Risk Management Blog | Pirani

Know 8 processes to identify risks

Written by Maria Camila Arévalo | September 16, 2024

No company, regardless of its size, is exempt from internal and external risks, which can directly affect the company's operations, destabilizing processes, infrastructure, development and day-to-day operations.

It is important to understand that risks will always be present and that is why it is key to identify them and have a prevention plan for each one of them in order to prevent them from materializing, and in case they do happen, to be able to act in an agile and effective way to prevent them from affecting the objectives set in your organization.

With Pirani Risk software you will be able to register your company's risks, as well as associate them to processes, controls, events, and action plans, in order to identify, measure, control, and monitor these risks to prevent their materialization or mitigate their impact.

The following analysis and evaluation are aimed at any type of system, whether operational, money laundering, terrorist financing, or technological, among others.  

In this eBook you will find techniques and tools that will allow you to get ahead of the facts and discover the risks to which your organization may be exposed, as well as keys to manage them and some tips to mitigate them, taking as a reference the ISO 31000 standard and annex 31010.

What is a risk?

It is the possibility of incurring losses either due to causes or failures in resources: human, processes, technological, or due to the occurrence of an external event. 

According to the Basel Committee on Banking Supervision, a risk is any possibility of occurrence of a situation that may hinder the normal development of the entity's functions and prevent it from achieving its objectives.  

What is a method of analysis?

It is a technique used to evaluate risks, whether of a process or a project. This methodology allows us to make decisions that help us to be one step ahead and to take preventive actions to avoid potential hazards or reduce their impact. 

It is important to keep in mind that there is no single way to do it, even though ISO 31000 offers certain parameters for this. What each organization should do is review each of the techniques and understand which one best fits the internal needs depending on the scheme that is proposed, what are the possible risks that may occur, and the organization chart that is established.

All these methods are adjustable and parameterizable, at the same time different techniques can be used for risk identification.  The ideal way to manage risks is to select and combine the best ones, depending on the type of business or project. Therefore, when making a choice, it should be borne in mind that some of these tools are more suitable for assessing the causes of a problem, while others are more suitable for assessing the consequences.

In the following, we will present tools with a preventive approach that will help you during the process of recognizing risks within the organization to implement the corresponding actions to avoid their occurrence.

1. Brainstorming

It is a process that is carried out as a group to generate innovative ideas in a non-traditional environment, it is interactive and unstructured. 

The goal is to generate best practices so that the members of each organization can complement each other, have a panoramic view of what is happening, and create new things that will bring benefits to each of the members through the stimulation of fluid conversation to identify potential failure modes and associated risks, decision criteria and how they will be mitigated. 

The key is to arrive at structured opinions at the time of the meeting to avoid wasting time.

The rules you must follow in this methodology are:

Suspending the trial 

If you are only going to limit yourself to judging and complaining, it will be very difficult to reach agreements that will bring benefits to the organization. You have to do it in an objective way. 

Thinking freely

Do not limit yourself when transmitting an idea, fear must be put aside, no matter how crazy it is, “it is easier to perfect an idea than to issue a new one”, Alex F. Osborn, Brainstorming.

Quantity is important

The greater the number of ideas you have, the easier it will be to choose among them, because sometimes they can complement each other and obtain a winning result. 

Multiplier effect

This allows for positive feedback, i.e., from everything that has been presented during the meeting, improvements can be made to the ideas so that they meet all the expectations of the members. 

2. What if...?

This technique is very commonly used for the identification of consequences, since for its implementation it is important that you ask yourself a series of questions that must be answered and that will help you understand what is the best plan of action to implement in an individual risk, in addition, it allows you to anticipate the facts and understand what would happen if any of these events were to occur.

This method is quite creative and inductive, it is easy and simple to understand for any manager who puts it into practice, it is normally used in the first phase of management when you are just in the process of identification. 

It can also be complemented through in-depth analysis and other methods such as brainstorming.

To carry it out, you can schedule meetings between employees or workers who have full knowledge of the process to be analyzed.

3. The five whys or fishbone

It is a model that seeks to get to the root cause of the risk or situation being analyzed, it will help you identify where the problem is originating.

It is used to structure group discussions on the possible causes raised and its main objective is to get to the bottom of the specific risk, discarding the most immediate and superficial answers.

The process you should put into practice is as follows:

  1. Ask yourself what the problem is.
  2. Ask yourself questions such as: Why is this happening, what caused this to happen, and what is the root cause of the risk, among others?
  3. Once you answer the above questions, you can begin to identify the root cause of what happened.

    Contrary to what the name of the technique indicates, it is not necessary to restrict the analysis to only five questions.

Example:

  • Problem: Customers are complaining about why deliveries are not being made on time.
  • Why are deliveries not being made on time? Because the goods are being held in the warehouse.
  • Why are the goods being held in the warehouse? Because the trucks are taking too long to leave.
  • Why are they taking so long to leave? Because the worker is late.
  • Why is the worker taking so long? Because one person has to load many trucks at the same time.
  • Why does one worker have to load all the trucks? Because there are not enough helpers in the warehouse.

