operational level e.g., risks of machine breakdown delaying production.

Risk Identification

In COSO, risk identification is a separate step from risk assessment, while ISO treats risk identification as part of risk assessment.

The purpose of risk identification is to find, recognize and describe risks (or opportunities) that might help or prevent an organization achieving its objectives.

In identifying risk, it is also necessary to determine the sources, causes and drivers of risks, as well as the nature and root cause of the risk. Sources of risk can include events, decisions, actions and processes, both favorable and unfavorable, as well as situations that are known to exist but where outcomes are uncertain. ISO recognizes that events and consequences can have multiple causes or causal chains, and risk can often only be controlled by modifying risk drivers.

Risk Identification Techniques

There is a variety of techniques that companies may use in identifying risks. These are also the techniques you encountered in your TQM/Project Management subject.

Workshops and interviews. Facilitator-led structured discussions to draw on the collective knowledge and experience of management, staff, and other stakeholders about events that may impact the achievement of entity or unit objectives.

Event inventories/checklists. Detailed list of potential events common to companies within a particular industry or to a particular process or activity.

Process flow analysis. Examines the combination of inputs, tasks, and responsibilities in a process; considers internal and external factors that affect inputs or activities within a process; identifies events that could impact the achievement of process objectives.

Risk Analysis (Assessing the Severity of Risk)
5/31/2020 MODULE 6. ENTERPRISE RISK MANAGEMENT 7/11

Severity means a measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.

At this stage, identified risks are translated into impacts at all levels of an organization (e.g., entity, business unit, division or other functional level) in order to determine whether the identified risks are relevant. A risk is relevant if it could impact the achievement of an entity's strategy or business objectives. Impact is the result or effect of a risk.

Qualitative Techniques

Risk analysis considers both the quantitative and qualitative impact and likelihood of a risk. Some quantitative and qualitative techniques are discussed in the succeeding paragraphs.

Qualitative techniques are often used to assess risks which do not lend themselves to quantification, when sufficient reliable data is not readily available to use a quantitative model, or when it is not cost-effective to obtain or analyze quantitative data. The most commonly used qualitative assessment techniques are interviews, cross-functional workshops, surveys, benchmarking, and event tree analysis.