What is a Risk Assessment?
The risk assessment process is well suited to a structured and systemic approach. For complex or more widespread issues a facilitated workshop format involving participants with different perspectives is often helpful and using an experience facilitator to lead the discussion can help provide other objective perspectives.
The guidelines that follow should be used to implement a departmental or project specific risk assessment. It is the responsibility of the department head or project manager to determine the life cycle of the Risk Management Process for the department or project:
- Identify Department Goals - The first step is to identify the unit's or project's principal goals and objectives, and the critical success factors to achieve them.
- Risk Identification - Second, identify the risks that are the potential causes of failing to achieve the goals and objectives.
- Risk Analysis - The third step involves risk analysis, which is estimating the significance of a risk in terms of the potential dollar loss to the university and assessing the likelihood the of the risk occurring.
- Risk Assessment - The fourth step in risk assessment is consideration of how the risk should be managed. All risks identified as significant risks that are beyond the ability or authority of the department or project to mitigate must be reported to the appropriate director and/or vice president.
- Reassessment - The fifth and final step is to reassess at appropriate intervals by following steps one through four.
Questions to Ask When Assessing Risk
- What is the mission/purpose of the unit? What are its principal goals and objectives?
- What is of most concern to you regarding the attainment of the unit's goals and objectives?
- For each of the units principal goals and objectives, identify events or circumstances that may interfere with or prevent its achievement. Consider:
- Have there been changes to external factors such as laws or regulations?
- Have the terms of contracts changed? Are contracts up for renewal? If a contract is not renewed, is a contingency plan required, and if so, is there one?
- Have there been changes in key personnel during the past year?
- Has there been high staff turnover in the past few years?
- Is staff well trained?
- Are the unit's business processes simple and routine, or complex and non-routine?
- Are procedures and processes documented, i.e., procedure manuals?
- Have other units in other universities failed to accomplish similar objectives?
- Have there been changes in information systems in the past year?
- Has the unit taken on new activities? Has there been internal restructuring?
- Does the unit have a contingency plan if there were a major disruption in provision of services, e.g., all staff on leave of absence, information systems crash, and permanent loss of facilities, or key personnel, all paper records destroyed?
- What risks have increased or decreased during the past year?