Risk management is often seen as something that project managers do. However, an effective way of managing risk across the business relies on taking a joined-up approach. Risk management should be integral to the way your teams work.
Here are 7 key criteria that can help you manage your approach to risk and be more effective and successful.
1. Must be Enterprise-Wide
It seems unnecessary to mention, but a successful enterprise risk management approach needs to encompass the whole enterprise. That means all areas of your organization need to be in scope including business as usual (operational) work and projects.
In the past, enterprise risk management tools were not always set up to support the process across the whole enterprise. That is slowly changing, and now there is greater oversight by executive management and board members.
When a risk management approach is truly enterprise-wide, you can start to reap the benefits of better management information and clarity around the level of risk faced by the business.
2. Must Look at All Risks
Traditionally, risk management at a corporate level has focused on financial risks to the organization. That is perhaps because it is difficult to quantify strategic and operational risk. Financial risk is a big part of risk management, but it isn’t the only part.
There are lots of different categories of enterprise and project risk. Effective risk management means looking at all of them, from financial and operational risks to those that relate to governance, strategy, technology and more.
Tip: Better risk categorization and definition will help you quantify the impact of non-financial risk.
3. Must Prioritize
At a company level, you can’t deal with hundreds of risks. The executive management team should be focused on understanding and mitigating the major risks. In order to know which ones they are, you need to find a way of prioritizing and identifying the ones that require focus.
While all risks should be tracked, this can be done at various levels within the organization.
Tip: Let project and program managers handle risks that exclusively relate to their work. Top-priority risks at a corporate level are likely to be strategic and operational risks.
4. Must Aggregate Risk
Looking at each risk in isolation isn’t that helpful. This approach gives you an understanding of each risk, of course, but your business faces many risks. When you look at the risk profile overall, the exposure of your organization might be more than you are prepared to take on.
Aggregating risk lets you see the bigger picture. You can then compare that to your risk appetite – how much risk you think is appropriate for your business at this time – and take any actions required as a result. You can then ensure that the level of risk you are prepared to tolerate matches the level of risk your business is exposed to across all project activities and business as usual work.
5. Must Consider Interactivity
Risks don’t affect businesses in isolation. If one risk materializes and creates a problem for your business, that might prompt another risk to materialize. Or perhaps two risks individually could be managed, but if they both happened at the same time that would be catastrophic.
Risk management approaches often consider risk in a theoretical sense, applying a silo mentality. In the real world, things can and do go wrong simultaneously.
A good risk management approach takes this into account. It looks at the interactivity between risks to understand how they work together, and whether the results would be positive or negative. For example, if two risks happened at the same time, and one had a negative result and one had a positive result, would they work to cancel each other out?
Tip: When you look at the interplay between risks, you might be able to spot other benefits of managing them together. For example, several risks needing similar management actions could be managed together, and any investments to be made as part of the management plan could be done in bulk, lowering purchasing costs. Or you may be able to insure against several risks on the same policy.
6. Must Include Action Steps
Logging risks doesn’t make them go away. Managing risk requires more than simply completing fields in an enterprise risk management tool, or tracking them against a project.
You actually need someone to take control of the risk, work out what your options are and take positive steps to implement the chosen controls.
Your risk management processes need to include these action-driven steps as well as risk identification and recording. This includes allocating an owner to each risk who will be responsible for driving through the completion of actions (even if that person does not complete all the actions themselves).
Different levels of risk, and different categories of risk, will require owners in different teams and at different levels in the organization.
7. Must Facilitate Decision Making
An effective risk management system makes it easy to make decisions about risk. Too often, risk management is all about pulling out the top risks and reporting them to the board. Alone, that is ineffective. What are they supposed to do with the information?
A risk map is a useful report. It shows the key risks with the significance of the risk – the financial impact should the risk materialize. Any critical risks with a high financial implication are the ones that management should be paying attention to.
Make sure that your risk management processes facilitate decision making. The decisions required should be clear, and it should be easy to use the information in risk reports to inform the next steps for projects and the business overall.
Looking at risk management as an integrated and integral way of working has plenty of benefits. Typically, better risk management will help you improve the way you select projects and make investment decisions, improve your estimating and improve your project results.
Take steps to improve the ways you manage risk across projects and operations in your organization, and you’ll see the benefits too.