A Risk identification method

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.
In this contribution I write my own opinion, not that of any organization.
Author: Manu Steens

The structure is a matrix

The structure is a matrix. The objectives of the entity (strategic and operational objectives) on one axis and the possible internal and external factors (the aspects of the organization) on the other axis together shape the quick scan.

This matrix approach promotes the completeness of the risk identification (every aspect is checked against every objective, so empty cells are visible) and provides a structure for organizing the risks.

More specifically, this ‘risk matrix’ looks like the one shown below:

Columns: nr | Aspects | Quick scan findings | Risks: mention the incidents, their probability, cause and consequence
The "Risks" column is subdivided per strategic goal and, under each strategic goal, per operational goal:
    Strategic goals:    SG1                  SG2
    Operational goals:  OG1-1   OG1-2        OG2-1   OG2-2

nr  Aspects                                   Quick scan findings   SG1/OG1-1  SG1/OG1-2  SG2/OG2-1  SG2/OG2-2
1   Process management
2   Stakeholder management
4   Organisation structure
5   Human resources management
6   Organisation culture
7   Information and communication
8   Financial management
9   Facility management
10  Information and communication technology
11  External factors

This answers three essential questions

By filling in this matrix, the CRO answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. What parts / aspects of the organization are the subject of research?
  3. Which risks require further insight?

In a first step, you examine, on the basis of a quick scan, the potential risks to which the entity is exposed.

As a second step, the CRO systematically checks with the business which of the risk problem fields identified in the quick scan occur in his company and which require further investigation. For this he must question the internal and external experts and the management team concerned.

Develop the quick scan by surveying the experts on what they generally regard as realistic risks in relation to the aspects of the guideline. Supplement this with desk research using annual reports, audit reports, risk inventories from occupational safety, fire prevention plans, continuity plans, incident registrations and the damage history, including the registration of near misses.

Afterwards, "weight" the matrix on the basis of the quick scan from step 2, choosing explicitly which risks bear on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. The quick scan can also include a review of the existing control measures.
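As an added illustration (not part of the original post, and not a tool of the author or the Flemish Government), the following Python sketch models the matrix from the three steps above: aspects on one axis, operational goals grouped under strategic goals on the other, a risk placed in every cell it "has a grip on", and two checks a CRO wants from the weighted matrix: which cells are still empty (the completeness the matrix is meant to promote) and how much exposure lands on each strategic goal. The aspect names and the SG/OG labels are taken from the matrix on the page; the three risks, the 1 to 5 probability and impact scale, and the product used as exposure are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Aspect rows as listed in the matrix on the page.
ASPECTS = [
    "Process management", "Stakeholder management", "Organisation structure",
    "Human resources management", "Organisation culture",
    "Information and communication", "Financial management",
    "Facility management", "Information and communication technology",
    "External factors",
]
# Strategic goal -> its operational goals (labels taken from the page's matrix).
OBJECTIVES = {"SG1": ["OG1-1", "OG1-2"], "SG2": ["OG2-1", "OG2-2"]}


@dataclass(frozen=True)
class Risk:
    """One row entry: the incident, its cause and consequence, and the cells it belongs to."""
    incident: str
    cause: str
    consequence: str
    aspect: str                  # the aspect row the risk is filed under
    operational_goals: tuple     # every OG the risk has a grip on
    probability: int             # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int                  # 1 (negligible) .. 5 (severe); scale is an assumption
    controls: str = ""           # existing control measures noted in the interviews

    def exposure(self) -> int:
        # Assumed weighting: probability times impact.
        return self.probability * self.impact


class RiskMatrix:
    def __init__(self, aspects, objectives):
        self.aspects = list(aspects)
        self.objectives = dict(objectives)
        self.og_to_sg = {og: sg for sg, ogs in objectives.items() for og in ogs}
        # One cell per (aspect, operational goal), initially empty.
        self.cells = {(a, og): [] for a in self.aspects for og in self.og_to_sg}

    def add(self, risk: Risk) -> None:
        if risk.aspect not in self.aspects:
            raise ValueError(f"unknown aspect: {risk.aspect}")
        if not (1 <= risk.probability <= 5 and 1 <= risk.impact <= 5):
            raise ValueError("probability and impact must be on the 1..5 scale")
        for og in risk.operational_goals:
            if og not in self.og_to_sg:
                raise ValueError(f"unknown operational goal: {og}")
            self.cells[(risk.aspect, og)].append(risk)

    def uncovered(self):
        """Cells nobody has filled: the gaps to raise with the experts in step 2."""
        return [cell for cell, risks in self.cells.items() if not risks]

    def exposure_per_strategic_goal(self):
        """Sum of exposure per SG; a risk hitting two OGs of the same SG counts once."""
        seen = defaultdict(set)
        totals = {sg: 0 for sg in self.objectives}
        for (_, og), risks in self.cells.items():
            sg = self.og_to_sg[og]
            for r in risks:
                if r.incident not in seen[sg]:
                    seen[sg].add(r.incident)
                    totals[sg] += r.exposure()
        return totals

    def ranked(self):
        """Risks ordered by exposure, each listed once even if it sits in several cells."""
        unique = {r.incident: r for risks in self.cells.values() for r in risks}
        return sorted(unique.values(), key=lambda r: r.exposure(), reverse=True)


def build_example() -> RiskMatrix:
    """Constructed sample input: three risks a quick scan might surface."""
    m = RiskMatrix(ASPECTS, OBJECTIVES)
    m.add(Risk("Ransomware on the case-handling platform", "unpatched remote access",
               "case processing stops for days", "Information and communication technology",
               ("OG1-1", "OG2-1"), probability=3, impact=5, controls="offline backups"))
    m.add(Risk("Key expert leaves without knowledge transfer", "single point of expertise",
               "procedures cannot be executed", "Human resources management",
               ("OG1-2",), probability=4, impact=3))
    m.add(Risk("Budget cut from the supervising ministry", "external policy change",
               "planned projects postponed", "External factors",
               ("OG2-1", "OG2-2"), probability=2, impact=4))
    return m


if __name__ == "__main__":
    matrix = build_example()
    print("exposure per strategic goal:", matrix.exposure_per_strategic_goal())
    print("empty cells:", len(matrix.uncovered()), "of", len(matrix.cells))
    for r in matrix.ranked():
        print(f"{r.exposure():>3}  {r.incident} [{r.aspect}]")
```

Running it shows the first risk counted once under each strategic goal although it occupies two cells, and 35 of the 40 cells still empty: exactly the list the CRO takes into the expert interviews to decide whether a cell is genuinely risk-free or simply not yet examined.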

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.
