Simple Tool to Identify Risks


There are several techniques to identify the causes of risks in order to map and prioritize risk mitigation efforts. Some of these techniques are brainstorming, questionnaires, industry scenarios and research, workshops, audit programs and incident investigations. In this post, I would like to share a simple tool for identifying risks when questionnaires are used.

Some techniques for gathering field information about risks can be time consuming, for instance arranging individual interviews with key staff or organizing risk workshops. Other techniques only allow a specific approach (e.g. top down or bottom up). Others fail to collect the most relevant and meaningful risk control deficiencies. Some alternatives may require a solid IT infrastructure (e.g. Microsoft InfoPath). GRC professionals face a real challenge in developing a proper methodology that balances the pros and cons of each alternative.

A simple process would be to distribute an MS Excel file with a predefined risk catalog by email. Each survey participant (e.g. area managers) can then decide which areas to assess. For instance, a finance country manager would assess the finance and compliance areas, and a production manager would assess the operational area. Because this process needs to promote employee participation, the risk catalog also includes the option to report other risks. In order to prevent errors, most of the fields are filled in from drop-down lists.

Once all questionnaires have been completed by key staff at the different locations, the responses can be compiled by using a macro. Reports to map risks or to get a risk matrix are also easy to obtain. Reports for risk profiling may rank risks by using the common formula frequency/probability (1 to 5) * impact/consequence (1 to 5).

This tool can be downloaded from here:
Generic Risk Assessment Tool.xlsm

The tool requires MS Excel 2007 with macros enabled. Please let me know if you need this file converted to other formats.

This tool would be simple, fast to complete, open to collecting other risks and self-explanatory.

Notes: The applied risk catalog is a high-level collection of potential hazards for the oil industry. This tool is not intended to replace a robust system for risk assessment. This post is not intended to cover any methodology for risk estimation or details about other risk techniques.
