In this post I will cover Risk Management for Business Analysis.
As per the Business Analysis Book of Knowledge Risk management is an ongoing activity. Continuous consultation and communication with stakeholders help to both identify new risks and to monitor identified risks. Risk analysis and management identify areas of uncertainty that could negatively affect value, analyzes and evaluates those uncertainties, and develops and manages ways of dealing with the risks. Failure to identify and manage risks may negatively affect the value of the solution. Risk analysis and management involve identifying, analyzing, and evaluating risks. Where sufficient controls are not already in place, business analysts develop plans for avoiding, reducing, or modifying the risks, and when necessary, implementing these plans.
Risk analysis and management involve identifying, analyzing, and evaluating the risks that negatively affect the product outcome. Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters.
Risk Analysis is mentioned in the Business Analysis Book of Knowledge and is it’s own task in the Strategy Analysis knowledge area in the BABOK. Risk Analysis is important to know for a Business Analyst because it enables the effective implementation of change. As an example, say your organization is looking to transition from fuel-based vehicles to electric vehicles, some of the risks that you as a Business Analyst may identify are are Risk of if the electric pumps are not set up properly they could cause a fire thus causing damage to the vehicle and financial losses to the company.
So how do you effectively conduct a risk analysis as a Business Analyst?
Step 1: Identify your organization’s Risk Tolerance.
What this means is that Organizations accept different levels of risk depending on their risk attitude. The risk tolerance, appetite, and threshold of the organization and its stakeholders must be fully understood, defined, and communicated. An organization may be risk-averse, risk-neutral or risk-seeking. A risk-averse organization seeks to reduce risk as much as possible and gravitates towards attaining a high level of certainty on its projects. For risk-neutral organizations, the benefits of the risk response must be equal to or outweigh the costs. Risk-seekers on the other hand, accept low chances of success as long as the benefits of success are considerably high.
Step 2. Complete a Risk Register to Assess the Risk.
Bring your stakeholders together to assess the Risk using a Risk Register.
A risk register is a tool that is used to help foster discussions among stakeholders and key stakeholders regarding an organization’s key objectives and the unplanned events that could interfere (or enhance) the organization’s ability to achieve them.
Specifically, a risk register is a list of an organization’s risks, along with their ratings (scores or risk levels), responsible executives, areas affected and a summary of the actions being taken in response to the risk.On the right is an example risk register taken from the Essential ERM system.
The image above shows many of the elements that are typically documented within a risk register, including a name for the risk, a category (and sub-categories), inherent risk scores, control effectiveness, residual risk scores and risk velocity. Risks also usually have a rank showing their relative priority and include a summary of the action plans assigned to them, as well as the areas of the business that would be impacted if the risk events were to occur. They may also indicate if a risk’s residual rating is above, below or within the allowable thresholds set through the organization’s risk appetite framework.
Other important areas to consider adding to your register are the strategic objectives impacted, the risk treatment strategy to be followed, root causes, pre-event mitigations (controls), post-event mitigations and eventual consequences (qualitative and quantitative). Note that while this information is extremely important for the risk assessment and process, it is often difficult to capture and maintain in a spreadsheet because of the many-to-many relationships between these risk elements (more on this below).
Step 3: Identify a Response Strategy
or negative risks, there are 4 ways in which an organization may choose to respond:
Transfer: The responsibilities of bearing the risk are transferred to another entity, usually in the form of insurance.
Avoidance: The organization does all it can to ensure that the risk does not occur.
Mitigation: The organization reduces the chances of the risk occurring and also identifies alternatives for reducing the consequences.
Acceptance: When there’s no way to avoid, transfer or mitigate risk, the organization accepts that there is nothing that can be done and makes no effort to deal with it.
For positive risks (opportunities), there are 4 different ways in which an organization can respond:
Acceptance: The organization chooses to accept the opportunity once it lands.
Exploit: The organization actively takes steps to ensure that the opportunity materializes.
Enhance: This is the exact opposite of mitigating. The organization takes steps to increase the probability of an opportunity occurring and its associated benefits, should it occur.
Share: Involves working with another entity to increase the probability of the opportunity occurring and sharing the benefits.
