Table of Contents
Introduction 3
Organization Background 4
List of Risks 5
Likelihood and Impact 5
Conclusion 7
Recommendations 8
Executive Summary 9
References 10
Appendix
Introduction
In our daily routine activities, we often come across a term named “Risk”. Also, we perceive this word in a negative way which is known as downside risk (Threats). Not many are aware of the fact that Risks are also an upside (opportunities) ones.
A combination of a probability that some particular event will happen and its consequences (positive, negative) is defined as a Risk.
To ensure that organizations achieve their intended objectives, Risk Management is a process of managing those risks (upside, downside). Risk assessment is an overall process of identification, analysis, and evaluation of risks (Iso.org, 2017).
Identification /Description Finding and describing Risks
Analysis / Estimation Analyze the level of Risk (Likelihood * Impact)
Evaluation Compare the estimated Risk vs. given Risk criteria
Note: Specific response to each risk can be decided after the Risk evaluation process.
Method of Risk Assessment
Quantitative: Numeric estimations based (Objective probabilities distribution to model)
Qualitative: Descriptive scales based (subjective probabilities)
Figure 1: Risk Management phases
Source: (Gajewska and Ropel, 2011)
Organization background
WHO (World Health Organization) is working with the governments and partners of more than 150 countries through their offices to ensure the highest possible health level for all people. They strive to combat both infectious and non-communicable diseases (World Health Organization, 2017).
Drive for Risk Assessment
Since WHO realize the importance of risks in both, downside and upside context so, at individual units and offices level, development of risk management framework has been started in 2009. The need for an organization-wide common framework became more acute when some unexpected events started happening which affected the WHO reputation and also, they had to face financial impacts of those events.
· Short crisis during 59th World health assembly due to the sudden death of Director-General
· Reputational damage by not reacting quickly to the allegations of collusion with industry
· The financial crisis (2011) due to sudden changes in the exchange rate
An organization-wide (top-level priority) strategic risk assessment has been done to enable WHO to be prepared for the management of those risks by analyzing the probability and impact of them. So in this case a detailed report including corporate risk register has been submitted by Secretariat to the Executive board in 2013.
Escalation process
Organizations at each level would report the major risks (complemented with the major risks of their lower level) to their above level after the assessment of all their identified risks.
Figure 2: Escalation process
Source: (www.who.int)
List of Risks
Since we haven’t undertaken any project so the other group members used the generalized approach of using categories in the risk identification process. Not everyone in their group was familiar with the objectives of our opted organization so one of our members elucidated about the primary role of WHO and briefed them about working.
Table 1: Group identified Risks
Source: Author’s designed
One of our group members asked other group members to individually identify risks as in this way we would be able to get a more unbiased list of risks. Furthermore, they also mentioned their risk personalities. Two members claimed to be risk-averse and one as risk-neutral. Even though other group members knew the fact that there are two risk types, they all identified downside risks altogether. Our group members realized that even though there risk personalities were different; they all came to the same point after a lot of discussions with each other. It indicates that group discussion played a vital role in the risk identification process. None of the other members were related to any kind of health industry so they didn’t have any technical or subject matter knowledge. This is the reason they came up with some general risks. Some risks seem to be obvious and we were expecting them to mention them includes failed to overcome the spread, not delivering intended results, and not analyzing data correctly. If we look at the original register, we would come to know that most of the risks have also been identified already. Because it was the preliminary register which includes top-level risks, there were some similarities observed between original assessment and group identification. The original Corporate risk register is attached as an Appendix at the end of this report.
Likelihood and Impacts
We could have used the Delphi method for this particular exercise but we did not because here every one is an independent observer and no such thing like peer pressure could have originated. Initially, we asked every member of the other group to individually rate risk in terms of a probability and impact out of 5 (1 = negligible/low goes to 5 = critical/high ). We did this exercise to remove any concern of biased behavior and to have a reliable score at the end. We wanted them all to think independently. After we collected scores from every member, we asked them to collectively think as a group and mention scores from the overall group’s perspective. Everyone discussed their scores in a group and after some discussions; they somehow managed to reach on a consensus. All of the four members claimed to be a Risk-averse. We have highlighted (Green) similar scores in a table to have a better understanding while doing analysis. Risk 1 has got the same weightage in both probability and impact in comparison to the original register. If we critically analyze the results, we would come to know that not a single risk has been assigned a probability of more than 3 by other members. According to them, risk1, 4, and 5 can leave a bigger impact if they happen. Even then the original risk register is a general corporate one and most of the risks are generalized which can affect many organizations on a corporate level e.g. hacking of data, financial crisis and defaulting of major donors, we can see that there is a difference in overall rating (P*I) except risk 1.
Table 2: Original vs. Group scores
Source: Author’s designed
Table 3: Risk rating comparison
Source: Author’s design
Arguments have been presented in a book named how to measure anything that how individuals can make better qualitative judgments (Hubbard and Drummond, 2011). For our particular case, one must have a good sense of how generally an organization works and what common risks they share. They are more like generic ones. Much evidence has been presented that most of us (Subject matters included) have got poor-risk intelligence but there are some ways like calibration technique with which we can improve our risk intelligence if we are making subjective forecasts.
