Risk Management

by Peter Parkes

In a nutshell

1. What is risk?

Risk is the uncertainty inherent in the world in which we live and do business.

  • An uncertainty may be good or bad, but risk management is about managing potential negative impacts.
  • To balance investment in opportunity against acceptable risk, we need to understand risk better.
  • An issue is a risk that has come home to roost.


2. The process of risk management

Once you have decided to do something, the process of risk management has five basic, logical steps. Each completed step adds value, but you will already have gained value from completing just the first step, or simply from understanding the principles of risk management.

  • Decide to do something!
  • Identify risks.
  • Assess risks.
  • Communicate risks.
  • Take some action!
  • Review risks.


3. Step 1: Identifying risks

This is the most important part of risk management. If you are at least aware of what your key risks are, you are probably dealing with them to some extent anyway, albeit maybe at an unconscious level.

  • Brainstorm your risks and write them down in a table.
  • Consult others to get a more complete picture, more viewpoints and a moderated view.
  • Capture the risks in a logical format, such as a risk register.


4. Step 2: Assessing risk

In our log of the risks that we have identified, usually referred to as our risk register, it is sensible to include additional columns to describe features of the risks:

  • A description (as the context will probably be lost after the initial risk assessment discussion or workshop)
  • A guess as to what may be the cause of the risk – in other words, the root cause
  • Some estimate of what the consequence of the risk may be
  • An estimate of the likelihood of the risk occurring.

With regard to our assessment of likelihood and impact, most texts refer to qualitative methods and quantitative methods.

  • In a qualitative assessment, the various combinations of likelihood and impact can be displayed in what is sometimes called a probability impact grid.
  • Quantitative assessment is about building and using the knowledge and data that the organisation has acquired over time.
  • The basis of scenario planning is imagining a number of possible futures that would be created if a specific variable changes: for example, if the price of oil were to dramatically rise or fall.


5. Step 3: Communicating risk

Once you have drawn up a risk register, or preferably held a risk workshop to come up with a more comprehensive and moderated list, the next step is to communicate your conclusions to your stakeholders. The principal stakeholders, in other words those affected most by the risk management process, will include:

  • Higher levels of management, so that they can form a coordinated view of risk to the business
  • Any professional risk management function within the organisation
  • People you have involved in any risk workshop
  • Those people most affected by individual risks (especially safety-related risks)
  • Those people you have identified as able to take action to reduce (mitigate) risk.

To communicate the risks effectively to the above, keep your risk register as simple and clear as possible.


6. Step 4: Taking action

Our assessment of risks gives us a pecking order to work from. This is indicated by the likelihood of risk and the potential impact. Our basic tools for communicating risk, such as our risk register and probability impact grid, indicate which risks to deal with first, especially when we have limited resources. We can take one or a combination of several forms of action in dealing with risk:

  • Accept risk
  • Transfer the risk
  • Reduce the probability of the risk
  • Reduce the impact of the risk


7. Step 5: Reviewing risks

Risks aren’t only for Christmas. Once you have started a risk management process, then you need to take into account that the map of risks changes with time.

  • Keep a column in the risk register for updating progress.
  • If a risk register is not being used, then add risk actions to any more general action logs in use – for example, for a management team meeting or a project team meeting.
  • It’s easier and quicker to keep a risk register than to start from Step 1 each time the picture changes.


8. Organising a risk workshop

As with any workshop, it is usually best to get someone independent to manage the process and arbitrate. Some organisations have internal trained facilitators, while others buy in trained consultants when required for these purposes. Get as wide a representation as possible – different departments, different outlooks, old and young, junior and senior grades.

  • Before the workshop – gather a wide range of people who can usefully contribute and explain your purpose.
  • First session – brainstorm and capture as many risks as possible.
  • Break to rationalise results and put them in logical order in the risk register.
  • Second session – assess the likelihood and impact of the risks; agree what should be done and who should do it.


9. Starting a risk register

A risk register captures the stages of the risk management process and helps us to view our overall risks, the ones we need to prioritise, and the status of any progress in mitigating them. To add value, an effective risk register needs the following fields (which are built up and refined through the process):

  • A unique identifier or reference, so that we can keep track
  • A description, so that we have a common understanding (often lost after the original workshop)
  • A guess at what might be the root cause or initiating event that may cause the problem (there may be several)
  • A description of what the consequences of the risk may be
  • An estimate of what the likelihood of an event occurring might be
  • An estimate of what the consequences might be if the event happens
  • A column for risk severity – a multiplication of the probability and the impact
  • Some agreed actions, even if this is ‘do nothing’, with a responsible person ascribed to doing the action
  • A column to capture and monitor progress during reviews in order to confirm that we are on top of our risks


10. Tools for risk management

There are several standard management tools and models which can be applied to risk management, including:

  • Stakeholder analysis – most of your risks may come from the people around you
  • Porter’s five forces model – what are your competitors doing?
  • SWOT – a common management model, including your weaknesses and threats
  • Force field analysis – includes negative forces
  • FMEA – Failure Mode and Effects Analysis