Risk Management
Initiating risk, identifying risk, managing and responding to risk, monitoring, reporting and communicating risk.
4. Assessing Risk
Once a risk has been identified, it must then be assessed to judge the potential or actual impact it may have on the organisation, a staff member or a patient (Wang, 1999; Bandyopadhyay et al, 1999; Lorton, 2005; Hillson & Murray-Webster, 2007; Lee et al, 2011; Hung, 2012; Hu et al, 2013). Klinke and Renn (2006) argue that this is a fundamental area for policy makers because not only does it set out suitable approaches and instruments for adequate risk assessment practice, it also enables staff to understand the impact of risks and to assess and evaluate their own contribution to a number of different types and categories of risk.
The approach to assessing a risk that is widely supported in the literature is to determine the likelihood of the risk occurring or recurring and set it against the impact (sometimes called the consequence) if the risk were to materialise. This is outlined in a variety of ways in the following guidance documents:
- National Institute of Standards and Technology United States (2002) Risk Management Guide for Information Technology Systems
- Australian and New Zealand Standards (2004) Risk Management
- HM Treasury (2004) The Orange Book: Management of Risk – Principles and Concepts
- Hong Kong Health Authority (2004) Risk Register Guidelines
- Australian and New Zealand Standards (2009) Risk Management – Principles and Guidelines
- National Patient Safety Agency (2011) Guidance for Risk Managers
These documents vary from using a vocabulary grading of ‘high’, ‘medium’ and ‘low’ for both likelihood and impact (preferred by the National Institute of Standards and Technology (2002)) to using a numerical grading in which each category is assigned a number. The latter form of assessment is preferred in the other documents because, as explained by the Hong Kong Health Authority (2004), it lends itself readily to use within a risk matrix.
Applying a risk matrix is the natural next step after using a numerical grading scale. The National Patient Safety Agency (NPSA) (2011) Guidance for Risk Managers developed the matrix below which is generally accepted and widely used within the NHS:
Table 1: Risk Management Matrix (NPSA, 2011)
The NPSA (2011, p.11) believes this risk matrix has the following advantages:
“It is based on simple mathematical formulae and is ideal for use in spreadsheets. Equal weighting of consequence and likelihood prevents disproportionate effort directed at highly unlikely but high consequence risks. This should clearly illustrate the effectiveness of risk treatment. There are four colour bandings for categorising risk, which provides an illustrative red-amber-green rating that may be useful for organisations. Even if the boundaries of risk categorisation are changed, trusts will still be able to compare ‘scores’ to monitor whether risks are being evaluated in a similar manner.”
However, HM Treasury (2004) notes that there is no standard scale for risk matrices; an organisation should therefore reach a judgement about the level of analysis that is most practicable for its circumstances. A risk matrix is nonetheless worth using because, once the assessment is complete, the resulting scores can be compared directly with the organisation's risk appetite and used to set its risk priorities.
Managing risk means thinking about it in a logical and structured way. Risk can come from within, for example through employee actions and/or the decisions of management, such as the choice of accounting policy. There are external threats too: risks posed by factors beyond the control of company staff. It is therefore useful to group risks together (Nash, 2003). Risk categories allow staff to gain a general idea of where in a system a risk can be identified, and can subsequently be used to break down the risks held on the risk register for ease of reporting (Hong Kong Health Authority, 2004). Millar (1992) was one of the first to outline a number of risk categories for use within firms: operating, liability, research and development, and behavioural risks. The NPSA (2011) outlines a number of categories of risk for use within the NHS:
- Patients and Staff Safety
- Quality
- Organisational
- Statutory
- Reputational
- Business Objectives
- Project
- Finance including claims
- Operational
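As an added worked example, not part of the original text or of the NPSA guidance, the script below implements the two ideas from the preceding sections in one place: a likelihood × consequence score with equal weighting and four colour bands (the matrix discussion above), and a risk register that is compared against an appetite threshold and broken down by the NPSA categories just listed (the categorisation discussion). Because Table 1 is not reproduced on this page, the 5-point scales, the band thresholds, the register entries and the appetite value are all assumptions chosen for illustration; an organisation would substitute its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ASSUMED 5-point grading scales (the page's Table 1 is not reproduced here).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# ASSUMED four colour bands keyed on the product score. Products of two 1..5
# grades can only take the values 1,2,3,4,5,6,8,9,10,12,15,16,20,25, so these
# inclusive ranges cover every reachable score.
BANDS: List[Tuple[int, int, str]] = [
    (1, 3, "low"),        # green
    (4, 6, "moderate"),   # yellow
    (8, 12, "high"),      # amber
    (15, 25, "extreme"),  # red
]


@dataclass(frozen=True)
class Risk:
    ref: str          # register reference, e.g. "R1"
    category: str     # one of the NPSA categories listed above
    likelihood: int   # 1..5
    consequence: int  # 1..5


def score(risk: Risk) -> int:
    """Likelihood x consequence with equal weighting, as the NPSA text describes."""
    if risk.likelihood not in LIKELIHOOD or risk.consequence not in CONSEQUENCE:
        raise ValueError(f"{risk.ref}: grades must be in 1..5")
    return risk.likelihood * risk.consequence


def band(s: int, bands: List[Tuple[int, int, str]] = BANDS) -> str:
    """Map a score onto a colour band. Passing a different `bands` table shows
    the NPSA point that scores stay comparable even when boundaries change."""
    for lo, hi, name in bands:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} is not covered by any band")


def prioritise(register: List[Risk], appetite: int) -> List[Tuple[int, Risk]]:
    """Risks scoring above the appetite threshold, highest score first.
    Ties are broken by reference so the ordering is deterministic."""
    above = [(score(r), r) for r in register if score(r) > appetite]
    above.sort(key=lambda t: (-t[0], t[1].ref))
    return above


def by_category(register: List[Risk]) -> Dict[str, List[str]]:
    """Break the register down by category for reporting, as 'ref:score'."""
    out: Dict[str, List[str]] = {}
    for r in register:
        out.setdefault(r.category, []).append(f"{r.ref}:{score(r)}")
    return out


# CONSTRUCTED sample register; the entries are illustrative only.
REGISTER = [
    Risk("R1", "Patients and Staff Safety", 2, 5),
    Risk("R2", "Finance including claims", 4, 3),
    Risk("R3", "Reputational", 1, 5),
    Risk("R4", "Operational", 5, 1),
    Risk("R5", "Project", 3, 2),
    Risk("R6", "Statutory", 5, 5),
]

if __name__ == "__main__":
    # ASSUMED appetite: anything scoring above 6 (i.e. high or extreme) needs treatment.
    for s, r in prioritise(REGISTER, appetite=6):
        print(f"{r.ref:3} {band(s):9} {s:2}  {r.category}")
    for cat, refs in sorted(by_category(REGISTER).items()):
        print(f"{cat}: {', '.join(refs)}")
```

Note that R3 (rare but catastrophic) and R4 (almost certain but negligible) both score 5 and land in the same band; that is the "equal weighting" property the NPSA quotation describes, and it is also the reason HM Treasury's caution applies: an organisation that wants catastrophic-consequence risks to rank higher must deliberately choose a different scale or weighting rather than inherit this one.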