Transparent risk identification – the four step process

The risk identification process
The four steps to risk identification

The risk identification process should involve your entire organisation, hence the phrase “everyone is a risk manager”. This means conducting surveys and interviews, analysing the responses and drafting a risk register based on those results. This is known as the transparent risk identification process because it requires everyone in the organisation to be transparent, includes the whole organisation and the results can be shared throughout the company. Here are the four steps to transparent risk identification that we recommend.

1. Collect responses and perspectives

Getting buy-in for risk management initiatives from the leadership and getting time with key stakeholders is a huge challenge faced by risk managers. The best way to do this is to start with a survey. This keeps the process brief and concise; it can cut right across the organisation and capture answers from a broad range of staff. With the appropriate tools, this is a quick and easy process, and because it is fully inclusive it encourages engagement. A survey can be made available to everyone but be mandatory for those who will be getting a follow-up interview. Sending a survey to everyone promotes the risk management initiative at the organisation and reinforces the idea that everyone is a risk manager and that risk management involves the entire organisation.

2. Analyse and prepare responses for interviews

The next step in the process is to analyse the statements in the responses and classify them in terms of causes, risks and consequences. It also helps to classify respondents in terms of roles across the organisation. At this stage, you’ll be able to spot trends, patterns and outliers in terms of the responses. You can then start to create a draft top-level risk register. While this part of the transparent risk identification process may take some time, this is where you start to add real value to the process. At this stage risk managers start to prepare for interviews and populate their interview templates.

3. Interview and elaborate to understand the risks

At step three, you should book and conduct the interviews. At this stage, you should start to see buy-in to the process. Again, this may seem challenging, particularly when it comes to finding a time for each staff member to meet for an interview. In our experience, to get buy-in, risk managers should present the draft risks to the leadership and promote the importance of getting more information. This gives them a taste of what’s to come and often the CEO puts down a three-line whip and even sends the email to the key players, so that getting time in diaries becomes more of a mandate. When planning your interviews, we recommend starting with the least senior employees first in order to remove biases and have a better picture of the risks by the time you’re speaking to the most senior people or the CEO. This stage of the process gives survey respondents the chance to elaborate on their answers. The output from step 3 is a comprehensive list of risks, causes and consequences.

4. Aggregate and draft a single coherent risk register

The final step involves deduplicating and aggregating the responses. At this stage, you might also start weighting the responses. For example, if you have a lot of responses on a particular risk, that might indicate you need to place this issue higher in the draft register you create. You might also want to compare and contrast the latest round of responses with previous registers, as you may find you have a completely new set of risks to consider. At this point, you will also start drafting the risks, beginning the process of risk mitigation.

Risk identification with VinciWorks

VinciWorks can deliver a risk identification masterclass to the risk managers in your organisation and provide them with the tools and templates to deliver this themselves. Alternatively, VinciWorks can facilitate the risk identification process at your organisation and deliver a 360° view of the principal risks that your organisation faces, including comparing and contrasting against industry trends.

Free Enterprise Risk Management health check

Risk identification is one of the critical steps of the 10 Steps of ERM. VinciWorks offers a free ERM health check to help organisations understand their risk maturity, highlight gaps in their ERM framework and put together a roadmap to meet their risk objectives. This includes:

  • One hour consultation with a Risk Management Professional
  • Risk maturity questionnaire
  • Gap analysis against the 10 steps of ERM
  • Bespoke roadmap for improving ERM at the organisation

To request a call with one of our experts, or to schedule your free health check, simply complete the form below.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
