Risk Management Guide
One of the important documents for risk management is a risk management guide which lays out the basic definitions and rules under which a company performs its risk management. The following paragraphs contain some general explanations, definitions and rules which may be applicable for your own risk management guide. Some placeholders marked with ??? are very company specific and therefore should definitely be defined by yourself.
Key Terms, Descriptions, and Principles
Risk
Risks are characterized by probability of occurrence and consequence. Through risk management, the organization applies resources to lessen the likelihood of a future event occurring and/or the consequence should it occur. As risks increase in probability, the organization should anticipate that the events will occur and should put plans in place early to mitigate the consequences.
Risk Components
Risks have three components:
- A future cause (yet to happen), which if eliminated or corrected, would prevent a potential consequence from occurring
- A probability (or likelihood) assessed at the present time of that future cause occurring
- The consequence (or effect) of that future occurrence
Risk Management Objective
The objective of the risk management is to lessen the likelihood of a future event occurring and/or the consequence should it occur in order to protect patients, customers, suppliers, employees, environment, business stability, affiliated parties, etc.
Risk Management
Risk Management Process
Risk management is a continuous process. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selection, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction.
Risk Management Process Model
The following figure depicts a four-step management process.
Top-Level Guidelines for Effective Risk Management
- Assess the causes of risks and develop strategies to manage these risks
- Identify as early as possible, and intensively manage those that critically affect the organization.
- Include tests and evaluations as part of the risk management process.
- Include industry knowledge in risk management. Likelihood and consequence should be compared with experiences from similar industries.
- Use a proactive, structured risk assessment and analysis to identify and analyze root causes.
- Utilize risk assessment checklists if applicable
- Establish risk mitigation plans and obtain resources for such plans
- Include internal processes as part of risk assessment.
- Clearly define a set of evaluation criteria for assigning risk ratings for identified root causes.
Risk Identification
The intent of risk identification is to answer the question “What can go wrong?” by:
- Looking at current and proposed staffing, processes, suppliers, products, resources, dependencies, etc.
- Reviewing potential shortfalls against expectations
- Analyzing negative trends
Risk identification is the activity that examines each element of the company to identify associated causes, begin their documentation, and set the stage for their successful management. Risk identification begins as early as possible and continues with regular analyses.
Risk Categories
- Operational Risk
- Financial Risk
- Compliance Risk
- Strategic Risk
- Other Risk
Risk Analysis
Risk analysis answers the question “What are the likelihood and consequence of the risk?” and “How high is the risk?”. The following tasks are part of the risk analysis:
- Estimate the likelihood the risk event will occur
- Estimate the possible consequence in terms of cost, schedule and performance
- Determine the resulting risk level and prioritize for mitigation
Risk analysis provides an estimate of each risk’s likelihood and consequence, and the resulting risk level in order to more effectively manage risks and prioritize mitigation efforts. Consistent predefined likelihood and consequence criteria provide a structured means for the evaluating risks so decision makers can make objective comparisons.
Likelihood
Risk likelihood is the evaluated probability an event will occur given existing conditions. The estimated likelihood of the risk should be tied to a specific well-defined risk event or condition and risk statement. The following table provides the criteria for establishing the initial assessment of likelihood of a risk occurring.
| Level | Likelihood | Probability of Occurrence |
|---|---|---|
| 5 | Near Certainty | > 80% |
| 4 | Highly likely | > 60% ≤ 80% |
| 3 | Likely | > 40% ≤ 60% |
| 2 | Low Likelihood | > 20% ≤ 70% |
| 1 | Not Likely | > 0% ≤ 20% |
The initial assessment of probability of occurrence needs to be considered in combination with consequences, should the event be realized, and also the effectiveness of mitigation actions when making decisions on whether a given probability level is too high and would preclude proceeding on a planned course of action. Depending on the circumstances, there may be cases in which a risk (probability and consequence) is high enough to change course, in the absence of assured mitigation.
While dealing with individual risks, decision makers should understand the overall risk exposure of the company and the threat that cumulative or compounding effects of multiple risks pose to successfully satisfying business objectives. Multiple risks may expose the company to a greater risk than any individual risk due to complexity, stretched resources, risk interactions, or the aggregate likelihood of the risk realization.
Consequence
During analysis, each risk should be evaluated in terms of impact should the risk be fully realized. Risk consequence is measured as a deviation against historic company or business specific baselines.
| Level | Likelihood | Cost | Schedule | Performance |
|---|---|---|---|---|
| 5 | Critical Impact | ??? | Schedule slip will require a major schedule rebaselining | ??? |
| 4 | Significant Impact | ??? | Schedule slip puts funding at risk | ??? |
| 3 | Moderate Impact | ??? | Schedule slip impacts synchronization with interdependent expectations by greater than ??? months | ??? |
| 2 | Minor Impact | ??? | Some schedule slip, but can meet dates within ??? month | ??? |
| 1 | Minimal Impact | ??? | Minimal schedule impact | ??? |
Risk Matrix
The primary goal of risk reporting is to provide the management and other decision markers with a consistent method for managing and communicating risk to make data-driven decisions. The risk matrix is an effective tool to relay risk estimates in a visual display. This characterization also aids in prioritizing risks for risk mitigation.
