The Risk Management Process
Risk Management is the systematic application of management policies, procedures, and practices to the tasks of establishing the context for, identifying, analyzing, assessing, treating, monitoring, and communicating risk. It is an iterative process that, with each cycle, can contribute progressively to organizational improvement by providing management with greater insight into risks and their impact. Risk management should be applied at all levels, in both the strategic and operational contexts, to specific projects, decisions, and recognized risk areas. Risk is the chance of something happening that will have an impact on objectives. It is, therefore, important to understand the objectives of a project and your position before attempting to analyze the risks.
A Simple Process
Risk analysis is often best done in a group with each member of the group having a good understanding of the objectives being considered.
Identify the Risks: What might inhibit the ability to meet objectives? E.g. loss of a key team member; prolonged IT network outage; delayed provision of important information by another work unit/individual; failure to seize a commercial opportunity, etc. Consider also things that might enhance the ability to meet objectives.
Identify the Causes: What might cause these things to occur? E.g. the person upon whom you are relying for information might be very busy, going on leave, or notoriously slow in supplying such data; the supervisor required to approve the commercial undertaking might be risk averse and need extra convincing before taking the risk, etc.
Identify the Controls: Identify all the things (Controls) that you have in place to reduce the likelihood of your risks happening in the first place and, if they do happen, to reduce their impact (Consequence). Examples include multi-skilling across the team to reduce the reliance on one person; stressing the need for the required information to be supplied in a timely manner; sending a reminder before the deadline; and providing additional information to the relevant person before they ask for it, etc.
Establish your Likelihood and Consequence Descriptors: The likelihood descriptors are fairly generic; however, the consequence descriptors may depend upon the context of your analysis. You will need to establish these parameters in consultation with the team.
Establish your Risk Rating Descriptors: What is meant by a Low, Moderate, High, or Extreme Risk needs to be decided upon from the outset.
Add Other Controls: Generally, any risk rated High or Extreme should have additional controls applied to it to reduce the rating to an acceptable level. What the additional controls might be is something for the group to determine in consultation with other team members.
Make a Decision: Once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead. Sometimes risks are higher than preferred but there may be nothing more that can be done to mitigate the risk, i.e. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring and regular review are essential.
Monitor and Review: Monitoring of all risks and regular review of the risk profile are key parts of effective risk management.