One of the best practices of sound management and governance is to conduct an analysis of operational risks. However, this analysis is too often limited to internal risks and those related to the company’s operations.
Knowing that no organization is immune to an interruption of its operations caused by its external environment, it is necessary to identify these sources of risk and understand their possible consequences.
We propose a simplified and effective five-step approach to guide you in identifying external risks. This approach does not replace a risk analysis conducted according to best practices. The objective is to make you aware of the importance of external risk sources in order to take them into account in your strategic planning. Although the list is not exhaustive, some examples are provided to illustrate the usefulness of each step.
Identification des sources de risques externes
1- Detecting risk sources
Simply use a map with the location of your place of business as the center point, and then draw a one-kilometer radius around it. Within this radius, identify risk sources that could affect your business. If you have more than one location, this process should be done for each one. A site visit may also be required to confirm certain sources or to ensure that nothing has been missed.
Of course, some risk sources are more obvious than others to identify, such as a river, an industrial park or a nearby railroad. However, special attention should be paid to other features that may not at first glance appear to be risk sources. Sometimes these sources are not hazards per se, but they can be the subject of disruptive events that compromise your safety and that of your employees, while interrupting your operations.
2- Impact Assessment Summary
This step allows you to understand the effects and impacts that a risk could have on your business if it occurs. Thus, each risk source must be assessed to understand the consequences. This approach also enables you to perceive the locations that are exposed to the same risk sources.
The consequences are different for different risk sources, but in some cases the effects may be common. A good approach is to use a dedicated risk source register where all this information is reconciled and kept up to date.
Some risk sources may result in strikes and/or violent demonstrations, the presence of an active shooter, flooding, major fire, explosion, major road closures, hazardous substance leaks, air/water/soil contamination, long-term power outages, loss of telecommunications, etc. All of these consequences may have an impact on the company’s operations and the ability to maintain your operations and on the safety of your employees and visitors.
Thus, for several weeks, it could be difficult or even impossible to access your workplaces. Damage could be caused to your buildings and production or computer equipment, your deliveries and shipments of goods could be impossible or very delayed, your employees could be injured, contamination could require major disinfection, it could be difficult or impossible to travel on the roads to your locations, etc.
3- Risk classification
This step consists of prioritizing the risks that have the greatest impact on your operations and the highest probability of occurrence. This approach does not mean ignoring those at the bottom of the scale. It simply focuses on those that are most critical to the organization. Knowing that this classification must be reviewed annually, it is possible to update the prioritization while adding new risk sources, if necessary.
This exercise must be carried out considering that your organization could be the only one to be affected by the consequences of this risk, since your competitors are not all located in the same area as your company. Unfortunately, this situation would be to your competitors’ advantage.
4- Risk Prioritization Approval
This step, although often omitted, is essential. In order to ensure that the entire company is on board and that there is a consensus, the risk ranking should be approved by your organization’s management or board of directors. This provides a formal, written position at the executive meeting. This usually results in initiatives and budgets to implement risk mitigation measures, the establishment of risk management governance and a regular reporting process to management.
5- Implementing a business continuity plan
The last step is to implement a business continuity plan for your company. This plan establishes, among other things, the measures to be implemented to mitigate the priority risks and their consequences on the organization, allowing the most critical operations to remain functional during a major incident. In addition, it is an official document that each department can rely on in such circumstances. This plan reassures and secures your entire business ecosystem (employees, suppliers, customers, etc.).
In summary, performing a risk source analysis allows you to illustrate if there are unacceptable concentrations of risks in your company’s external environment and to know the consequences and impacts if they actually materialize. If you are looking for help to perform or revise this type of analysis, Benoit Racette Services-conseils inc. can help you! Contact us now: [email protected].