Once the analysis of likelihood and consequence is complete, program teams should then use the risk matrix. This matrix converts the combination of likelihood and the maximum of the cost, schedule, and performance consequence scores to form a risk level for each risk: low (green); moderate (yellow); or high (red). While these values are used to define the risk level, additional factors should be considered to prioritize risks. The cost-effectiveness of perceived risk mitigation options is a primary consideration in establishing priorities for the allocation of scarce resources among competing risks. Other considerations include the frequency of occurrence, time frame, and interrelationship with other risks.
In summary, the prioritization approach should consider the following:
- The likelihood and maximum of the cost, schedule, and performance consequence
- The cost and expected ROI of risk mitigation strategies
- Time frame, frequency of occurrence, and interrelationship with other risks
- Weighted expected return
Risk Register
A risk register is a central repository to describe and track risks as well as record actions. It includes information for each risk such as risk category, likelihood, consequence, mitigation measures, risk owner and documentation of changes.
| Risk No. | Owner | Category | Status | Risk Event | Likelihood | Consequence | Mitigation Strategy | Changes | Comments |
|---|
Expected Value
In addition to the consequence and the likelihood at is important to evaluate the expected effect/value. The expected value should give you a realistic effect of a risk by multiplying the consequence with the likelihood.
Risk Mitigation
The risk mitigation strategy includes the options or combination of options and the specific implementation approach. It answers the question “What is the plan to address the risk?” or “Should the risk be accepted, avoided, transferred, or controlled?”. After analyzing the risks, the company should develop a strategy to manage risks by evaluating the four risk mitigation options:
- Avoiding risk by eliminating the cause and/or the consequence
- Controlling the cause or consequence
- Transferring the risk to other entities
- Assuming the level of risk and continuing on the current plan
Some risk mitigation activities may be implemented as contingency plans when a specific triggering event occurs. The level of detail in risk mitigation depends on the nature of the risk to be addressed. When selecting the mitigation option(s) and formulating the implementation approach, the risk owner should address questions such as:
- Is the risk mitigation plan feasible (options and implementation approach)?
- Is the risk mitigation plan affordable in terms of funding and any needed additional resources (e.g. personnel, equipment)?
- Is adequate time available to drop and implement the risk mitigation plan?
- What impact does the risk mitigation plan have?
- Are the expectations realistic given circumstances, constraints, and objectives?
Risk Acceptance (and Monitoring)
By accepting the risk, the company acknowledges that the risk event or condition may be realized and is prepared to accept the consequences. Accepting a risk does not mean it should be ignored. The company should continue to track the risk to ensure the accepted consequences do not change for the worse or the likelihood increase. Monitoring implies the company establishes knowledge points that provide opportunities to reevaluate the risk. Before accepting the risk, the company should identify the resources and schedule that would be needed should the risk be realized.
Risk Avoidance
Through risk avoidance, a program the company reduces or eliminates the risk event or condition by taking an alternate path. It eliminates the source of the risk and replaces it with another solution.
Risk Transfer
Risk transfer includes reassigning or delegating responsibility for tasks to mitigate a risk to another entity. This might include transferring the financial responsibility as well. This approach may involve reallocating risk management tasks from one party to another. The same risk may be carried by multiple entities. However, it should be recognized that the transference of risk does not eliminate all responsibility and risks must be monitored for potential consequences.
Risk Control
The risk control option seeks to actively reduce risk to an acceptable level. Control generally entails taking action to reduce the likelihood, or the consequence, of a risk to as low as practical in order to minimize potential impacts.
Control options should result in reduced risk likelihood and/or consequence. Risk control activities often reduce the likelihood of the risk event occurring or accelerate knowledge affecting the likelihood. The result may be a new risk description with revised consequences and an updated prioritization and mitigation strategy.
Risk Monitoring
Risk monitoring answers the question “How has the risk changed?” or “How are the risk mitigation plans working? Based on results, should additional actions be taken to mitigate or control the risk?”.
Risk monitoring includes a continuous process to systematically track and evaluate the performance of risk mitigation plans against established metrics. Not all risk mitigation will be successful. The company should reevaluate the risk mitigation approach and associated activities to determine effectiveness and whether action is needed.
Risk monitoring includes recording, maintaining, and reporting risks, risk analysis, risk mitigation, and tracking results. If a risk changes significantly, the company should adjust the risk mitigation strategy accordingly. If the risk is lower than previously analyzed, the company may reduce or cancel risk mitigation activities and consider freeing resources for other uses. If risk severity increases, appropriate risk mitigation efforts should be developed and implemented.
Review
The Risk Management System needs to be reviewed on a regular basis in terms of effectiveness and efficiency. The review should be performed by independent personnel (either internal or external) and adjusted to changes accordingly.
The review should be performed on an annual basis.
Report
Annually a Risk Report should be issued summarizing the key risks. This report needs to be submitted to the management. Severe changes that endanger the future of the company need to be reported and dealt with immediately.