Risk Assessments in Kent & London
The ISO standards ask a business to think about its context, its internal and external environment, and the interested parties who may affect, or be affected by, business decisions. Naturally, some of the major risks facing your business will come to you as second nature; this systematic approach helps find the other risks that are not so immediately apparent.
Some of the most constructive risk assessments 2SB are involved with are with businesses that have a very good understanding of their position in their market. Understanding their competitors and how the wider contextual influences can affect their business allows a more complete range of risks to be identified.
2SB are experienced in helping companies understand their risks, contact us if you would like to know more.
Once you have defined your risks, we consider what controls are already in place to mitigate them. It is likely that if something is high risk you will already be making efforts to reduce the chances of it being realised. By considering the likelihood of the risk occurring and the severity of its impact if it does, we arrive at a risk rating.
To achieve this we can use:
- a qualitative approach, which analyses information that can’t be easily reduced to numbers
- a quantitative approach, which uses numerical methods to develop a probabilistic analysis of a risk
- a semi-quantitative approach, which is a combination of the two
Generally, businesses will adopt either a qualitative approach, which allows for a more rapid evaluation of risk, or a semi-quantitative approach, which can take longer but includes elements of numerical reasoning. Either approach is suitable and they can also be combined. What matters is that every time you review the risk assessment you apply the same scale for how likely and how severe you consider each level of risk to be; if the scale drifts between reviews, ratings from different years cannot be compared and trends are lost.
Types of risk
Although the range of risks a business can face is wide, some common examples are:
Strategic risk – Is our business plan right? Have we read the market right? Is this major business change the correct move?
Financial risk – Are we over reliant on one customer/client? Is our current profit margin on this product sustainable? How will inflation or currency change affect us?
Operational risk – Is our current infrastructure sufficient for the business? Is our power source safe? Is our procurement safe, are we over reliant on one supplier? What happens if a product fails?
Information security risk – How robust are our IT systems? How secure are our procedures? Could a human error cause a breach of confidential information?
HR risks – What condition is the labour market in? Do we have a high turnover of staff? Will Brexit affect the staff we have?
Catastrophic risk – Are we prone to flooding or fire? Are there any unforeseeable risks and how are we covered?
For advice on risk assessments, or to arrange one for your organisation, call 2SB on 01622 721684 or contact us by email.
What do we do with the risk assessment?
At this stage we can take one of five courses of action:
• accept the risk (the outcome is worth the risk)
• find ways to reduce the risk
• find ways to insure yourself against the risk
• transfer the risk (can the risk be given to a sub-contractor or specialist who is better positioned to deal with it?)
• avoid it completely if the risk is too high
Whether a business decides to accept a risk as it is, or to take action, will depend on the impact the risk could have and on its risk appetite. In certain situations it is reasonable to accept a risk as it is, especially a business risk; however, this should be approved by the leadership of the business and recorded. You should never accept a risk that contravenes a legal requirement! (We can help you understand your legal requirements for H&S and environmental practices.)
For those risks that need to be controlled, first it is important to understand that it isn’t possible to control every risk (at least immediately) so we need to focus our resources on the biggest risks first. As your management system matures, you will be able to address and control increasing numbers of risks.
Now that we have our risks for treatment, we must decide what controls need to be put in place. Do we need to change a process, train staff, introduce a safe system of work, or employ new technology? Whatever needs to be done, the option should be well thought through, and where needed the people affected should be consulted to gain their input.
To give the treatment the best possible chance of being implemented, we need a time frame in which it should be completed and a person assigned responsibility for it. The person given responsibility should be the most suitable person to implement the control; it does not have to be the most senior person or the management representative for the management system.
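The steps above (a fixed likelihood and severity scale, a rating, prioritisation of the biggest risks, a treatment decision with an owner and a completion date, and the rule that a risk contravening a legal requirement can never simply be accepted) can be captured in a small risk register. The following is an added example written for this page, not 2SB's own tool or template: the 1-5 scale labels, the low/medium/high thresholds and the sample risks are all assumptions chosen for illustration.

```python
"""Semi-quantitative risk register: fixed scales, rating, prioritisation, treatment.

Added example for this page; the scales, thresholds and sample risks are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Agreed scales. The same scale must be used at every review so that ratings
# from different reviews remain comparable (labels are an assumption).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# The five courses of action described on the page.
TREATMENTS = {"accept", "reduce", "insure", "transfer", "avoid"}


def rating(likelihood: int, severity: int) -> int:
    """Likelihood x severity on the fixed 1-5 scales (range 1-25).

    Scores off the agreed scale are rejected rather than silently clamped,
    which is how scale drift between reviews is prevented.
    """
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"scores must be on the agreed 1-5 scale, got {likelihood}, {severity}")
    return likelihood * severity


def band(score: int) -> str:
    """Map a 1-25 score to a band; the thresholds here are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    ref: str
    category: str
    description: str
    likelihood: int
    severity: int
    legal_requirement: bool = False  # realising this risk would breach a legal duty
    treatment: Optional[str] = None
    owner: Optional[str] = None
    due: Optional[date] = None

    @property
    def score(self) -> int:
        return rating(self.likelihood, self.severity)


def treat(risk: Risk, treatment: str, owner: Optional[str] = None,
          due: Optional[str] = None, approved_by_leadership: bool = False) -> Risk:
    """Record a treatment decision, enforcing the page's rules.

    - acceptance needs leadership approval and is never allowed for a legal requirement;
    - any other treatment needs a named owner and a completion date (ISO format).
    """
    if treatment not in TREATMENTS:
        raise ValueError(f"{risk.ref}: unknown treatment {treatment!r}")
    if treatment == "accept":
        if risk.legal_requirement:
            raise ValueError(f"{risk.ref}: cannot accept a risk that contravenes a legal requirement")
        if not approved_by_leadership:
            raise ValueError(f"{risk.ref}: acceptance must be approved by leadership")
        risk.treatment, risk.owner, risk.due = treatment, None, None
        return risk
    if owner is None or due is None:
        raise ValueError(f"{risk.ref}: a treatment needs an owner and a completion date")
    risk.treatment, risk.owner, risk.due = treatment, owner, date.fromisoformat(due)
    return risk


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest-rated first (ties broken by severity), so limited resources go to the biggest risks."""
    return sorted(register, key=lambda r: (r.score, r.severity), reverse=True)


def untreated(register: List[Risk]) -> List[Risk]:
    """Risks still awaiting a treatment decision, in priority order."""
    return [r for r in prioritise(register) if r.treatment is None]


# Constructed sample register (not real client data).
REGISTER = [
    Risk("R1", "information security", "Confidential data emailed to the wrong recipient", 4, 4),
    Risk("R2", "operational", "Single supplier for a key component", 3, 4),
    Risk("R3", "catastrophic", "Site flooding from a nearby river", 2, 5),
    Risk("R4", "H&S", "Unguarded machinery on the shop floor", 2, 5, legal_requirement=True),
    Risk("R5", "financial", "Exchange-rate movement on imported stock", 3, 2),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ref} {r.category:<22} L={r.likelihood} S={r.severity} score={r.score:>2} {band(r.score)}")
```

Run as a script, it lists the register in treatment order. The `treat` function is where the page's governance rules live: R4 above cannot be accepted however low its score, and a "reduce" with no owner or date is rejected because, as the page notes, an unassigned control rarely gets implemented.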
Reviewing and improving our controls
These final steps go beyond the initial risk assessment and risk treatment, but they are important if any control put in place is to succeed. Internal audits are the ISO standards' primary method of checking that what we say we are doing is actually being done. It takes discipline and resources to carry out effective internal audits; 2SB are able to support you in this vital step, so contact us for a quote.
Based on the outcome of our reviews, any changes that need to be made to the management system should be made. Improvement is one of the seven quality management principles, and it is so highly valued because it moves the business forward. The statement itself is obvious; the challenge lies in making the time to carry out effective reviews and considered improvements. This completes the Plan-Do-Check-Act loop, and any improvements feed back into the planning stage.
Reviewing the risk assessment
No business environment stands still, particularly as we face major political changes and economic uncertainty. In information security, the threat environment a business must protect itself against moves faster still. Every business should review its risk assessments regularly (at the very least annually), and more often if the external or internal environment changes significantly or a major business change is about to occur.
Instead of waiting for something bad (or good!) to happen before we make a business decision, ISO helps a business proactively think about what it needs to do to control or avoid negative risks and make the most of opportunities. By conducting a thorough risk assessment and reviewing it as the environment and the business changes, you should be able to more effectively and thoroughly identify and control the risks that affect your work.