This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.
(In this contribution I write my own opinion, not that of any organization.)
The structure is a matrix
The structure is a matrix. On the one hand it lists the objectives (strategic and operational objectives); on the other hand it lists the possible internal and external factors. Together these two dimensions shape the quick scan.
This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.
More specifically, this ‘risk matrix’ looks like the one shown below:
nr | Aspects (quick scan findings) | Risks: mention the incidents, their probability, cause and consequence (one column per operational goal)
 | Strategic goals | SG1 | SG1 | … | SG2 | SG2 | … | …
 | Operational goals | OG1-1 | OG1-2 | … | OG2-1 | OG2-2 | … | …
1 | Process management | | | | | | |
2 | Stakeholder management | | | | | | |
3 | Monitoring | | | | | | |
4 | Organization structure | | | | | | |
5 | Human resources management | | | | | | |
6 | Organization culture | | | | | | |
7 | Information and communication | | | | | | |
8 | Financial management | | | | | | |
9 | Facility management | | | | | | |
10 | Information and communication technology | | | | | | |
11 | External factors | | | | | | |
This answers three essential questions
By filling in this matrix, the CRO answers three essential questions:
- Which objectives of the entity are subject to research?
- What parts / aspects of the organization are the subject of research?
- Which risks require further insight?
In a first step, you examine, on the basis of a quick scan, the potential risks to which the entity is exposed.
As a second step, the CRO has to check systematically with the business which of the risk problem fields identified in the quick scan actually occur in their company and which require further investigation. For this the CRO must question the internal and external experts and the management team concerned.
Develop the quick scan by surveying the experts about which risks they generally regard as realistic for each aspect of the guideline. Then supplement this with desk research using annual reports, audit reports, risk inventories for occupational safety, fire prevention plans, continuity plans, incident registrations and the damage history, including the registration of near misses.
Afterwards, "weight" the matrix against the results of the quick scan from step 2, clearly choosing which risks bear on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. You can also include an assessment of the existing control measures in the quick scan.