Risk Assessment Techniques: A Review
 |
| Download FREE Risk Assessment Guide |
There are several techniques used by different types of businesses for risk assessment. Here we review three popular methods of assessing risk that can be applied across a wide range of business types.
Risk Assessment Matrix (RAM)
RAM is an extension of the original risk assessment process. With the use of this process, a company is able to identify its most critical resources (both in terms of processes and functions), identify the threats that can affect these critical resources, identify the causes pertaining to these threats and, eventually, tackle the threats and ensure smooth functioning of the critical resources.
For the smooth functioning of any organization, it is best to keep all critical resources independent of each other. This way, even if one of them is affected, the rest can perform in an unhindered manner. The RAM protocol is applied on the avenues from where the company gets it raw inputs, such as the suppliers, customers and the employee recruitment wing. Even the mundane necessities like electrical supply, water and sanitation, telecommunication, gas and sewage system are considered. This is done because disruption of any one of the above necessities will severely affect the normal work flow.
The whole RAM process can be summarized under the following steps:
- Identifying the various business functions and processes
- Identifying the most critical of all the resources
- Determining how much time will be spent to recover the critical resources, if they are stopped
- Identifying the threats that can cause harm to the critical resources
- Determining the vulnerability to these threats
- Planning and establishing the necessary steps to counter the threats
Risk Assessment Survey and Mapping
This risk assessment technique involves identifying, evaluating and, subsequently, ranking the various risks present in any business work cycle. Risks are an integral part of all business activities. The first part of this technique is used to survey the business processes and discover the risks that can hinder these processes. The mapping part then creates a plan, prioritizing the various risks, based on their criticality.
For the survey, the Arthur Andersen Business Risk Model is used. This model clearly describes the various risks that can affect the business. Once identified, these risks are ranked on a scale of 10, where 1 is the least risky and 10 is the riskiest factor. The important points to keep in mind are:
- Each ranking number should be used only once
- Once the ranking has been done based on significance, another ranking should be done based on likelihood of occurrence, where 1 stands for the least probability of occurrence and 5 for most probable risk
- Always make a note of risks that are left out but still have a minute chance of occurrence
The biggest advantage of this format is that the risks are handled based on their priority.
Quantitative Risk Assessment
This risk assessment technique works through the calculation of single loss expectancy (SLE) of critical assets of any organization. This SLE denotes the overall depreciation in the values of the assets in the event of a single security incident. The next step involves calculating the Annualized Rate of Occurrence (ARO) of the hazard in relation to the critical resource. The ARO is a simple estimation of the number of times a hazard can make use of the system’s vulnerability. The third parameter of this technique is Annualized Loss Expectancy (ALE). This is a measure of the overall loss expected through a single hazard in a given time frame. It is calculated by multiplying the SLE with the ARO. This technique is best suited from a financial perspective, as it can help justify the expenditures made to protect the critical resources.
This technique has been successfully automated in the form of quantitative risk assessment software. However, this method has also faced severe criticism from expert risk advisors because it does not account for risks that can be caused by unquantifiable and inaccessible information.
Alternatives to Risk Assessment: A Comparison
Since its inception, risk assessment, as a business technique, has faced very little competition. In fact Dr. Kaplan, the innovator of the Balanced Scorecard, in an interview with SearchCIO.com, said in reference to the companies that failed to utilize risk assessment, “[Risk Assessment] turned out to be an extremely important function that was not done well by many of the [financial services] companies we talked about earlier. Risk management was siloed and considered more of a compliance issue and not a strategic function. Now we see that identification, mitigation and management of risk has to be on an equal level with the strategic process.”
The only risk assessment alternative is predictive functioning. The loophole can be seen in the name itself. Predictive functioning is based on market analysis. A project or function is carried out if the market shows positive trends associated with it. On the other hand, with risk assessment, it is possible to figure out, in advance, whether investing in the new avenue is financially viable or not.
Risk Assessment: A Solution to Every Problem
Risk assessment is not just a business tool. It has been proven to be effective in health, environment, banking, software, and many more fields. Consider a situation where an insurance agent is given an application to judge whether the applicant is fit for life coverage or not. The applicant is a well built man in his mid 20s and in the prime of his life. The only problem is his fixation with high risk sports. In cases like these, the use of quantitative risk assessment software is advised. Some of its alternatives come packed with an application to actually map the risk versus the feasibility graph customized for insurance workers.
