EITHER E

ALDE BUSINESS SCH

EITHER EALDE
BUSINESS SCHOOL

RISK ASSESSMENT PROCESS

STUDY CASE
EALDE Business School
Practical case
Risk analysis techniques. ISO 31010
EITHER
EALDE BUSINESS SCHOOL

Course objectives
This course has allowed us to know in detail all the phases of the risk assessment
process.

In this practical case, we are going to carry out four exercises with two sections each
that aim to put into practice the knowledge acquired and demonstrate the
understanding of the key aspects of risk assessment and what is considered the
degree of maturity in risk-based thinking.

Exercise 1
Question a)
Imagine any activity in which there is an order or order receipt and a product or
shipment output, and describe it in no more than 10 lines .

Question b)
Now, based on that described activity, complete TABLE 1 on the next page with 4
examples of events according to the description of the fields shown below:

(1) The description of the event. For example: That an incorrect product has been
noted in the order.

(2) The type of event. Related to inputs (EE), to the process of internal origin (EI) or
external (EX).

1
Practical case
Risk analysis techniques. ISO 31010
EITHER
EALDE BUSINESS SCH

(3) Part of the process in which we consider it or appear for the first time. In this case,
at the entrance (Reception and validation of the order).

(4) We will indicate HIGH, MEDIUM or LOW, depending on whether we think that
what can cause the event to occur is something very complex or not. In this example
we could say that, as we imagine a company with very few different products, the
complexity is LOW.

(5) We will indicate HIGH, MEDIUM or LOW, depending on the degree of control that
we consider we have over the event.
It becomes an indicator of probability of occurrence. In this example we could assume
that the salespeople are all very experienced, so the probability that the order includes
the wrong product is LOW. But in the case of a new addition to the sales team, that
probability could go from MEDIUM to HIGH, if the salesperson has not been properly
trained.

(6) We will indicate HIGH, MEDIUM OR LOW depending on how much we think the
outputs may be diverted if the event occurs. In this case, let's think that the order
would end up being delivered and collected, but the profitability of the entire process
would be lower, we could characterize it as MEDIUM (-), negative because the
deviations would cause losses. Is the importance of clearly defining the outputs or
objectives understood?

2
Practical case
Risk analysis techniques. ISO 31010
EITHER EALDE
BUSINESS SCH

TABLE 1

Process 1

What we hope will come in: What we hope comes out:

An order with all the information necessary to make the delivery Profitable collection and customer satisfaction
What can happen that causes the inputs to differ from what is expected. What can happen that causes the outputs to differ from what is expected.
Ticket Events (EE) Events specific to the process (EI) and external events (EX).

Identification and characterization of risks

Complexity of the Degree of certainty that Effect we think it may

Part of the process in Degree of control we have
Event (1) Type (2) event. How many we have that it can occur have on the output
which it can happen ( 3) over the event (5) (6)
things it depends on (positive or negative) (7)
(4)
that can be given

3
Practical case
Risk analysis techniques. ISO 31010
EITHE
REAL
DE BUSINESS SCHOOL

Exercise 2

Let's consider the following figure:

On the “y” axis we have the probability. From the value “zero” (impossible
event), to the value “one” (sure event).

On the “x” axis we have the consequences. From the value “zero” (no effects on
the objectives), to the value “ten” (which surely compromises the objective).

As we see, the graph has 4 regions indicated with the letters A, B, C and D.

Each of these regions corresponds to one of the following descriptions:

“1” Region of high or very high probabilities and moderate or low

consequences. It is a region of inefficiencies. Small, very recurring losses that,
because they are small, do not receive the attention they deserve, but because
they happen very frequently, they can cause problems for the organization.

4
Practical case
Risk analysis techniques. ISO 31010
EITHE
REAL
DE BUSINESS SCH

“2” Region of very high probability and high consequences. It is a region of

events that should not be part of the risk analysis. It is the area of the company's
serious inefficiencies. It is an area of events that, if they happened as frequently
as it says, the organization would be closed.

“3” Region of true risk management. Events of low probability and medium-high
consequences.

“4” Region of very low probabilities and very low consequences. It is a region in
which events are not usually identified since we never think of them as a threat
and, furthermore, they really are not.

Question a)
Well, based on these considerations , complete TABLE 2 indicating with the
corresponding number (1,2,3,4), which description corresponds to each region
(A, B, C, D)

TABLE 2
REGION DESCRIPTION (Indicate 1,2,3 or 4)
TO
b
c
d

Question b)
Make a comment of between 500 and 800 words in which you compare region A
with region B, giving specific examples of each of them.

5
Practical case
Risk analysis techniques. ISO 31010

O EALDE

Exercise 3
We have seen in the techniques and tools class that ISO 31010 proposes the
following examples for each phase of the risk assessment process:

86. Analyze dependencies and

Bl. Get views
•
•
Brainstorming
Delphi technique
TECHNIQUES AND TOOLS FOR interactions
• Causal maps

RISK MANAGEMENT
• Cross impact analysis
• Nominal groups
• Interviews

INCLUDED IN ISO 31010:2019

• Surveys 87. Provide risk measures
• Toxicological risk assessment
82. Identify risks
• Data protection impact analysis
• Checklists
• Value at risk (VaR)
• FMEA/FMECA • Conditional Value at Risk
• HAZOP (CVaR)
• Scenario analysis
SWIFT
88. Significance of the risk
83. Determine flows, sources and • ALARP/SFAIRP
drivers • Frequency number (FN)
* Cyndinic method or model diagrams
* Ishikawa method • Pareto diagrams
* Root cause analysis • Reliability-based maintenance
84. Control analysis • risk indices
• Bow Tie Analysis
89. Choice between options
• HACCP
• Cost-benefit analysis
' LOPA
• Decision Tree Analysis
85. Probability and consequences • Games theory

• Bayesian analysis • Multicriteria analysis

• Bayesian networks B10. Registration and report

• Risk register

• Business impact analysis •

matrix
Probability-consequence

• S Curves
• Event tree analysis • bow tie

We have also seen that the characteristics that we should take into account of a
technique in order to assess its suitability are:

• Its general application (what it is usually used for)

• Scope (For what business dimension is it usually used: company, area,
department, process, task, for some of the above, for all...)
• Time horizon (if it is a technique that is used for events and/or
decisions in a short, medium or long term time horizon)

• Starting information / necessary data (What do we need to

use it)

• Level of competence of specialists (What type of professionals and

6
Practical case
Risk analysis techniques. ISO 31010
training required)

7
Practical case
Risk analysis techniques. ISO 31010
EITHER EA
LDE BUSINESS SCHOOL

• Type of method (whether it is a qualitative, quantitative, mixed, very objective,

subjective method...)
• Effort required (if the amount of personal and information resources represents a
considerable, moderate or very limited operational cost)

Question a)
Choose any of the techniques in the figure and describe it using the parameters indicated
in the previous section (application, scope, time horizon...)

Question b)
Give a concrete example in which you would use the selected technique and briefly
describe (less than 250 words) how you would develop it.

8
Practical case EITHER EA
LDE
Risk analysis techniques. ISO 31010
BUSINESS SCHOOL

Exercise 4
Let's start from the following figure in which different characteristics of the companies
were shown according to their level of maturity:

'Risks are systematically assessed

Levels of a model
risk maturity
/ Some degree of concern about risk but
without specific procedures to
evaluate them in a general way
/ Normally they have identified and more
or less controlled some of the risks
that they subjectively consider
critical .
Level 1
It is a level associated
with reactive
management .
Evaluation activities are
void.
/ There are specific policies and procedures that define the roles and responsibilities of members of
the organization
✓ It is very efficient in the treatment and monitoring of them
Level
3 A specific scheme or
Sc has the resources and framework is followed.
capabilities to evaluate Trained and qualified
risks and to a large extent personnel are available.
treat them. Certain risks are quantified
The definition of policies is with advanced statistical
intuited although they are procedures. It is reported to
not formally established the board of directors
periodically and in a timely
manner.

Question a)
Define, for each of the 5 levels, a new characteristic that allows a company to be included
in that maturity level.

Question b)
Give an example of a typical maturity level 3 company and another, a typical level 1
company, briefly describing the reasons why they are included in that level. (500 words)