Many, many books have been written about risk management, and there are hundreds, if not thousands, of consultants offering to help you to manage the risk for your project and/or business. But is risk management really that complicated?
In its simplest terms, risk management is thinking about what could possibly go wrong, deciding how likely and/or catastrophic that would be, and taking action to avoid either the problem or its consequences.
“Risk comes from not knowing what you’re doing” - Warren Buffett
If Warren Buffett is right, then the only sin is ignorance. And there is a simple solution to that: a really comprehensive risk analysis and then a strong strategy for managing those risks. This is actually a fairly simple process, although it can seem quite involved at the time.
Risk management is a team or whole organisation business.
The best way to carry out a risk analysis is with all those involved talking around the table. Only that way can you have a sensible and complete discussion about all the risks and how to mitigate them. And it follows that revisiting your risk register on a regular basis is also a team activity, not an individual one.
Write down everything that could possibly go wrong, whether it’s big or small.
Include every last little thing that you think is relevant. Brainstorming is ideal here, as it’s likely to get all the ideas out. Then you might want to group the ideas into themes. Although this is not absolutely essential, it can be helpful where you have identified a lot of risks, as you can then produce a summary risk register, with one over-arching risk for each theme. You can also see where your risks overlap, and ensure that each one is genuinely different, and it’s easier to think about who might take responsibility for each.
Every risk needs a date by which it will either have happened, or no longer be at risk of happening.
Agree this date, and enter it in your risk register. It is not good practice to put ‘Ongoing’ under this column, so do try to quantify it if you possibly can.
Now, on a scale of 1–5, where 5 is high, decide how likely each risk is to happen (likelihood). Then decide, again on a scale of 1–5, how much of an impact it would have on the project if it happened (impact).
Again, discussion is very helpful. Agree first what each value means, where, for example, on impact, ‘5’ means that the project could not continue, ‘4’ means that it would have a significant effect on the bottom line, and so on. As you get further down the list of risks, you might want to revisit those you did earlier to make sure your analysis is consistent.
Now multiply ‘likelihood’ by ‘impact’ to give you an overall rating for each risk, from 0 to 25. This will show you where to concentrate your effort. You can use a traffic light system for this, where Red is anything over about 18, Amber is 10–18 and Green is anything under 10. And if you feel that any of them don’t come high enough up, then revisit your analysis. You have to be comfortable with this. Any risk which rates Red or Amber should be mitigated in some way.
There are four main types of mitigation action or strategy: acceptance, avoidance, limitation and transference.
Have another look at each risk. How much does your mitigation reduce the likelihood and/or impact? Recalculate the overall rating for each risk. Any which are still Red or Amber need further mitigation.
Every risk needs to have a single owner. That’s not necessarily the person who is going to carry out all the mitigation. It’s the person who is responsible for ensuring that the mitigation happens, and who answers to the Board or project manager for the risk. It is no good assigning risk ownership to someone who is not present, as they are unlikely to accept it. Every risk should be owned by someone who is round the table and part of the risk discussions. If you don’t have the right people round the table, get them there.
Every few months, at least, you should review the risk register, and check:
A risk is an event that might happen at some point. Once it happens, it is no longer a risk, but an issue, which also needs to be managed.
Alongside the risk register, you also need to maintain an active ‘issues list’, which includes all those risks which have already happened, and therefore become issues, and how you are managing them. This may be the same as the original mitigation, or it may require different action now the event has definitely happened.
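The register rules above can be checked mechanically. The following is an added example, not part of the original article: a small Python register that computes the likelihood × impact rating, applies the traffic-light bands, recalculates after mitigation and flags entries that break the rules on dates and owners. The class and function names, the sample risks, and the reading of "over about 18" as "greater than 18" are assumptions, as is treating a passed date as a prompt to close the risk or move it to the issues list.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def band(rating: int) -> str:
    # Thresholds as stated above; "over about 18" is taken here as > 18.
    if rating > 18:
        return "Red"
    return "Amber" if rating >= 10 else "Green"

@dataclass
class Risk:
    title: str
    likelihood: int                    # 1-5, where 5 is high
    impact: int                        # 1-5, where 5 = project could not continue
    expires: Optional[date]            # None stands for an 'Ongoing' entry
    owner: Optional[str]
    mitigated: Optional[tuple] = None  # (likelihood, impact) after mitigation

    def rating(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Rating recalculated after mitigation; unchanged if none is recorded.
        l, i = self.mitigated or (self.likelihood, self.impact)
        return l * i

def review(risk: Risk, today: date, present: set) -> list:
    """Return the register rules this entry breaks (empty list = fine)."""
    findings = []
    scores = (risk.likelihood, risk.impact) + (risk.mitigated or ())
    if any(not 1 <= s <= 5 for s in scores):
        findings.append("score outside 1-5")
    if risk.expires is None:
        findings.append("no end date")
    elif risk.expires < today:
        findings.append("date passed: close it or move it to the issues list")
    if risk.owner not in present:
        findings.append("owner missing or not round the table")
    if band(risk.residual()) != "Green":
        findings.append(f"still {band(risk.residual())}: needs further mitigation")
    return findings

# Constructed sample register (titles, names and dates are invented).
PRESENT = {"Priya", "Sam"}
TODAY = date(2025, 1, 1)
REGISTER = [
    Risk("Unpatched server compromised", 4, 5, date(2025, 6, 30), "Priya", (2, 5)),
    Risk("Laptop lost with customer data", 3, 3, None, "Alex"),
    Risk("Security test slips past launch", 2, 4, date(2024, 11, 30), "Sam"),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=Risk.residual, reverse=True):
        print(r.rating(), band(r.rating()), r.residual(), r.title, review(r, TODAY, PRESENT))
```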
One final point, and one to ignore at your peril.
It’s no good having the best risk analysis in the world if nobody has read it, and nobody takes action as a result.
Risk management, and crucially, the thinking about ‘what could possibly go wrong, and what should we do to prevent it?’ should be a key part of your strategy development. It needs to be integral to your organisation at all levels.
You may be surprised at the previously unmentionable concerns which become discussable in the context of a conversation about risks and how to manage them.