IJCA - Volume 2 - Flipbook - Page 35
2023 | Volume 2, Issue 1
specific risk or guarantee a specific opportunity.
Instead, we reduce/increase one or both of the
following factors:
Likelihood of Occurrence: On a scale of 1% to
100%, what is the likelihood of this risk/opportunity
happening?
Impact: On a scale of 1 to 10, what is the impact
should this risk/opportunity happen?
However, before arriving at the point of developing
mitigation and contingency plans and truly
managing one’s risks, one must first identify the
risks; analyze them to determine the above factors;
prioritize the list so that the most important,
most likely, and higher impact risks are identified;
and quantify the data. This is what is known as
conducting a risk assessment.
Methodology
Following a modified Fink approach, this risk
assessment/analysis was initiated by first seeking
input from IAS personnel to ascertain the top
risks as perceived by the various staff members.
Consideration was also given to various risk registers
and internationally accepted methodologies when
developing this risk assessment (see, for example:
EA-2/19 INF:2020 – List of Risks for Accreditation
Processes and Operation of National Accreditation
Bodies and ISO 31000:2018 – Risk Management Guidelines).
After receiving the first round of feedback,
risks were divided into the seven broad categories
referenced above. After categorization, “like risks”
were combined to bring the overall list to a more
manageable level. At this point, the refined lists were
recirculated to staff and all individuals were asked to
estimate:
A. The likelihood of the risk materializing (1% [Not
Likely] – 100% [Extremely Likely])
B. The impact should the risk materialize (1 [No
Impact] – 10 [Significant Impact])
for each risk presented in the refined lists for each
broad category with the aim of calculating Crisis
Impact Values (CIVs) for each identified risk.
Responses were received from nearly all staff
included in the poll, and CIVs were calculated for
each risk presented. Risks were ordered according
to CIV (largest to smallest) and those risks falling
within the medium to high risk levels (CIV>250) were
isolated. Each risk value was plotted on a risk matrix
to provide a visual representation of where each risk
falls on the graph, per category (see next section).
The next step in the process was to define and draft
both mitigation and contingency plans for each
identified risk.
A mitigation plan is enacted to reduce the likelihood
and/or impact of a specific risk; it is synonymous
with a preventive action.
A contingency plan is enacted to respond to a crisis
arising due to a specific risk; it is synonymous with a
corrective action.
To identify appropriate mitigation/contingency plans,
the risks that were classified as medium to high from
each category were sent to all relevant staff based
on areas of responsibility, and staff were asked to
answer the following two questions, per risk:
A. What preventive actions do you propose to
reduce the likelihood and/or impact, if possible,
of this risk (i.e., mitigation plan/action)?
B. What actions do you propose if the risk
escalates into a crisis (i.e., contingency plan/
action)?
Once staff responded to this request, responses
were compared, “like suggestions” were combined,
and the final mitigation/contingency plans were
presented for analysis in the subsequent sections of
this document.