Most know the principles of risk management, but are vague on implementation. There's no need for confusion. We can cover the basics in just 3 minutes. (First in a series of 4 articles)
Risk management is just a practical approach to improving efficiency through directing resources where they produce the greatest effect.
Join me Thursday August 29th at 10:00am AEST for a live presentation: 3-Minute Guide to Enterprise Risk Management. (Registration opens next week.)
Risk is the level of uncertainty in any situation. Risk management is a system that identifies, quantifies and attempts to reduce or eliminate that uncertainty. An event in one part of an organisation can affect other unrelated parts, which is sometimes called the butterfly effect. Enterprise risk management is a coordinated linking of all organisation risks into a single model so everyone is aware of the effect immediately. ISO 31000 is a new international standard that lays down the components and objectives for a good ERM system.
A good risk management system must start with a set of corporate objectives, not with the details. List objectives that cover all aspects (financial, operational, marketing, as well as occupational safety, health and environment goals) and apply at all levels (such as strategic, organization-wide, project, product and process). Linking all risks back to these objectives is how you create an integrated ERM and ensure the system produces a good return on investment.
Uncertainty includes lack of information related to, or understanding of, an event, its consequence, or likelihood.
A risk assessment is a preventive evaluation by an internal subject matter expert of each uncertainty in a specific area of operation. By their very nature assessments are subjective, so for standardisation we use the risk matrix shown here to grade the importance of the impact of a risk based on likelihood of it happening and the effect (consequences) if it does. The key is to look at PRACTICAL risks. Assessments can be refined when they are periodically reviewed and updated.
A job-safety analysis is a specific type of risk assessment immediately prior to starting a job, considering situational effects at that specific time.
A control is an action or measure that can alter an uncertainty (hopefully for the better) and can include any device, change of practice, use of equipment, re-design of product or process. Some controls have better effects than others, so they should be ranked accordingly. Generally, of course, the best solution is to eliminate a risk.
Here it is important to understand the "risk appetite" of the business unit. This is the level of risk that can be tolerated on an on-going basis. It will vary dramatically from department to department, e.g. Marketing vs Finance. Be aware that elimination of a risk is not always the objective. Sometimes it's not even desirable. But the risk is still worth recording as it may have an effect on other areas.
Mitigation is a fancy word for an action that reduces or eliminates a risk. In other words, it's how a control is applied to risk. Controls regularly do not act as intended, so mitigation requires change management, i.e. planning, approval, monitoring and review of its effect. The assessment prior to applying a control is referred to as its initial risk. Then the evaluation of the risk still outstanding after applying the control is referred to as the residual risk.
Review is the key to effective risk management. Set milestones throughout the mitigation step, and review the affected area on completion. If properly implemented, the review is where your risk creates value and facilitates continual improvement.
Hang on to this quick tutorial as you talk to others. It can be useful when you need to break down some of the walls surrounding implementing risk management. Use it to show that risk management is just a practical approach to improving efficiency through directing resources where they produce the greatest effect.
|10 Essentials Decision Guide
Helps you compare software suppliers.
See recorded demo or request a live one.
Technical specifications, pricing, and more.