The risk management process is an essential part of the overall way your organization responds to risk. And when the business environment feels inherently risky – such as in times of economic turbulence, transition or disruption – it’s worth taking a little time to review your risk management approach.
Your risk management framework is the governance structure that implements and supports the process. So let’s pick on the risk process for today, and review how that should work.
1. Risk Identification
The first step in the risk management process is always to identify what risks are out there. Risks can be opportunities (positive things that are uncertain) or hazards (negative things that are uncertain), they can relate to compliance or control, or they can fall under any other categorization that makes sense to your business.
Risk identification is not a one-off exercise. It’s something people think about in times of disruption, but it should be an ongoing effort for your teams. The easiest way to do this is to schedule time for it. Whether that’s part of the PMO’s responsibility, or whether it sits with the risk governance team – as long as someone is regularly reviewing the activities and projects in the business and identifying new risks, then you’re golden.
2. Risk Analysis
Risk analysis is the next step. Once you have identified what risks are facing the organization, department, team or project, you should analyze the situation to make sure it is fully understood.
Often, analysis throws up some interesting factors that might not have been properly considered until this point. Bring in your subject matter experts and dive into what happened to lead you to this situation. Consider who else needs to be involved. What might the next steps be?
Analysis and evaluation often happen in parallel and are taken to mean similar things. As part of your analysis, calculate the impact should the risk happen. The impact can be measured in financial, quality or time terms, or by any other measure that fits into your categorization system.
Finally, look at the likelihood that the risk will happen. Some risks are far more likely to occur than others. These are the ones you want to prioritize in the next step, so you have your plans firmly prepared before the risk happens. And if it doesn’t, well, it’s better to be prepared!
3. Risk Treatment
Once you have completed the risk analysis step, the team works out what options are open to them to manage the risk. This is normally done by having the experts in the room (or meeting virtually) and brainstorming the different ways the risk could be approached. They’ll then come up with a recommendation for next steps.
The risk treatment is drawn from a number of different options. For example:
- Mitigation (Reduction)
- Acceptance (Ignore)
You may use a combination of strategies, or several in succession, to manage the risk according to the challenge it presents for your business or project.
Remember, with positive/opportunity risk, you’ll want your management actions to try to make the risk as likely as possible to occur. What can you do to tip the scales and make it more likely that you’ll find yourself in that situation? Then how will you capitalize on it? This is the ‘exploit’ option in the risk management responses above.
Once a risk management strategy is approved by the appropriate person or group, draw up an action plan and allocate someone to take the lead on implementing it.
4. Risk Monitoring
You’ve identified a risk and decided how to handle it. Next you have to check that the action plan is put in place and carried through effectively.
The project manager or risk manager should check in with risk owners on a regular basis, so that progress can be monitored. Action plans can take some time to complete, so make sure everyone has realistic expectations about when it will be possible to say a risk is truly managed – or even closed. Make sure the risk owner has enough time to dedicate to managing the risk and overseeing the implementation of the action plan.
If this all sounds like a foreign language so far, it might be time for some risk management consulting services to help establish a solid base for your team’s process.
5. Risk Review
Finally, as we saw in the first step, risk identification is not a one-and-done effort. You should have your risks under regular review. On a project, it’s the project manager and team who meet to discuss the risk log. At an organizational level, the risk governance process will determine who reviews the overall risk profile and makes sure that the other steps of the risk management process are being carried out effectively and in adherence to any applicable risk management standards.
When you are putting together your risk management training plans and educating the business about how risk management processes will work in your organization, consider whether one process will manage all kinds of risk. Ideally, you should be creating a streamlined process that serves all business departments and all types of risk, whether they are compliance, hazard, opportunity or control risks.
Of course, there’s a lot more about risk management that we haven’t touched on here. You can also look at risk proximity, triggers, and a whole host of other things including tools that bring a level of robustness and maturity to the way your organization handles risk from top to bottom.
However, it starts with a simple process that can be used on organizational risk and project risk. From there, you can develop and grow the approaches used to manage risk until this process becomes second nature and part of the fabric of how the organization runs.