 or more. In a semi-quantitative approach, different scales are used to characterise the probability of adverse events and their consequences. Widely used semi-quantitative methods of risk analysis are, for example, the risk matrix, the risk graph and risk priority numbers (DIN V VDE V 0831-101:2011). Since none of the three models is able to capture all risks, it is recommended to use a good mix of the mentioned techniques.
Risk scenarios
The use of scenarios allows for a concretisation of the identified risks and can be used in all phases of risk assessment. Basically, scenarios illustrate what an identified risk might look like in reality. For example, we know the number of industrial accidents in a certain area or the bottlenecks in a company, but only more detailed scenarios make this information useful for a comprehensive risk assessment in practice. Scenario building also serves as a strategic planning method, combining known facts such as time, place or socio-economic characteristics with the most important risk factors. Criteria for scenarios can be, for example, the “best case”, the “worst case” and the “expected case” in relation to a hazard. Alternatively, one varies the conditions of a basic scenario to cover a larger number of possible developments.
Risk matrix
As defined above, risk is a combination of consequence and probability of occurrence. This function is often presented in the form of a risk matrix. The most well-known risk matrix in the field of occupational safety is the one according to Nohl. It presents the risk in tabular form by classifying individual hazards into one of three risk levels, taking into account the probability of the hazard becoming effective and the possible severity of the damage:
Critics of this risk matrix complain that the individual risks are only shown selectively, while interactions between the individual risks remain unnoticed. This is because the dangers and security risks that occur in companies are usually far more complex than can be represented in a binomial matrix. In addition, the representation implies that the primary objective is to limit the probability of occurrence of a certain loss to a tolerable minimum. In fact, however, it is about avoiding the event that causes the damage in the first place, not the damage itself. Despite the problems inherent in the risk matrix, it remains a powerful tool for visualisation or decision-making when accompanied by careful explanations of the judgements it contains.
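The following sketch is an added example, not part of the original blog series: it scores a small constructed risk register on a semi-quantitative matrix and evaluates each risk under a best, expected and worst case scenario, showing that the priority order depends on which scenario is used. The ordinal scales, the additive cell values, the level thresholds and the register entries are all assumptions made for illustration and are not the cells of the Nohl matrix.

```python
from dataclasses import dataclass

# Ordinal scales, assumed for this example (four steps each).
PROBABILITY = {"very low": 1, "low": 2, "medium": 3, "high": 4}
SEVERITY = {"minor": 1, "moderate": 2, "serious": 3, "catastrophic": 4}

def score(probability: str, severity: str) -> int:
    """Matrix cell value from 1 to 7; the additive scheme is an assumption."""
    return PROBABILITY[probability] + SEVERITY[severity] - 1

def risk_level(probability: str, severity: str) -> str:
    """Compare a cell with the (assumed) risk criteria: three risk levels."""
    s = score(probability, severity)
    return "low" if s <= 2 else "medium" if s <= 4 else "high"

@dataclass
class Risk:
    name: str
    scenarios: dict  # scenario name -> (probability, severity)

def assess(risk: Risk) -> dict:
    """Risk level of one register entry under each of its scenarios."""
    return {name: risk_level(p, s) for name, (p, s) in risk.scenarios.items()}

def prioritise(register: list, scenario: str) -> list:
    """Names of the risks, highest matrix score first, for one scenario."""
    ranked = sorted(register, key=lambda r: score(*r.scenarios[scenario]),
                    reverse=True)
    return [r.name for r in ranked]

# Constructed register; every entry is illustrative, not real data.
REGISTER = [
    Risk("Production bottleneck", {"best": ("medium", "minor"),
                                   "expected": ("high", "moderate"),
                                   "worst": ("high", "moderate")}),
    Risk("Industrial accident", {"best": ("very low", "minor"),
                                 "expected": ("low", "serious"),
                                 "worst": ("medium", "catastrophic")}),
    Risk("Site flooding", {"best": ("very low", "minor"),
                           "expected": ("very low", "moderate"),
                           "worst": ("very low", "catastrophic")}),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: {assess(risk)}")
    for scenario in ("expected", "worst"):
        print(f"priority ({scenario} case): {prioritise(REGISTER, scenario)}")
```

Each risk is still scored in isolation here, so the interactions between risks that the critics point to remain outside what the matrix can show.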
Risks identified. What now?
Let us briefly summarise what we have learned so far: Among other things, risk assessment helps to raise awareness of risks. Without adequate risk assessment, no company can manage the risks of its operational activities. Only when these are identified and quantified is it possible to make correct decisions and plan protective measures. Numerous methods and techniques facilitate the identification of risks. Once the risks have been identified and conclusions drawn, the appropriate measures for the situation at hand can be planned. You will find out what these are in the next instalment of our blog series “What is crisis management”, Part 4. Crisis prevention.