An effective risk management process provides a dynamic, robust and responsive approach to the protection of things of value from harm. To that end the standard risk management process has five stages (each of these stages has associated processes and techniques).
- Identifying hazards
- Assessing the risks these hazards pose to things of value
- Developing responses to these risks
- Implementing these responses
- Evaluating the effectiveness of these responses
At each stage in the risk management process it is necessary to update the Risk Register with the outcome reached.
It is very important to never lose sight of the inherent characteristics of risk – uncertainty, dynamism and ambiguity. Risks are never truly ‘controlled’. The risk management process is therefore about understanding, communicating and managing. The process involves the whole organisation and if it is effective it will change what the organisation does.
Stage 1 – Identifying Hazards
Hazards are everywhere. The skill is to identify relevant hazards.
Understanding the context of the organisation is key because the hazards facing a start-up are very different to those facing an established firm. To that end there are a number of very well known techniques that can be used to understand this context and thus to help identify relevant hazards.
Mission analysis (a technique used in the military but widely applied in the commercial world), stakeholder analysis, PESTLE analysis, SWOT analysis, Porter’s Five Forces and many, many others are all appropriate techniques to use.
It is also sensible to ask people what they perceive the hazards to be. This can be done informally or formally through the use of structured interviews and questionnaires.
Remember you are trying to identify relevant hazards, not every hazard!
Stage 2 – Assessing Risks
We assess risk by determining the impact, probability and proximity of a hazard occurring. A tool for supporting this assessment is a simple Risk Matrix.
A Risk Matrix evaluates impact and probability using a five-point scale for each factor to give a risk rating. Most risk matrices will use a colour-coded system to indicate the severity of the risk, with green indicating low risk and red indicating high risk.
Part of this stage is deciding which risks to manage and which risks to accept – not all risks are severe enough to require a formal risk response. Some are so severe they demand immediate management attention and the commitment of resources.
A good practice is to decide what the threshold is for a risk to require a formal response and to plot this threshold on your risk matrix. Anything below the threshold is accepted and managed as ‘business-as-usual’. Anything above the threshold is managed further through a risk response. This threshold is known as ‘risk tolerance’.
There are much more sophisticated methods for assessing risk but a Risk Matrix with an agreed tolerance threshold is a great place to start.
Stage 3 – Develop Responses
For every risk that is not accepted a response must be developed. Essentially in developing responses to risk we are asking the question, ‘how do we reduce the impact, probability and/or proximity of this risk? What we are trying to do is to take action to affect one, two or all, of these risk elements.
A risk response can take three broad approaches: avoidance, transference and mitigation.
Risk avoidance is a response that seeks to reduce the potential for harm by avoiding a hazard altogether. For example, if there is a puddle of water on the floor we avoid this hazard by walking around it and not through it. It is not always possible to avoid a hazard and in these cases we need to transfer and/or mitigate the risk.
Risk transference is when we transfer the risk to a third party. Every insurance contract that has ever been written is an example of risk transference. For example, risks arising from driving a car are to some extent managed through car insurance. The use of contractors is also an example of risk transference with project risks being managed by the legal terms and conditions of the contract, e.g. performance penalties.
Risk mitigation is a catch-all category for all other responses that seek to affect the impact, probability and/or proximity of a risk occurring. Sharing a risk with partners and suppliers, for example in a supply chain, is a common risk response. So is reducing the proximity of a risk, also known as ‘kicking the can down the road!’
Your organisation may use other names for this stage of the risk management process, for example, contingency planning, business continuity planning, emergency response planning, etc, are all examples of processes that develop risk responses.
Once you have developed the risk response it is necessary to re-assess the risk on the basis its implementation is effective. Thus a second, post-response, risk rating is calculated that should show the risk is now below the risk tolerance threshold. This post-response risk rating is known as the ‘residual risk’.
Stage 4 – Implement Responses
The risk response will be noted in the Risk Register. In many cases the action to be taken will require further planning, particularly in complex situations or where the risk response cuts across teams and/or organisations. In these cases many stakeholders will be engaged in implementing a risk response.
Effective risk response implementation largely depends on someone being responsible for the outcome of the action plan (reduced risk). This person is known as the ‘risk owner’. Anyone involved in implementing a risk response is known as a ‘risk actionee’ and they support the risk owner to reduce the risk.
In my experience the most common cause of failure is the risk owner not being empowered with the authority to implement the risk response as intended. This is particularly true when the risk response requires action by multiple stakeholders, many of whom may be outside the risk owner’s immediate team. Another common cause of failure is an inadequate allocation of resources and capabilities for implementation.
The point here is that an effective risk management process will result in actual changes to what an organisation does. Too frequently the risk management process stops at Stage 3 and this misses the point of the whole exercise.
Stage 5 – Evaluate Effectiveness
The effectiveness of the risk response, as well as the assessment of the residual risk, must be continuously evaluated by the risk owner and the results communicated to the relevant people. If a risk response is failing to reduce the risk to assessed post-response levels then the organisation remains exposed to that hazard.
In these cases remedial action needs to be taken and this may involve the commitment of additional resources and capabilities. The status of these risks is ‘active’.
Alternatively the risk response may be effective and the status of these risks is ‘closed’.
It is worth noting that implementing a response to a risk may expose the organisation to other hazards and they must be assessed, too.
The risk management process has five stages. It is a continuous process that reflects the inherent characteristics of risk – dynamism, uncertainty and ambiguity.
At each stage of the process the Risk Register should be updated as it is the tool that records and communicates the outcome of management decisions.
The risk management process does not stop at Stage 3 – effective risk management will change what an organisation is doing.
Effective risk response depends on a risk owner with the necessary authority, resources and capabilities to implement the risk response as intended.
Harry Thomsett is a consultant at the security and risk management consultancy SSI RM (https://ssi-ltd.com/). SSI RM provides security and risk management services to organisations operating in high threat areas around the world.