Risk assessment is a valuable risk management tool in managing the dangers or risks that threaten an organization. The ultimate risk management goal is to protect the organization, its employees, volunteers, donors, clients and others from harm. One way to achieve that goal is to identify the ways harm can occur and take measures to avoid or minimize its impact.
The risk management process begins with a risk assessment that identifies and analyzes the risks or exposures that an organization faces. A risk assessment is asystematic procedure that examines the different facets of an organization’s operations. The risk assessors or team divides and reviews the different operational areas. The team focuses on the board, physical plant, financial controls, human resources, fund raising, health and safety, and other categories that will identify the organization’s exposures. An organization’s full commitment to the assessment will help it identify all exposures, since an unidentified exposure is a loss waiting to happen.
Organizations can use many different methods to identify its loss exposures. Options include a risk assessment survey or questionnaire, review of the organization’s loss experience, analysis of financial statements, review of internal documents and records, operational flowcharts, personal inspections of the organization’s facilities and operations, and use of outside experts. An organization can also inventory its assets as physical, financial, human resources and reputational to identify its exposures. The team can also categorize the exposures by type of loss — property (tangible and intangible), net income (loss of revenues or increase in expenses), personnel, and liability.
Analysis of the identified exposures is the next step. First, consider the possibility of how often the event might occur (frequency). Second, determine the probable size of the loss (severity) if it does occur. The organization should address the risks with the largest severity and highest frequency factors first. Through analysis, the organization sets its priorities for addressing its exposures.
After the risk assessment, the risk management team evaluates the options for addressing the exposures. The team establishes a program for setting up and monitoring the selected risk management techniques. Since organizations are dynamic, risk management, especially risk assessment, is an ongoing process. As the organization changes, it must modify its risk management program to meet the new challenges.