IJCA - Volume 2 - Flipbook - Page 40
40 The International Journal of Conformity Assessment
example, recall the graph with A, B, C, and D shown in
Step 4:
[Figure 4: "Risks" scatter plot showing risks A, B, C, and D. x-axis: Impact (0 to 10); y-axis: Likelihood (0 to 100).]

Now, suppose mitigation measures have been
implemented for each risk, as below:

Risk A: Mitigation measure successfully implemented to reduce Likelihood of Occurrence
Risk B: Mitigation measure successfully implemented to reduce Impact
Risk C: Mitigation measure successfully implemented to reduce Likelihood of Occurrence and Impact
Risk D: Mitigation measure not successfully implemented to reduce either factor

The movement of the risks on the graph would
appear like this:

[Figure 5: "Risks" scatter plot showing the movement of A1 to A2, B1 to B2, and C1 to C2, with D1 marked "No change". x-axis: Impact (0 to 10); y-axis: Likelihood (0 to 100).]

In Figure 5, A2, B2, and C2 are the newly calculated
IVs after implementation of the respective mitigation
plans. Reducing Likelihood of Occurrence moves
the risks in a vertical direction (A), reducing Impact
moves the risks in a horizontal direction (B), and
reducing both the Impact and the Likelihood of
Occurrence moves the risks in a diagonal direction
(C). For risk D, the mitigation plan failed to address
either the Impact or the Likelihood of Occurrence,
so the risk plot did not move. The same can be seen
mathematically if comparing the IVs previously
calculated vs. the IVs calculated post-mitigation.
After rerunning the numbers and finding that residual
risk is acceptable, document the justification for
acceptability. After rerunning the numbers and
finding that residual risk remains unacceptable,
repeat the process again until arriving at acceptable
residual risk.

Step 9: Plan, Do, Check, Act
Like nearly everything in conformity assessment,
risk assessment and analysis is not a one-time
operation. Instead, it is a continuous process that
must be redone whenever significant changes to
the organization or organizational context occur.
There is no magic number or frequency that dictates
ideal intervals of risk assessment and analysis.
Instead, it is up to the organization to define when,
why, and how risk assessment and analysis will
take place.
Other Considerations
Read on for additional discussion regarding other
considerations that were not covered in the above
methods section.
Extended Impact Score
Whereas in this paper the value for Impact of each risk
was obtained simply by asking for an answer on
a scale of 1 to 10, it may be valuable to use a more
extensive method to ascertain Impact. To
find the Extended Impact Score, instead of simply
asking interested parties for a number between 1
and 10, ask the following five questions:
1. If the crisis escalates in intensity, how intense
might it get for you?
2. To what extent would the crisis fall under
someone’s watchful eye, such as the news
media or some government regulatory agency?
3. To what extent would the crisis interfere with the
normal operations of your business?
4. To what extent would your company’s public
image and/or your personal reputation be
damaged in the event of the potential crisis?