Risk assessment
134
organization that will be impacted by the event. These components are represented 
in the same way as in Table 3.2 as people, premises, processes and products.
nature of risk classification systems
In order to identify all of the risks facing an organization, a structure for risk identi-
fication is required. Formalized risk classification systems enable the organization
to identify where similar risks exist within the organization. Classification of risks 
also enables the organization to identify who should be responsible for setting 
strategy for management of related or similar risks. Finally, appropriate classifi-
cation of risks will enable the organization to better identify the risk appetite, risk 
capacity and total risk exposure in relation to each risk, group of similar risks or 
generic type of risk.
The FIRM risk scorecard provides such a structure, but there are many risk 
classification systems available. The FIRM scorecard builds on the different aspects 
of risk, including timescale of impact, nature of impact, whether the risk is hazard, 
control or opportunity, and the overall risk exposure and risk capacity of the
organization. The headings of the FIRM scorecard provide for the classification of 
risks as being primarily financial, infrastructure, reputational or marketplace in
nature.
The FIRM risk scorecard can also be used as a template for the identification of 
corporate objectives, stakeholder expectations and, most importantly, key dependencies. 
The scorecard is an important addition to the currently available risk management 
tools and techniques. It is compiled by analysing the way in which each risk could 
impact the key dependencies that support each core process. Use of the FIRM risk 
scorecard facilitates robust risk assessment by ensuring that the chances of failing to 
identify a significant risk are much reduced.
As with so many risk management decisions, it is for the organization to decide 
which risk classification system most fully satisfies its needs and requirements.
As well as being classified according to the timescale of their impact, risks can also 
be grouped according to the nature of the risk, the source of the risk and/or the
nature of the impact or size and nature of the consequences.
An organization will choose the risk classification system that is most suited to
its size, nature and complexity. For example, banks and other financial institutions 
almost universally classify risks as market, credit and operational risks. Other
commonly used risk classification systems that can also be employed to provide 
structure to risk assessment workshops are the SWOT and PESTLE analysis.
Figure 11.2 presents an operational version of the bow-tie representation of risk 
management, rather than the high-level overview presented in Figure 11.1. Figure 11.2 
uses the bow-tie to represent the sources of potential damage to premises and
retains the impacts as financial, infrastructure, reputational and marketplace. The 
sources of potential damage to premises are identified as flood, fire, earthquake and 
break-in.

Download 3.45 Mb.

Do'stlaringiz bilan baham: