Risk assessment
120
Health and safety practitioners, for example, prefer to undertake risk assessment 
with the current controls in place. This can be a simpler approach, although it relies 
on the assumption that the current controls will always work to the assumed effec-
tiveness. For example, if an assessment of an x-ray machine is being undertaken, the 
safety person will assume that the enclosure or cabinet is in good order and the risk 
should be assessed on that basis. The internal auditor will more easily recognize that 
the enclosure or cabinet is a vitally important control factor that has to be subject to 
a routine inspection.
Approaches to risk assessment
There are several approaches that can be taken when planning how to undertake 
risk assessment. One of the key decisions will be who to involve in the risk assess-
ment exercise. Sometimes risk assessments are undertaken by the board of directors 
as a top-down exercise. Risk assessments can also be undertaken by involving
individual members of staff and local departmental management. This bottom-up 
approach is also valuable.
The opinion of the chief executive officer (CEO) is critically important, especially 
as it helps to define the overall attitude of the organization to risk. There is no doubt 
that the CEO will be able to provide a well-structured view of the significant risks 
faced by the organization. The disadvantage in relying on the opinion of the CEO is 
that the focus is likely to be on external risks. Although CEOs will be concerned 
about the financial management and infrastructure risks, these internal risks may 
not be their major concern or area of interest.
In general, the overall approach by the organization to risk assessments will
be heavily influenced by the risk assessment techniques that are selected. Certain 
techniques require the involvement of specific individuals and require a particular 
approach to undertaking risk assessments. It is important that the approach that is 
adopted is consistent with the culture of the organization.
For example, if an organization does not normally hold meetings and workshops, 
then a workshop may not be the most appropriate approach to risk assessments. 
Likewise, if the culture of the organization relies heavily on reports and written papers, 
this may be the best way of conducting the risk assessments.
The use of voting software has become popular in recent times. For organizations 
such as media companies familiar with this technology, this may be a very appropriate 
way of undertaking risk assessments. However, for organizations that are not keen 
on technology, the use of such tools may be seen as gimmicks that detract from the 
value of the workshop.
The use of the voting software can provide additional information in the risk
assessment workshop. Not only is it possible to identify the majority position in
relation to the likelihood and impact of a risk materializing, but it is also possible to 
identify the spread of opinions. If there is a broad spread of opinions, this needs
to be explored, because it could represent a possible misunderstanding of the nature 
of the risk being discussed.

Download 3.45 Mb.

Do'stlaringiz bilan baham: