August 31, 2021

What is a Risk Assessment Procedure? Learn the Basics and Start with a Risk Assessment Template


What is Risk Assessment?

Risk assessment is the overall method of identifying potential causes of harm and evaluating the risk associated with those hazards. Risk assessment procedures help companies protect their employees and business and are part of the risk management discipline.

Risk assessment is a three-phase process: risk identification, risk analysis, and risk evaluation.

Want to get started right away? Conduct a visual risk assessment with a free trial of Gliffy.

What is Risk Identification?

Risk identification requires that managers find the events, hazards, or factors that could prevent their work, business, or enterprise from achieving its goals.

Risk identification does not include gathering data to understand the level of risk, the likelihood of the event occurring, or an estimate of its impact. Those factors are added and weighed in the analysis and evaluation phases of the process.

Examples of risks identified for a construction company building a house for a client could be:

  • Errors in blueprints or structural designs
  • Changing priorities of future homeowner
  • Permits denied or delayed
  • Hazardous material found at the building site
  • Flooding
  • Insufficient staff
  • Materials on backorder or unavailable
  • Changing prices of building materials
  • Equipment failure

Depending on the industry of your business or the scope of your project, there may be specific risk identification checklists or other resources that can help your team identify common risks faced by companies like yours. Your company may also have documented the risks it identified or discovered during past projects. These can be a good place to start, but take the time to brainstorm any other risks specific to your business or environment.

What is Risk Analysis?

Risk analysis is where you consider the likelihood, potential impact, and sources of the risks you identified.

While conducting risk analysis, you should consult both internal resources at your organization and external sources. You can also take the opinions of experts or stakeholders into account. Be sure to note where you found the information for your analysis and any assumptions you made, so that the documentation of your analysis is clear and robust.

Using the examples from the risk identification process, here are some examples of the information you may need to include in your analysis:

  • Errors in blueprints or structural designs
    • Data: Our company encounters errors on 4% of projects
    • Project history: The architect assigned to this project has made 2 errors on his last 20 projects. These errors were minor and were resolved early in the project.
    • Stakeholder assumption (from Project Lead): “This house is very similar to what we typically build. I don’t expect any major issues.”
    • Impact: When caught early, errors in blueprints or structural designs can delay the project by a few days. If not caught early, resolving an error can take several weeks.
  • Changing priorities of future homeowner
    • Stakeholder assumption (from Project Lead): “The client seems to know what they want. I doubt they will make any major changes mid-project.”
    • Data: 40% of our projects include an early-stage change on the building plans.
    • Data: Less than 3% of our projects include a late-stage change on the plans.
    • History: Since implementing a steeper change fee after the initial blueprint sign-off, clients are less likely to request changes. We are better compensated if these changes occur.
    • Impact: Changes by the client can delay the project by a few days. Because of our contract structure, these are not likely and we are compensated for these changes.

What is Risk Evaluation?

Risk evaluation is the final step of the process. It takes the analysis of the risks your team identified and requires that your team make decisions on whether or not they are comfortable with the level of risk. If a risk is not tolerable, then the team should identify steps to mitigate that risk — either making it less likely to occur or reducing its impact should it occur.

Some industries or organizations have a set of criteria that determines which risks are tolerable and which risks require action.

Using the examples above, you may decide that the level of risk associated with an error in the blueprints is unacceptable. You can address this risk by assigning an additional architect or engineer to the project so that they can have an extra expert review the project plans before starting construction. This may cost more, but you determine that the extra cost is worth minimizing the risk and could try to pass some of that cost on to the client.

On the other hand, you could decide to take no action against the risk of changes from the future homeowner. Because of the fee structure in place, you think changes are unlikely and will have little impact on overall business goals. Choosing to take no action is a common outcome within the evaluation process, but it’s still beneficial to identify and analyze these risks so that all stakeholders understand the position the business is in.


How Risk Assessment Procedures Can Help Your Business

Working through identification, analysis, and evaluation is a great way to find the factors that could throw your project off track. But without structure, this process is far from a true procedure. The risk management discipline seeks to standardize the inputs and outputs of each of these steps to create a better understanding of risks to the organization.

By setting standards for how you rate or rank likelihood or perceived impacts on projects, you can make a risk assessment process more iterative. As you work to mitigate risks, you can better document what helped and what did not. You can define which stakeholders or lines of business should always be involved so that every assessment involves a well-rounded set of opinions. And, as you document your assessments, you can more easily reference them in the future. 

Consider creating a standard operating procedure (SOP) document to guide your organization through future risk assessments. This will increase your ability to learn from past projects, highlight new insights as you repeat the procedure, and help your team iterate on its work.


How to Conduct a Risk Assessment Procedure

Before working your way through the process, make sure to identify and gather any stakeholders and subject matter experts who can help you evaluate the level of risk from multiple perspectives in your organization. 

1. Risk Identification

This step is for identifying as many risks or hazards to your project as possible. You can schedule a brainstorm with your experts, or ask everyone to brainstorm separately and then meet to review the notes. You may also go through multiple rounds of brainstorming or combine both methods.

It can be helpful to create relevant categories to try to structure your team’s ideas. For example, risks can come from technological failures, human error, changing laws or regulations, environmental factors or natural disasters, competitor activity, problems with project management, or problems within your larger organization.

In Gliffy, you can use concept mapping as a way to capture these ideas while you brainstorm. Make sure you’re signed up for a free trial so that you can drag and drop as fast as you ideate.

Template for Risk Identification Brainstorms

2. Risk Analysis

Once you have a list of risks, it’s time to evaluate their likelihood and potential impact on your business or project. This will likely be a written activity, but you can continue to use the concept map from the first step to guide your research and conversation.

You may decide that “low risk” items don’t require deep assessment. Adding color coding to your original concept map can help clarify for stakeholders which risks will be assessed in depth and which will be quickly addressed. Here’s an example of what this can look like in Gliffy:

Example of a risk identification exercise

You could also plot the risks you identified against their likelihood of happening and their impact to your business. This is called a risk analysis chart.

Example of a risk analysis chart

3. Risk Evaluation

Diagrams are a great way to get people to share their feedback or ideas. As you enter the evaluation phase, bring the visuals that support your research and assessment. If you use Gliffy, you can easily make tweaks and review the version history of your work, which makes it easy to adjust to feedback as your team evaluates the risks.

These diagrams and charts are also great to include in documentation so that you can quickly explain your decisions in the future or reference them should one of the risks occur.
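As an added example (not Gliffy's code or the post's own), the following Python builds the likelihood-versus-impact risk analysis chart from step 2 and applies a tolerance criterion of the kind step 3 describes. The risk list reuses the construction example above; the low/medium/high ratings, the `source` notes, and the tolerance threshold are constructed assumptions.

```python
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # ordinal scale used for both axes


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS
    source: str      # where the rating came from: data, history or stakeholder assumption

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.name}: ratings must be one of {LEVELS}")


def score(risk: Risk) -> int:
    """Ordinal product (1..9): (likelihood index + 1) * (impact index + 1)."""
    return (LEVELS.index(risk.likelihood) + 1) * (LEVELS.index(risk.impact) + 1)


def evaluate(risks, tolerance: int = 2) -> dict:
    """Apply the tolerance criterion: scores above it require mitigation steps."""
    return {r.name: ("mitigate" if score(r) > tolerance else "accept") for r in risks}


def chart(risks) -> str:
    """Text risk analysis chart: rows are impact (high at top), columns likelihood."""
    grid = {(lik, imp): [] for lik in LEVELS for imp in LEVELS}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.name)
    rows = []
    for imp in reversed(LEVELS):
        cells = [", ".join(grid[(lik, imp)]) or "-" for lik in LEVELS]
        rows.append(f"impact {imp:<6} | " + " | ".join(f"{c:<30}" for c in cells))
    rows.append(" " * 14 + "| " + " | ".join(f"likelihood {lik:<19}" for lik in LEVELS))
    return "\n".join(rows)


# Constructed ratings for the construction-company risks discussed in the post
RISKS = [
    Risk("Blueprint errors", "low", "high", "data: 4% of projects; weeks of delay if caught late"),
    Risk("Client changes priorities", "medium", "low", "data: 40% early, <3% late; change fee in contract"),
    Risk("Permits denied or delayed", "medium", "medium", "constructed rating"),
    Risk("Hazardous material on site", "low", "high", "constructed rating"),
    Risk("Materials on backorder", "high", "medium", "constructed rating"),
]

if __name__ == "__main__":
    print(chart(RISKS))
    for name, decision in evaluate(RISKS).items():
        print(f"{decision:>8}: {name}")
```

Note that an ordinal product compresses information: a low-likelihood, high-impact risk scores the same as a high-likelihood, low-impact one, so in practice the decision criteria should be set per grid cell rather than on the single number alone.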


Use Gliffy for Your Next Risk Assessment Procedure

With Gliffy, diagramming is simple and fast — you can just drag and drop shapes at the speed of your ideas so it’s great for business diagrams like flowcharts, org charts, and more. Start your free trial and try using Gliffy to identify and assess risks to your business today. 


Extra: Risk Management Resources for Software Developers

Risk assessment is a valuable skill for any team leader in any industry. Because Gliffy is a popular tool when it comes to diagrams for software engineering, these resources might help:

✏️ Blog: Risk Scoring for Product Developers
📄 White Paper: Risk Management in Software Development is Easier than You Think
