Risk Assessment

From NGO Handbook
Revision as of 13:16, 6 February 2008 by Frederick Swarts (talk | contribs) (Why are risk assessments important?)

This article was based on an article prepared for the NGO Handbook by Jennifer L. Tavis, titled, "Impact Assessments and Risk Evaluation.

Risk assessment is the methodical collection and ranking of risks according to severity of consequences and probability of occurrence, and then the creation of a plan to mitigate identified risks. It is used with specific technical meanings in a number of contexts, from finance to medicine, but certain common elements can be identified across the board.

In all cases, risk can be defined as the potential for negative eventualities, including loss, injury, and damage. Assessing risk involves taking into account not only the severity of the negative eventuality but also its probability. There are mathematical formulas for assessing risk, but these can only be used if all of the data you are trying to analyze is quantitative, which is rarely the case outside of the world of finance.

In an NGO context, risk assessment is generally going to be based more on facts and opinions than on numbers.

Risk assessments provide a framework for prioritizing and mitigating risk.

Basic elements of risk assessment

The following steps outline the basic elements of a risk assessment.

Step 1: Identify risks, potential impacts and stakeholders

Depending on the scale of your project, this can be anything from a brainstorming exercise with the project team to a detailed assessment of input from a wide variety of stakeholders, as in the impact assessment process.

Is the risk related to the budget or timelines? Is it related to how well received the project will be by the affected community? Who has a stake in mitigating the risk? If possible, try to bring stakeholders into the assessment process so that they can both define the relative importance of the risks and help plan to mitigate them.

Step 2: Evaluate and prioritize the risks

Rate the risks in terms of severity and probability of occurrence. If it doesn’t make sense to quantify severity and probability, use descriptive labels. For instance, you may want to use high, medium and low as probability categories, rather than trying to come up with an odds ratio or a percentage.

For severity, be specific in your category definitions. For instance, if you use serious as a severity category, indicate what the criteria are for that rating (for example, you may want to define serious as a category for risks that could potentially result in the cancellation of the project). Depending on your preferences, you may not want to use descriptive labels at all, but instead use designations such as Severity Level 1, accompanied by clear descriptions. By doing so, you avoid the potential for conflicts over differing interpretations of the meaning of the word used as a label and whether it implies something different from what is laid out in the category criteria.

It’s a good practice to record the rationale behind the risk ratings you assign to each identified risk. That way, everyone can remember the thinking behind the rating and remember the implications. For instance, say you identify the following risk: James Albert, a local community leader, may choose not to support the project. Several key people familiar with the community agree that this could potentially be a significant problem, but you do not record the reasons. Those people are not present at your next meeting, and the risk is downgraded to a minor consideration because James Albert is not part of your organization, nor does anyone present feel he holds significant sway in the community. Subsequently, the original decision-makers are angry and confused about the change. It turns out that you needed James Albert’s support because he is the only person in the area with an airplane and a pilot’s license. You need his help to transport personnel and supplies. If the rationale behind the severity rating had been recorded in the first place, the disagreement and confusion could have been avoided.

Step 3: Create mitigation strategies that are scaled to the level of risk

Once you have your ratings and rationale documented, it can be helpful to map out your risks in quadrants (see figure below) to help you prioritize and think about next steps.

Risks that fall into the upper right-hand quadrant will be your top priorities in terms of mitigation strategies. Risks in the lower left-hand quadrant need little attention and may not even need to be addressed at all. Some thought should go into how to treat risks in the remaining two categories. You may want to place limits on how much money and effort you are willing to put into dealing with them, as they are not top priorities.

Be thoughtful about coming up with mitigation plans that minimize effort and expenditure while at the same time effectively managing the risk. When it makes sense, use mitigation plans that cover multiple risks. This can simplify the implementation effort and reduce costs. Don’t pursue mitigation options that can’t be implemented with the available resources. The perfect solution may be out there, but that doesn’t mean you can afford it. Conversely, be careful not to dedicate resources to efforts that won’t have any meaningful effect. Try to find a balance where resources can be dedicated in such a way that they make a difference without breaking the bank.

Review your mitigation plans with stakeholders whenever possible to ensure that they feel the risk has been addressed. This may take some negotiation, since it’s rarely possible to give them 100 percent of what they want. Nonetheless, implementation will be significantly easier if you take the time to get stakeholder buy-in at this point.

Step 4: Record and implement the mitigation strategy

Incorporate your mitigation plans into your project plan, and be mindful that project budget money and work effort will need to be allocated to carry them out. Often mitigation plans have multiple steps. These need to be thought through, documented, and assigned just like any other project task.

Ongoing: Update and maintain the risk assessment

If unforeseen issues arise during the project and create further risks, address them as described above. If it becomes clear that certain risks have resolved themselves and are no longer relevant, reallocate any resources dedicated to managing them. Keep an eye on how often certain issues are coming up. If something originally designated as unlikely has turned out to be an issue you deal with every day, rethink your original assessment and adjust your approach to deal with the realities you are encountering.

Why are risk assessments important?

Preparation through risk assessment reduces the overall risk associated with a project. It allows you to categorize and prioritize risks, and it gives you a starting place for ensuring that things go as planned.

Conclusion

Before undertaking any serious effort, it makes sense to check your plans against reality and do your best to ensure that you will achieve the desired results. Over time, specialists in a wide variety of fields, from sociology and economics to epidemiology and psychology, have developed formal methodologies that are adapted to answer specific types of questions about the potential risks and benefits of potential projects.

While you will likely find that at least some aspects of these methodologies are helpful in your decision-making, it should be understood that no assessment process can predict the future with absolute certainty. Use impact assessments as guidelines, but remember that as the project unfolds, new and unexpected eventualities can still arise.