1. Communicate and Consult
The first step is to involve the people who have an interest in the process, and therefore the risks, which are to be managed. Broad and inclusive communications will enable as much relevant information as possible to be gathered. This ensures the correct context, identification, prioritisation and analysis of risks. Buy-in at this stage is also important to ensure the involvement and commitment needed for the achievement of risk management outcomes.
2. Establish the Context
Establishing the context need not be a difficult concept to understand and apply. Risk is defined as “an opportunity for something to occur that can impact objectives”. Objectives are normally derived from the organisational strategy, so the first step is to understand the strategic and business objectives. We can then look at the influences that will impact on those objectives; for example, political/legal, economic, social, technological, trends and global issues. Within organisations there will generally also be operational or internal objectives at the business unit level. By clarifying these objectives, it becomes easier to understand the context and the environment in which those risks exist. When we have clarified the objectives of and throughout the organisation, we can determine the scope of the risk management activities we are going to undertake. Clear boundaries or reference points, as well as intended outcomes can be established, together with a logical approach to identify and manage risks throughout the organisation.
3. Establish the Risk Framework
We develop our criteria for measuring risk in terms of how likely risks are to impact on our objectives, as well as the consequences if they do occur. This is commonly known as a risk matrix. It is needed in order to rate the severity of risks for our organisation. Most organisations tend to choose 4 or 5 levels of likelihood, from rare through to almost certain. Consequences can fall into many categories. These may include financial, quality, environmental, health and safety, asset, and business disruption. When we have established these categories we need to ‘calibrate’ the consequence levels across them, so that a given level means a comparable severity whether the consequence is financial, environmental or a health and safety one. By combining the various levels of likelihood and consequence, we can apply our risk ratings throughout the organisation. Examples of risk ratings could be from low through to extreme. For example, if something is almost certain with a consequence of fatality, we would obviously give that the highest risk rating of Extreme.
4. Identify the Risks
This is done by systematically reviewing processes and questioning what could possibly go wrong, or what could possibly be achieved. Risk identification is best undertaken using a multidisciplinary team. This provides a better opportunity to identify all risks and their causes. It is wise to have one or two people who have a very good understanding of the processes involved, and to include all levels of management. Other stakeholders from interfacing processes can provide valuable input, as can the stakeholders who would bear the consequences, negative or positive, if a risk eventuates. Risk identification should be undertaken using a systematic approach, starting at interfaces, working through processes and finishing with downstream interfaces. If ad hoc or intuitive approaches are used, important risks may not be identified.
5. Analyse the Risks
Analysis enables us to make informed decisions about prioritisation of risk treatment. It involves starting from the basis of the existing controls we have in place. Then we consider the likelihood and consequences of the risk, in the context of a range of factors, such as historical information, performance, experience, research and stakeholder input.
6. Evaluate the Risks
Once risk analysis has been completed, we can determine the ranking and prioritisation of risks for treatment purposes. This is based on the criteria we established in the risk framework. For our higher level risks, we may undertake some further investigation and analysis to determine treatment plans.
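As an added illustration of steps 3, 5 and 6 (not from the original article), the following Python sketch builds a calibrated 5x5 risk matrix, rates each risk from Low to Extreme, and ranks a register for treatment. The likelihood names, consequence descriptors, the product-based scoring and the rating thresholds are all constructed assumptions; an organisation would set its own.

```python
"""Constructed risk matrix example: calibrate, rate, rank (illustrative only)."""
from dataclasses import dataclass

# Five likelihood levels, rare through almost certain, scored 1..5 (assumed names).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Consequence descriptors for three categories, calibrated onto one shared 1..5
# severity scale so that, e.g., a fatality and a loss over 10M sit on the same level.
# The descriptors and bands are constructed for this example.
CONSEQUENCE = {
    "health and safety": {"first aid": 1, "medical treatment": 2,
                          "lost time injury": 3, "permanent disability": 4, "fatality": 5},
    "financial": {"<10k": 1, "10k-100k": 2, "100k-1M": 3, "1M-10M": 4, ">10M": 5},
    "business disruption": {"<1 hour": 1, "<1 day": 2, "<1 week": 3,
                            "<1 month": 4, ">1 month": 5},
}


def rate(score: int) -> str:
    """Map a likelihood x consequence product (1..25) onto Low..Extreme (assumed bands)."""
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: str      # key of LIKELIHOOD, after existing controls are considered
    category: str        # key of CONSEQUENCE
    consequence: str     # descriptor within that category

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.category][self.consequence]

    def rating(self) -> str:
        return rate(self.score())

    def treated(self, new_likelihood: str) -> "Risk":
        """Re-rate after a treatment that reduces the likelihood (controls unchanged otherwise)."""
        return Risk(self.name, new_likelihood, self.category, self.consequence)


def prioritise(risks: list) -> list:
    """Rank the register for treatment, highest score first, stable for ties."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)
```

Running `prioritise` over a register puts the "almost certain, fatality" risk (score 25, Extreme) ahead of a "rare, under 10k" one (score 1, Low), and `treated` shows how lowering likelihood changes the rating without touching the consequence.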
7. Treat the Risks
Risk treatment strategy is the major work of risk management, and depends on what the organisation wants to achieve. For example, the organisation may limit its treatment activities to what is the accepted normal practice in that industry, or it might aim for the absolute minimum risk no matter what the cost. There are generally a number of priorities and methods of treating risk.
For negative risks:
- Avoid the Risk
- Reduce the likelihood of the event happening
- Reduce the consequences if it does happen
- Share some or all of the risk
- Accept/Retain the Risk and develop contingencies
For positive outcomes, we want to exploit the opportunity. This may involve:
- Determining those outcomes to pursue
- Improving the likelihood of the opportunity
- Improving the consequences
- Sharing the opportunity
- Retention of the remaining opportunity
Risk treatment should be undertaken using a planned approach that can be monitored and evidenced. Some analysis does need to be undertaken to determine the best method of treatment, taking into consideration the cost and the benefit, legal and social issues, and perception of stakeholders.
8. Monitor and Review
We need to ensure that, once the previous steps have been implemented, the risk management process is monitored, with regular review and reporting. Risk likelihoods and consequences can change over time. Risk profiles should be monitored to identify changes, and to ensure that the treatment plans are in accordance with the parameters we set, including time, resources, and responsibilities. Management need to be able to measure the improvements made and demonstrate due diligence in the treatment. Appropriate KPIs may be established, trended and monitored to support this.
Risk management is a fundamental element of due diligence. We need to ensure that we have sufficient auditable evidence of how risk management is being applied, both for decision purposes, and to demonstrate integrity in the processes of risk management. This means that we should have documented evidence of each stage including our methods and sources of information and risk treatments.