Risk management process
The risk management process is a sequence of activities which aim at reducing risks to an acceptable level. It includes the identification, analysis, evaluation, treatment and monitoring of risks and risk-related activities. The ISO 31000 standard defines the risk management process as the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
The risk management process can be applied to project management, financial management, quality management and other areas. It is a universal approach to risks. Therefore it is recommended to implement one risk management process in the whole enterprise, which will be able to serve the different functional areas.
The risk management process consists of several steps. There are different descriptions of that process in the literature. The most comprehensive is the version proposed by D. Cooper, described below. ISO 31000:2009 uses this process description in its risk management model (framework).
Establishing the context
Top management expects that all risks will be identified and treated before they happen. Therefore the most important objectives are:
- reporting current and incoming risks,
- consolidation of risks and opportunities (as two sides of the same coin),
- effective information system,
- transparency of decision process,
- possibility of monitoring risk related actions,
- many warnings, no surprises
The key stakeholders are:
- top management
- business units
- business partners
- customers, users
- regulatory bodies
- local community and society
Depending on the area under investigation, the object of analysis should be divided into parts. In the case of a project, the key elements will be the work packages in the work breakdown structure. In the case of quality management, the key elements are related to the process or product being analysed.
Identifying the risks
What can happen?
The first step of identification is determining what can happen to the key elements. In order to establish possible situations it is convenient to use tools such as brainstorming, experience analysis, checklists, surveys, etc. The typical sources of information are data from earlier projects, lessons learned, good practices, literature on the subject, audit reports and experiments.
How can it happen?
Apart from what can happen, the research team should also identify how it can happen. Understanding the causes and the ways a risk can occur is essential for dealing with risks. It is not enough to treat the risk itself; usually the best option is treating the causes.
Analysing the risks
The likelihood is determined on a quantitative scale (if data is available) or a qualitative scale. The typical levels of likelihood are:
The consequences should be evaluated in many aspects, among others: costs, time, reliability, politics, social, integrity, employees, health and security, information security, environment, legislation, reputation. The scale is usually qualitative:
Level of risk
- Acceptable level of risk is the level of likelihood and consequences that is regarded as the usual risk related to normal operation.
- Increased level of risk is not comfortable for the team, enterprise or project, but it will not lead to defeat.
- Unacceptable level of risk is the level above which the risk can be too dangerous for the enterprise or project. The unacceptable level should never be exceeded.
Evaluation of the risks
The current level of risk is determined based on likelihood and consequences. The greater the product of those two, the greater the risk level. The risk level can also be shown on a risk management matrix.
The risks can be ranked based on the evaluation. The most important risks should be dealt with first.
The typical options in risk treatment are:
- risk avoidance
- hazard prevention
- risk reduction
- risk sharing
- risk retention
- acceptance of residual risk
Select the best responses
The best response depends on the level of risk, the impact, how difficult it is to remove the causes, etc. The response should decrease the risk level by decreasing the likelihood or the consequences. The economy of the risk response should be taken into account. There is no need to eliminate all risks; it would be too expensive and very difficult.
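The evaluation and ranking described under "Evaluation of the risks", together with the residual-risk check implied by "Select the best responses", as an added example that is not part of the original article: it scores a small constructed risk register as the product of likelihood and consequences, maps the score onto the article's three levels, ranks the risks, places them on a risk matrix, and recomputes the level after a treatment. The 1..5 scales, the two thresholds and the sample risks are assumptions, since the article does not give scale values.

```python
from dataclasses import dataclass, replace

# Assumptions (not from the article): 1..5 ordinal scales for likelihood and
# consequences, and two thresholds that split their product into the article's
# three levels: acceptable, increased, unacceptable.
SCALE_MAX = 5
ACCEPTABLE_MAX = 4    # product <= 4  -> acceptable
INCREASED_MAX = 12    # product <= 12 -> increased; above -> unacceptable

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int    # 1 = rare .. 5 = almost certain
    consequence: int   # 1 = negligible .. 5 = catastrophic

    def __post_init__(self):
        for v in (self.likelihood, self.consequence):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"{self.name}: {v} outside 1..{SCALE_MAX}")

    @property
    def score(self) -> int:
        # Risk level grows with the product of likelihood and consequences.
        return self.likelihood * self.consequence

def risk_level(score: int) -> str:
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    return "increased" if score <= INCREASED_MAX else "unacceptable"

def rank_risks(risks):
    # Highest score first: those are dealt with first.
    return sorted(risks, key=lambda r: (r.score, r.consequence), reverse=True)

def risk_matrix(risks):
    # Rows = likelihood, columns = consequences; each cell lists risk names.
    grid = [[[] for _ in range(SCALE_MAX)] for _ in range(SCALE_MAX)]
    for r in risks:
        grid[r.likelihood - 1][r.consequence - 1].append(r.name)
    return grid

def treat(risk: Risk, likelihood_delta: int = 0, consequence_delta: int = 0) -> Risk:
    # A response lowers likelihood and/or consequences; the result is the residual risk.
    return replace(risk, likelihood=max(1, risk.likelihood - likelihood_delta),
                   consequence=max(1, risk.consequence - consequence_delta))

# Constructed sample register (not from the article).
REGISTER = [Risk("Key supplier delay", 4, 3), Risk("Data centre fire", 1, 5),
            Risk("Minor spec change", 3, 1), Risk("Untested release breaks production", 4, 4)]
```

Comparing `risk_level(treat(r, ...).score)` against the level of the untreated risk shows whether a proposed response actually brings the residual risk down to an acceptable level, or only from unacceptable to increased.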
Develop risk treatment plan
A risk treatment plan is required for risks that were not eliminated. In case the risk occurs, there should be a plan describing how to treat it so as to minimise the bad results.
When the risk occurs there is no time to read the plans. Implementation should therefore include training and other preparatory actions.
Communication and consulting
The risk assessment team should consult with the different departments of the enterprise in order to identify all the risks and find the best way of treating them. Communication should happen at every step of the risk management process.
Monitoring and review
Monitoring and review is a set of activities that should identify problems in the risk assessment and help return to earlier steps if needed.
- Cooper, D., Grey, S., Raymond, G., & Walker, P. (2005). Project Risk Management Guidelines. Chichester: Wiley & Sons.
- ISO 31000:2009. Risk Management - Principles and Guidelines. Geneva: ISO.
- Olsson, R. (2007). In search of opportunity management: Is the risk management process enough? International Journal of Project Management, 25(8), 745-752.
- Tummala, R., & Schoenherr, T. (2011). Assessing and managing risks using the supply chain risk management process (SCRMP). Supply Chain Management: An International Journal, 16(6), 474-483.
Author: Slawomir Wawak