Author: Francis Van Der Staey
Managing Partner and Co-founder at Radar Risk
How do you select the appropriate risk assessment methods?
Well, I am very happy that there is a risk assessment standard like ISO 31000, because it has become our guideline for putting every other assessment methodology underneath it. So it is the perfect umbrella for us to categorize our work into an existing framework.
It has proven to be of great value to us, because we are not only doing risk assessments; we are also specializing in several areas of solutions for risk assessment and risk management. For example, we are now specialized in security solutions, where the source of the risk is criminal risk, but there are other areas as well, and it all fits underneath the 31000 umbrella. Next to that, because the 31000 exists, we are creating software to do all that.
What are the factors and constraints in conducting a risk assessment?
I think it is important for us to always start at the business level in a company, and the business level is about every possible risk. So on a top level we want to identify and assess all those risks. Once we have that, we are going to define the main categories and make sure that when you go deeper in assessing those risks, you do that in the fashion that that type of risk requires. Again, in our example, when we talk about criminal risks, there are actually seven additional factors beyond the traditional risk factors that need to be defined in order to assess the criminal risk, and again in order to find the suited solution to solve or to mitigate that risk. So in other areas there are other factors and criteria that will play a role, and that is exactly what we were trying to put into software, so in the end we will be able to measure the Return on Investment (ROI), not only on security investment, which we already can, but also on all the other types of risks.
What are the requirements for a risk assessment method?
First of all, the requirement for a risk assessment method is that the framework is clear: that we start off with a good understanding of what you mean by 'the risk is high or low or medium', what in fact the criteria are that make it high or medium, and how we can quantify that. Because, as I told you already, we want to be able to calculate the Return on Investment, we need the investment amount in the mitigation of the risk, compare it to the actual risk that exists in quantity, and after the mitigation measures we want to be able to calculate the residual risk, so that we can prove to top management that the actions we have been taking, the investments you have been deciding upon based upon the risk assessment priorities, are actually bringing you a return.
What are the methods for conducting a risk assessment?
Of course, there are many specified in ISO 31010 as methods that can be used to assess, actually to capture, what kind of risk exists in a company. For example, there are brainstorming sessions that can be done, and there are very specialized methods to be applied in technical environments, but what we mostly do is talk to as many people as we can that have a stake in the whole story of risk assessment and risk management. So understanding your organization is the first thing you need to do: understanding the processes and trying to determine the level of risk that exists, what can be a threat to the objectives of the company or its sub-structures.