The International Journal of Conformity Assessment, Volume 2, Page 36
Based on the mitigation and contingency plans discussed in section 4 below, the top management and managers related to each department were tasked with defining the allocation of resources for implementation of the selected proposed actions. These mitigation/contingency measures are reviewed on an ongoing basis for continued effectiveness throughout the lifecycle of the organization. Based on the review of these actions and their effectiveness, IAS continues to make changes based on feedback data received.
Risk Assessment and Analysis Methods
Step 1: Information Gathering
Understanding the business and associated interested parties is a critical first step in risk assessment. (For the remainder of this paper, risk(s) is used interchangeably for risk/opportunity.) Practitioners should consider, for example:
1. What are some important aspects of the business? Is it product-based, service-based, or both? What is the level of public scrutiny? Is the business sector regulated? Is it dangerous? Does it use contract workers? What is the level of associated liability?
2. Who are the interested parties related to the business? Staff? Customers? The public? Regulators? Industry groups? Governments?
Then, form a group of the identified interested parties, provide a brief on the business (generated by asking question 1, if needed), and ask the interested parties to identify risks anticipated within the business. This can be accomplished quite simply using email, and does not need to be a lengthy, highly technical process. Seeking input from individuals at all levels within an organization (e.g., administration, technical, management, finance, etc.), including external individuals (e.g., trade groups, regulators, subject matter experts, etc.) when appropriate, helps ensure that the business is considered from many different perspectives, increasing the likelihood that relevant risks will be identified and reported.
Step 2: Categorization and Combination of Risks
Upon collecting the responses, the next step is to create broad categories based on the various risks received. This allows for the combination of “like risks,” helping to reduce the overall workload and duplicate analysis later. Categories should make sense for the business; some example categories are as follows: regulatory risks, IT systems risks, conflict of interest/impartiality risks, resource risks, domestic business risks, international business risks, and policy, procedure, or process risks. Once broad categories have been identified, risks can be grouped under each of the categories. During the grouping process, if “like risks,” or risks that are similar in subject, are discovered, they can be combined to reduce the overall list of risks. For example, “loss of internet connectivity while traveling” and “inability to connect to IT systems while on the road” can be combined into “loss of internet connectivity while traveling.” Here is another example where two similar risks can be combined: “Inability to complete jobsite projects in allocated time” and “Not enough time to complete complicated paperwork while at a jobsite.” In this case, they may be combined into a single risk that addresses both of the individual ones: “Complicated paperwork requires too much time while on the jobsite, which prevents project completion.” Here, one risk was a cause of the other. It is very important to consider risks from a holistic point of view, as in many cases risks are related to one another.
Step 3: Ascertain Impact/Likelihood of Each Risk
Now that risks have been categorized and combined, where appropriate, the next step is to seek interested party input for the Impact (1-10) and Likelihood of Occurrence (1% to 100%) of each risk. Like step 1, this can be easily accomplished via email and should not be a lengthy or highly technical process. Simply arrange the risks according to category, identify the most relevant interested parties for each category, and ask them to report:
A. What they think the Impact of each risk is on a scale of 1 to 10, and