Risk management process
Risk management process is a sequence of activities which aim at reducing the risks to acceptable level. This includes identification, analysis, evaluation, treatment and monitoring of risks and risk related activities. The ISO 31000 standard defines risk management process as systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk management process can be applied to project management, financial management, quality management and others areas. It is a universal approach to risks. Therefore, it is recommended to implement one risk management process in whole enterprise which will be able to serve for different functional areas.
The risk management process consists of several steps. There are different descriptions of that process in the literature. The most comprehensive is version proposed by D. Cooper described below. The ISO 31000:2009 uses this process description in its risk management model (framework).
Establishing the context
Objectives
The top management expects that all risks will be identified and treated before they happen. Therefore, the most important objectives are:
- reporting current and incoming risks,
- consolidation of risks and opportunities (as two sides of the same coin),
- effective information system,
- transparency of decision process,
- possibility of monitoring risk related actions,
- many warnings, no surprises
Stakeholders
The key stakeholders are:
- top management
- business units
- staff
- business partners
- customers, users
- regulatory bodies
- local community and society
Key elements
Depending on the area under investigation, the object of analysis should be divided into parts. In case of project, the key elements will be work packages in work breakdown structure. In case of quality management the key elements are related to process or product being analysed.
Identifying the risks
What can happen?
The first step of identification is determining what can happen to the key elements. In order to establish possible situations it is convenient to use tools such as: brain storming, experience analysis, check-lists, surveys, etc. The typical sources of information are: data from earlier projects, lessons learned, good practices, literature on the subject, audit reports, experiments.
How can it happen?
Apart from what can happen, the research team should also identify how it can happen. The understanding of causes and ways is essential for dealing with risks. It is not enough to treat the risk. Usually the best option is treating the causes.
Analysing the risks
Likelihood
The likelihood is determined on quantitative scale (if data is available) or qualitative scale. The typical levels of likelihood are:
- rare
- unlikely
- moderate
- likely
- certain
Consequences
The consequences should be evaluated in many aspects, among others: costs, time, reliability, politics, social, integrity, employees, health and security, information security, environment, legislation, reputation. The scale is usually qualitative:
- insignificant
- minor
- moderate
- major
- catastrophic
Level of risk
- Acceptable level of risk is the level of likelihood and consequences that is regard as usual risk related to normal operation.
- Increased level of risk is not comfortable for the team, enterprise or project, but it will not lead to defeat.
- Unacceptable level of risk is the level above which the risk can be too dangerous for the enterprise or project. The unacceptable level should never be exceeded.
Evaluation of the risks
Evaluate risks
The current level of risk is determined based on likelihood and consequences. The greater the product of those two, the greater the risk level. The risk level can be also shown on risk management matrix.
Rank risks
The risks can be ranked based on the evaluation. The most important risks should be dealt first.
Reaction
Identify options
The typical options in risk treatment are:
- risk avoidance
- hazard prevention
- risk reduction
- risk sharing
- risk retention
- acceptance of residual risk
Select the best responses
The best response depends on level of risk, impact how difficult is to remove causes, etc. The response should decrease risk level by decreasing the likelihood or consequences. The economy of risk response should be taken into account. There is no need to eliminate all risks. It would be too expensive and very difficult.
Develop risk treatment plan
Risk treatment plan is required for risks that were not eliminated. In case of risk appearance there should be a plan describing how to treat the risk to minimise the bad results.
Implement
When the risk appears there is no time to read the plans. Implementation should include training and other actions.
Communication and consulting
The risk assessment team should consult with different departments of the enterprise in order to identify all the risks and find the best way of treating them. The communication should happen on every step of risk management process.
Monitoring and review
The monitoring and review is a set of activities that should identify problems in risk assessment and help return to earlier steps if needed.
Examples of Risk management process
- Developing a Risk Management Plan: This involves setting out the risk management framework and establishing policies and procedures for managing risks. This includes identifying the objectives, assessing the current risk environment and developing strategies to manage identified risks.
- Risk Identification: This involves examining the organization’s operations, processes, products and services to identify possible risks. This can be done through brainstorming sessions, interviews, surveys, research and analysis.
- Risk Analysis: This involves analyzing the identified risks to determine their likelihood and impact. This is done by assessing the probability and severity of each risk.
- Risk Evaluation: This involves evaluating the risks identified and analyzed against the organization’s risk appetite. This helps in determining which risks the organization is willing to accept and which should be avoided or mitigated.
- Risk Treatment: This involves developing strategies to mitigate or eliminate the identified risks. This can include implementing controls, implementing risk transfer mechanisms such as insurance or hedging, or avoiding the risk altogether.
- Risk Monitoring: This involves monitoring the effectiveness of the risk management program and risk treatments. This includes regularly assessing the effectiveness of the controls and monitoring the risk environment for any changes that could affect the organization.
Advantages of Risk management process
Risk management process provides many advantages to organizations, such as:
- Improved decision making: Risk management process helps organizations make better decisions through a systematic approach to identifying, assessing, and mitigating risks. This enables organizations to make decisions based on the potential impact of the risks and potential rewards of the opportunities they are presented with.
- Enhanced risk awareness: Risk management process helps increase awareness of potential risks and opportunities, allowing organizations to take proactive steps to prevent or mitigate any potential risks.
- Enhanced efficiency: Risk management process helps organizations identify and prioritize risks, allowing them to focus efforts on the most important risks and opportunities.
- Enhanced compliance: Risk management process helps organizations meet legal and regulatory requirements, as well as ensure compliance with internal policies and procedures.
- Increased stakeholder confidence: Risk management process helps organizations improve their reputation and increase stakeholder confidence by demonstrating that they are taking the necessary steps to reduce risk.
Limitations of Risk management process
- One limitation of the risk management process is that it can be time-consuming and costly. This is especially true when a risk management plan requires a detailed analysis of the risks and their potential impacts. Additionally, risk management plans may require significant resources such as personnel and financial resources.
- Another limitation of the risk management process is that it may be difficult to assess the risk accurately. This is because it can be difficult to accurately predict the impact of a particular risk or to assign probability or severity to a risk.
- Additionally, the risk management process may be limited by the availability of relevant data or information. This is because the risk management process relies on accurate and up-to-date information to be effective.
- Finally, the risk management process can be hindered by a lack of communication and engagement between stakeholders. This is because the risk management process requires all stakeholders to be involved and engaged in the process in order to be successful.
| Risk management process — recommended articles |
| Business risk management — Strategic risk management — Risk treatment plan — Risk evaluation — Project risk assessment — Implementation of information security management system — Project risk analysis — Risk management strategy — Audit scope |
References
- Cooper D., Grey S., Raymond G., Walker P., Project Risk Management Guidelines, Wiley & Sons, Chichester 2005
- ISO 31000:2009 Risk Management - Principles and Guidelines, Geneva:ISO
- Olsson, R. (2007). In search of opportunity management: Is the risk management process enough?. International Journal of Project Management, 25(8), 745-752.
- Tummala, R., & Schoenherr, T. (2011). Assessing and managing risks using the supply chain risk management process (SCRMP). Supply Chain Management: An International Journal, 16(6), 474-483.
Author: Slawomir Wawak