    Doing this exercise will allow you to know what the root of the problem is and what is causing destabilization within the process, in addition, it opens the door for you to create a manual or action plan to mitigate or directly attack the risk.

4. Scenario analysis

Once the problem has been identified, different scenarios and points of view can be considered to anticipate situations that may arise in the future, considering the possibility and probability of their occurrence to find a solution and plan the strategy. 

In this technique, a set of future circumstances is analyzed, either by experience, assumption, or trend, and descriptive models of how the future could be presented are developed. 

The steps you should consider are:

  1. Define the problem: decide what is to be achieved and set the time horizon.
  2. Collect data: identify the main factors, trends, and uncertainties that may affect the plan.
  3. Separate certainties from uncertainties: adopt the best supported and contrasted trends as “certainties”, separating them from “uncertainties” and execute a prioritized list of these. 
  4. Develop scenarios: from a high uncertainty two outcomes will be created: one moderately good and one moderately bad, based on this an environment will be developed for each that merges its certainties with the chosen outcome.
  5. Include the scenarios: This should be included in the analysis and strategy.
  6. Involve the leaders: those responsible for making the analysis, even people who carry out the operationalization can be taken into account. 

5. Preliminary Risk Analysis (PRA)

It is recognized by its acronym PHA (Preliminary Hazard Analysis) and was first implemented by the U.S. Armed Forces to define strategies, losses, and risks, and over time it began to be implemented in companies.

What is done first is a qualitative analysis, since at the beginning it is very complicated to have a mature system, and quantifying it would be almost null. 

The main feature is that it is a tool to help reveal those aspects that sometimes go unnoticed in existing systems and is widely used in occupational health and safety management.

The first step in the preliminary risk analysis is to identify all the activities that are part of a project or a process, trying to recognize the possible problems that may be faced in each phase.

A log table is filled in with this data: one column describes the risks that were identified, another lists the possible causes, the third column lists the consequences and the last column lists the risk categories, combining the frequency and severity of the risk to create a priority ranking.

The more likely a risk is and the more serious its consequences, the more attention you should give it. Using these criteria, risks are classified as minor, moderate, serious, or catastrophic.

To carry out this risk prioritization, it is advisable to use a risk matrix.

 

6. Decision tree

It is a map of possible outcomes of a series of related decisions. What it means is that you must start from a situation that could occur or is occurring and from there begin to review the possible consequences that may arise.

This map gives the possibility for the manager or the people involved to compare possible actions with each other, according to their costs, probabilities, and benefits.

It usually starts with a single node and then branches out into possible outcomes. Each of these creates other nodes and thereby generates other possibilities.

To begin the structure of the decision tree it is important to know that it has a symbology, in the following table we explain what it is:

Carrying out this technique provides benefits such as: being useful with or without hard data, allowing new options to be added to existing trees, value in selecting the best of numerous options, and can be seamlessly combined with other decision-making tools.

Keep in mind that condensing all the information can cause them to become somewhat complex to understand, so it is recommended to use influence diagrams to classify the information.

 

7. Checklist or verification

It is used to confirm that the preventive measures of the analysis and risk processes are being adopted. This technique consists of making a list of all the risks that have been identified and their corresponding prevention recommendations, and in turn, adding an item that allows information to be added on the tasks that have already been done and those that have not. 

This method is commonly used because it is easy to perform, it is aimed at any activity or process, it helps to make decisions, to analyze the location of defects, and to verify the causes of possible problems.

 

8. Structured and semi-structured interviews 

Structured or prepared: individual interviewees are asked a series of prepared questions taken from a guide sheet that encourages them to view a situation from a different perspective and identify risks. They are generally used when the system is already implemented or at a stage of maturity. 

Semi-structured or free-form:
this works with open-ended questions, without a pre-established order, acquiring the characteristics of a conversation. During this exercise, it is very likely that new ideas or aspects that were not taken into account will emerge. This type of interview is most often used at the beginning of management. 

They are useful when it is difficult to get people together in a brainstorming session or when the free flow of a group discussion is not appropriate for the situation or the people involved.
   

Advantages of risk identification 

  • Increases the probability of achieving objectives.
  • Enhances proactive management.
  • Is aware of the need to identify and address risks.
  • Supports compliance with legal and regulatory requirements.
  • Minimizes losses.
  • Helps with decision making.
  • Improves controls.
  • Establishes the data base.
  • Improves reporting, corporate governance, resource allocation, efficiency and effectiveness,
    loss prevention and incident management, organizational learning, and flexibility.
  • Increases health and safety performance and animal welfare.
  • Performs a comprehensive review of a broad category of risks. 

    All these processes to identify risks, you can have them in a single software with Pirani Risk, with our modules you can register the risks of your company, as well as associate them to processes, controls, events and action plans, and you can test it.Aumenta la probabilidad de alcanzar los objetivos.

Did you find this content useful to learn how to identify risks in an organization? Leave us your comments.