Conclusions
Whether we plan a recreational trip or perform routine tasks, the risk is inherent in all our workplaces and our daily life activities. No matter how much someone is experienced enough to perform some particular task, they are always exposed to risk. The risk assessment aims to identify all possible inherent risks, their probabilities of happening, and the impact they leave if they happen. The expected benefit of risk assessment is that it allows concerned individuals to have a new appreciation of the risk assessment as it highlights those risks which team members otherwise would have overlooked. It creates awareness among the group members that how a lack of risk assessment can potentially put the organization in an undesirable situation. As we have seen that in our particular case, the group identified those risks where are somehow identical to the risks in the original risk register. Reason being that the original risk register comprises corporate risks that are most common to every organization. But yes, there are some variations in the perception of those risks. In the case with the exercise of finding probabilities and impacts, all individuals come up with different scores but in a group, they reached consensus after detailed discussion. I reiterate that the reason for not having many dissimilarities between original and group identified risks could be the selection of corporate risk register of WHO in which most of the risks seem to be common ones. WHO was caught on the back foot by Ebola in West Africa which brought several countries to a standstill. The impact of this epidemic was high due to the WHO’s unpreparedness. It is very much critical to identify every aspect of risk at the corporate level of WHO. Since they are operating in more than 150 countries, so the impact of not identifying and managing all potential risks would be massive which can affect WHO financially and otherwise. Only then we can prioritize the risk treatment and contingencies plan when we will be having some scores related to every identified risk. It’s important to use techniques like brainstorming and the Delphi method to assign probability and impact score to every risk so that the WHO can prepare themselves before any unusual event happens.
We experienced that compiling a risk register is dependent upon how complex the situation is. If let’s say we would have opted for any complex project of WHO which is going on in some desert area or no go zone, identified risks would have been much different as it requires a much deeper knowledge of that particular area and also about that project. For that purpose, subject matter knowledge would have been required. A general risk assessment can be carried out with some members who are not that much experienced but they have a sense of risk assessment but in many complex scenarios, they would not be able to do that. In our case, the group took two hours to complete this risk identification process and one hour to come up with the probability and impact rating. We believe that it also depends upon the team members and their subject matter knowledge who are doing it and also on the scenario difficulty level. Not every risk got identified as WHO also mentioned that it was a preliminary risk register and more detailed risk analysis will be done. We believe from the exercise that both risk seekers and risk-averse people are capable enough to identify risks on an almost equal basis but the idea behind the risk identification is different. For example, risk-averse people would identify downside risks to make a contingency plan and to be prepared for the worst-case scenarios. Risk seekers identify both risks (upside, downside) as an opportunity to make the best use of it. Either they would get benefit from it or else they would enjoy it with some important lessons learned for the future. Group members presented their individual’s scores (Probability, impact) against each risk and then while discussing overall aggregate, they took an average and presented the closest possible number with consensus.
Recommendations
Risk assessment allows an organization to have a holistic view of all the potential threats and opportunities related to them. Risk assessment should follow the below sequence. We believe that it’s very important to have a diversified team and especially concerned team members from a particular area should be involved as they know the processes best among many. In this way, a more detailed risk assessment can be done. Risk owners should be identified so that the mitigation strategies can be made and implemented clearly. It’s always good to have risk categories defined before proceeding with the risk identification process as it would help in covering every aspect of potential risk. There are some disadvantages in that as it narrows down the thinking ability of group members to those pre-defined categories and there are chances that members would not be able to think out of the box. It is very important to categorize them in a detailed manner so that every potential risk can be addressed. Not every risk assessment is the same as we have defined earlier. The process approach is the same but the detailed analysis can be very different. As in health and safety, risks are more on downside ones and in financial terms, it is more about opportunities to avail. To address any effects of having different risk personalities, it is advisable to use the Delphi method as it reduces the effects of peer pressure, and also one might be able to get much time to critically evaluate their responses in the light of others.
Figure 3: Risk assessment and risk treatment
Source: Broadleaf.com
Executive Summary
Risk assessment is a thought-provoking process that requires brainstorming and a great deal of time and effort. It is better to use PESTLE so that risks can be identified in a better way. Any professional irrespective of its field should be able to identify the general risks of any organization but it needs subject matter knowledge to identify risks of some particular technical field. People are more inclined towards the identification of downside risks. Our case of WHO is more inclined towards general risks which triggered other group members instantly. We have seen that up to much extent group identified some risks which are originally present in the risk register but likelihood and impact were not that same. Subjective analysis can lead to a difference of opinions. Risk personalities do play an important role in the risk assessment process but it doesn’t mean that risk-averse people always identify more risk as compared to risk seeker. Risk behavior gets shaped by the prevailing culture. It’s good to use the Delphi method so that unbiased results can be achieved. We cannot remove risks totally but yes measures can be taken to address them in the time of need.
References
· Iso.org. (2017). Risk management — Vocabulary. [online] Available at: https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en [Accessed 17 Oct. 2017].
· World Health Organization. (2017). who we are, what we do. [online] Available at: http://www.who.int/about/en/ [Accessed 18 Oct. 2017].
· Hubbard, D., and Drummond, D. (2011). How to measure anything. [Old Saybrook, Ct.]: Tantor Media, Inc.
