• constantiaconsulting

Risk management process - Risk analysis

Risk analysis is the process of developing an understanding of each risk. This involves analysing the causes of risk, consequence and likelihood, identification of the effectiveness of existing controls and interdependence with other risks. The outcome of this process provides a basis for future management and development of potential treatments.


Risk analysis is performed within the context of the area in which the risk has been identified.


Existing controls are things that are already in place such as policies, procedures, training programs, etc. These controls require rating as either effective, requires improvement or ineffective.


Once this has occurred, the level of risk can be ascertained. This is done by using the risk assessment matrix.



The organisation should create a risk assessment matrix based on its ‘risk appetite’ and what is and isn’t acceptable within the organisational structure. The organisation should determined whether or not it is prepared to accept a controlled level of risk above moderate. Should the organisation decide not to accept risks above moderate, a treatment plan could be required.


However, there are circumstances where a high or extreme level of risk is not treated due to the financial impact and therefore remains at this level. Should this occur, an explanation from the risk owner is normally required. This explanation should be reviewed by the Audit and Risk Committee (or its equivalent in the organisation).


All risks, along with their analysis, should be documented in a risk register which is reviewed regularly according to the organisations risk management plan. In documenting risks in the risk register, the following should be considered:


  • Risk descriptions – describe what the risk is, the cause of the risk and the consequences. As the risk description is only meant to be a short, contextual statement, the causes and consequences that are included should centre on the context that the risk is seen in.

  • Control descriptions – describe what the control is, what it does, who performs it and how it is done. If the control is a process or task performed by a particular role (committee, function or person), they must be named in the control description as the control owner is not always the person undertaking the process or task. Not every control will require every component; however, the description must reflect exactly how the control is working. If it requires improvement, the weakness of the control is also captured on the risk register.

  • Treatment descriptions – describe what the treatment is, what action is required and who performs the task. As with controls, the person undertaking the task is not always the treatment owner and therefore must be identified in the description. Treatment plans should have a due date which is monitored and reviewed regularly.

26 views0 comments

Recent Posts

See All

Risk evaluation uses the information obtained during the analysis to make decisions about whether the risk is acceptable in its current state or whether further action needs to be taken to mitigate th

Establishing the context defines the parameters within which risks should be identified, prioritised and managed. Some areas that can be considered in determining the context include: Scope and struct

Risk identification is the first step in the risk assessment process noted in the standard for risk management (ISO 31000:2018 Risk management - Guidelines). This step seeks to proactively identify th