Many, many books have been written about risk management, and there are hundreds, if not thousands, of consultants offering to help you to manage the risk for your project and/or business. But is risk management really that complicated?
In its simplest terms, risk management is thinking about what could possibly go wrong, deciding how likely and/or catastrophic that would be, and taking action to avoid either the problem or its consequences.
((Risk comes from not knowing what you’re doing))- Warren Buffett
If Warren Buffett is right, then the only sin is ignorance. And there is a simple solution to that: a really comprehensive risk analysis and then a strong strategy for managing those risks. This is actually a fairly simple process, although it can seem quite involved at the time.
Risk management is a team or whole organisation business.
The best way to carry out a risk analysis is with all those involved talking around the table. Only that way can you have a sensible and complete discussion about all the risks and how to mitigate them. And it follows that revisiting your risk register on a regular basis is also a team activity, not an individual one.
Steps for a Successful Risk Management Strategy
1 – What Could Possibly Go Wrong?
Write down everything that could possibly go wrong, whether it’s big or small.
Include every last little thing that you can think of is relevant. Brainstorming is ideal here, as it’s likely to get all the ideas out. Then you might want to group the ideas into themes. Although this is not absolutely essential, it can be helpful where you have identified a lot of risks, as you can then produce a summary risk register, with one over-arching risk for each theme. You can also see where your risks overlap, and ensure that each one is genuinely different, and it’s easier to think about who might take responsibility for each.
2 – Assign a Date by Which the Risk Will Have Occurred
Every risk needs a date by which it will either have happened, or no longer be at risk of happening.
Agree this date, and enter it in your risk register. It is not good practice to put ‘Ongoing’ under this column, so do try to quantify it if you possibly can.
3 – Quantify your Risks
Now, on a scale of 1–5, where 5 is high, decide how likely each risk is to happen (likelihood). Then decide, again on a scale of 1–5, how much of an impact it would have on the project if it happened (impact).
Again, discussion is very helpful. Agree first what each value means, where, for example, on impact, ‘5’ means that the project could not continue, ‘4’ means that it would have a significant effect on the bottom line, and so on. As you get further down the list of risks, you might want to revisit those you did earlier to make sure your analysis is consistent.
Now multiply ‘likelihood’ by ‘impact’ to give you an overall rating for each risk, from 0 to 25. This will show you where to concentrate your effort. You can use a traffic light system for this, where Red is anything over about 18, Amber is 10–18 and Green is anything under 10. And if you feel that any of them don’t come high enough up, then revisit your analysis. You have to be comfortable with this. Any risk which rates Red or Amber should be mitigated in some way.
4 – Decide on Mitigation
There are four main types of mitigation action or strategy: acceptance, avoidance, limitation and transference.
- Acceptance means accepting the risk, and taking no action to mitigate it. It’s a reasonable strategy for a risk that will only have a small impact, or is unlikely to happen, and where taking any action to mitigate it could be disproportionately expensive, but it’s not going to work for every risk on your list.
- Avoidance means making every effort to avoid the risk. This strategy is normally very expensive, and only worthwhile for really catastrophic risks that are almost certain to happen.
- Limitation is the most usual mitigation strategy, which aims to limit either the likelihood or the impact of the risk, and therefore reduce the effect that it will have on the business or project. It’s a bit like a hybrid acceptance/avoidance strategy.
- Transference is the transfer of risk to someone else who is prepared to accept it. This is a strategy used by a lot of companies to avoid having to undertake activities which are not part of their core competences but would be a problem if they went wrong. It includes, for example, outsourcing of payroll management.
5 – Re-quantify the Risks
Have another look at each risk. How much does your mitigation reduce the likelihood and/or impact? Recalculate the overall rating for each risk. Any which are still Red or Amber need further mitigation.
6 – Assign Responsibility
Every risk needs to have a single owner. That’s not necessarily the person who is going to carry out all the mitigation. It’s the person who is responsible for ensuring that the mitigation happens, and who answers to the Board or project manager for the risk. It is no good assigning risk ownership to someone who is not present, as they are unlikely to accept it. Every risk should be owned by someone who is round the table and part of the risk discussions. If you don’t have the right people round the table, get them there.
7 – Periodically Review and Close/Move to the Issues List
Every few months, at least, you should review the risk register, and check:
- Progress on mitigation, and whether the mitigation is still relevant, or if more and/or different action is necessary;
- Whether any of the risks are past their ‘sell-by’ date, and can therefore be closed (that is, you can agree that they are no longer likely to happen), or have already happened, and should therefore be moved to the ‘Issues list’.
A risk is an event that might happen at some point. Once it happens, it is no longer a risk, but an issue, which also needs to be managed.
8 – Deal with Issues
Alongside the risk register, you also need to maintain an active ‘issues list’, which includes all those risks which have already happened, and therefore become issues, and how you are managing them. This may be the same as the original mitigation, or it may require different action now the event has definitely happened.
Take Ownership of Risk Management
One final point, and one to ignore at your peril.
It’s no good having the best risk analysis in the world if nobody has read it, and nobody takes action as a result.
Risk management, and crucially, the thinking about ‘what could possibly go wrong, and what should we do to prevent it?’ should be a key part of your strategy development. It needs to be integral to your organisation at all levels.
You may be surprised at the previously unmentionable concerns which become discussable in the context of a conversation about risks and how to manage them.