Analysing risks in your organisation
THE TAKEAWAY: A clear analysis of the likelihood and severity of each risk you have identified will help you decide on priorities for treatments.
This is the fourth step in a seven-stage process of successfully tackling risk management in your organisation (go to the Insurance and Risk Management Help Centre for information about the other steps.
Before you can do anything about the risks that face your organisation - and you should now have a long list of them - the risks must be analysed to determine their potential to cause harm.
This will give you a basis for determining which risks are the most serious, which are treatable and which can be accepted, and that will give you a good framework to assess your risk management priorities.
Setting clear priorities will allow you to tackle risk in a logical order - otherwise you might find yourselves dealing with the risk posed by a falling piece of space junk before replacing the heater that is throwing sparks into the clubhouse.
Depending on the size of your group, the job of analysing risks is probably best performed by your committee or person responsible for risk management. It may be worthwhile, however, getting the person or committee responsible to outline their reasons behind the analysis to a wider audience.
The analysis should also be open to review and the results circulated to members as part of the communication and consultation process.
Analysis can be based in two simple criteria:
- Likelihood - how likely is it the risk will occur?
- Severity (or Consequence) - How bad is it if the risk if it is realised?
How seriously you take each risk is based on a combination of these factors. For instance, an outbreak of the Ebola Virus in your organisation would be disastrous if it happened, but isn't all that likely. On the other hand, the consequences of banging your head on a low doorframe aren't so bad (well, relatively anyway) but may be much more likely to occur.
Whether the frequency and severity of potential losses is classed as high or low will depend on the size of your organisation and the activities you are involved in - a netball club with several teams might not consider a serious injury every six months frequent, but this same number would be unacceptable for a bridge club.
Estimating frequency is reasonably straightforward for risks that occur on a regular basis, but is more complicated for losses that occur rarely or may never have happened at all - yet.
But even with regular risks you should consider any changes in your organisation or the environment in which it operates that could impact on how often the risk will arise. For instance, looking at how often accidents have occurred in the past will help a four-wheel-drive group estimate how often they will happen in the future - but keep in mind the club might now have more or less members, go on more or fewer trips to more out of the way places, the roads may be in better or worse condition than before and there may be more vehicles on those roads.
Look at situations from more than one point of view - who could be affected by your activities? - and make sure you discuss, consult and check with your members throughout this process.
For less frequent risks, you may be able to draw on specialist advice from federal, state or local government agencies, insurers, a similar organisation to you or your peak body, or someone with a connection to your organisation who has expertise in a particular field, such as a firefighter or risk consultant etc. You may also want to check with your local Occupational Health and Safety authority, which may have advice.
Questions that may assist you when estimating frequency include:
- How often do people encounter the risk?
- Has it ever happened before - in your group or another one? How often?
- Has this hazard caused any near-misses?
- Is there any level of training required to perform the risky activity? If so, have people done it? How complex is the training?
Severity or Consequences
Several factors need to be taken into account when assessing the severity of a potential risk and, again, many will be specific to your organisation and the work you do.
For example, fire damage to a hall would be a bad thing for any group, but how bad it is will depend on how often you used that particular hall, whether other facilities are available to continue your activities and if you have the money (or insurance) to fix the premises.
Another factor to consider is the impact on the community of a particular risk, the effects of which could indirectly impact your organisation. For example, a flood may not directly damage your premises but if no one can get to it your activities will be severely affected.
The public relations impact of a risk should also be considered - if money is being spent irresponsibly, for example, that it is not the best advertisement for sponsorship or donations.
You should also look at the number of people likely to be affected by a risk - a large number of people getting cuts and bruises may be worse than one person breaking their arm, for example.
The worst risks are those that result in death or severe harm to individuals or threaten your group's ability to continue its mission, or - in a worst-case scenario - cause it to close down altogether.
So how do you work out the severity and likelihood of risks? There are two main methods:
- Quantitative analysis applies a numerical value to the level of risk. This method usually depends on reliable data and is best used when specific figures are available, such as accident or injury statistics. This method can be extremely accurate but is best suited to large organisations where there is enough evidence to provide useful analysis. Smaller organisations should avoid it like the plague.
- Qualitative analysis is the easiest, and most commonly used, method of analysing risks, especially for smaller organisations. It applies a descriptive word to the level of risk and is based on knowledge, experience and anecdotal evidence. This method does have limitations, including a risk of subjectivity, but is useful in indicating which risks may be disregarded, those that require further attention, and management priorities.
Analysing a lot of the risks will involve estimation - even detailed police statistics aren't really going to tell you how likely it is that your group's bus will be run off the highway during a road rage incident. But don't be afraid to guess - it's better than waiting until you know for sure because then it could be too late.
A simple method of analysis is to draw up a simple grid:
Assign each of the risks to one of the four categories - the ones that you need to give highest priority are the ones in the top right corner.
A more detailed approach can be followed by scoring or rating on a scale. An example is provided below:
A - Frequent - likely to occur frequently
B - Probable - would occur but not frequently
C - Occasional - could happen occasionally
D - Remote - rare, not likely but possible
E - Improbable - highly unlikely but still possible
A - Catastrophic - may result in death or loss of bodily functions
B - Critical - may cause severe injury, illness
C - Marginal - may cause injury or illness resulting in loss of work as an example
D - Negligible - may cause minor injury or illness
A rating table can then be developed that will assist in evaluating your risks in the next step.
Placing each risk into its category will give you a good starting point from which to approach the management of risks.
Some examples of risk analysis for the fictional junior football club, the Joeys, might include:
Remember that the frequency and severity of particular hazards will be different for different organisations.
The idea is not to detail all the potential losses that may result if a risk does occur, but simply to assign a level of estimated risk that will provide a basis for managing those risks.
The frequency and severity you assign to each risk can be entered on your risk register.
Analysing risks in your organisation is the fourth step in a seven-stage process of successfully tackling risk management in your organisation. The next stage is to evaluate your risks.