I live in South Florida, and for one half of each year we worry about hurricanes. Actually, we start worrying about one month before our six-month hurricane season begins on June 1st; hurricane season officially ends just after Thanksgiving on November 30th.
(At least with hurricanes we’ve got some warning, which we’re very grateful for; earthquakes and twisters provide little advance notice, if any.)
I use life in a hurricane zone as an example when discussing risk analysis.
Let’s take a look at a risk analysis for hurricane season in South Florida based on some risk characteristics:
- Occurrence: Hurricane season is guaranteed to happen once per year (frequency), though the likelihood of a hurricane strike is unknown.
- Control: We can’t control the weather, but we can control other things that create risk.
- Severity: We cannot mitigate the strength of a hurricane, but we may be able to reduce the impact it has on our lives and businesses through various preparations.
- Interruption: Can we continue through a hurricane strike or will we be forced to recover after a period of downtime?
Once the characteristics of a risk are determined, risks can be plotted on a chart or given a numerical ranking, allowing us to determine which risks should be addressed, in order of priority. This analysis can also be used to determine the cost of the risk versus the value of addressing it.
The exercise of performing a risk analysis has the benefit of uncovering risks to your organization that you may not have previously considered. The Risk Assessment is part of the COSO framework used for Sarbanes-Oxley compliance, so for public companies this is a requirement.
The failure to identify risks is a risk in and of itself. I would submit that knowing about a risk and knowing that something could be done about it is pretty much just as bad as not bothering to identify risks in the first place.