Monitoring Risk: Maintaining Your Risk Mitigation Strategies

You identified risks, then chose and implemented a mitigation strategy. You’ve decided whether you’ll accept, avoid, transfer, or reduce risk.

Unfortunately, you have not completed the job. Monitoring risk, including tracking identified risks and evaluating the performance of risk mitigation actions, is critical to the risk mitigation process. Systematically monitoring risk feeds information into other risk management activities, such as identification, analysis, mitigation planning, and implementation.

The process for risk monitoring includes setting a structure for how often you review your risk, what to monitor, how to report changes, and how to redefine your risk strategies. 

How Often to Monitor Risk

For many enterprises, normal risk assessment occurs on a regular schedule. These are often annual occurrences, but monitoring the ongoing risk mitigation and state of identified risks should be a continuous activity.

We monitor and react to risk constantly in our daily lives; conscious monitoring of our organization’s risk mitigation position should occur as well. It’s a good idea to schedule periodic risk reviews ahead of time. Take the time each month to review the highest-probability and largest-impact risks along with their mitigation strategies; doing so allows for continuous improvement.

Monitoring Risk Changes

The Risk’s Condition

Periodically reexamine the risk. Has the environment changed in a way that has impacted the risk? Will you require more or less mitigation?

A risk trigger is an indicator that signals that the risk event has occurred or is about to occur. In other words, what may cause the impact or the risk to occur? This provides you with a level of reaction that may limit the impact to your organization if the risk event occurs.

Mitigation Plan Progress

Ongoing review of the risk mitigation plan is required to ensure that it is meeting the needs of the organization. Review all mitigation strategies, including the status and effectiveness of the actions you have taken. Surveying those strategies not implemented also ensures that your plan is moving forward. Ensuring that all requirements of your risk management plan are being implemented is critical – otherwise the mitigation strategy can become an unconscious acceptance of the risk, and may be identified as an additional risk itself.

Identify New Risks

The modus operandi of your business is always evolving, and even if it’s doing so slowly, new risks may pop up. Your risk mitigation strategy will be ineffective if you’re not tracking new risks based on personnel, vendor, and software changes. Updating your list of risks is another critical part of maintaining an effective risk management plan.

Validate Your Plans

When reviewing the risks you’ve previously identified and taken action on, remember to validate your previous risk assessments based on your risk’s likelihood and impact. Changes to your risk may result in changes to either or both of these. Therefore, it is essential to adjust the risk’s priority accordingly. It’s also a good idea to validate previous assumptions and state any new assumptions as this will help you monitor your risk over time.

How to Report on Risk Changes

Leverage the reporting already in use as part of the risk analysis. There is no need to have multiple reporting mediums. A quick monthly dashboard showing changes to, and the status of, the monitored risks and mitigation strategies, and/or changes to the profile, can be enough to provide constant visibility into the state of risk and potential impact.

Keeping this up-to-date should not take much time if the monitoring is performed as described above. Remember, without information, you cannot make appropriate decisions. Having consistent reporting will help you convey any changes to your risk strategy to management and interested parties.

Redefining Risk Strategies

When there is a change to the risk impact or its probability, it may make sense to adjust the mitigation strategy or the regular risk assessment schedule. Ideally, keep using the currently implemented strategies, making changes as warranted. A complete change in the strategy may not be necessary, but an adjustment to the implementation may be an option.

Risk management is not a project to complete, nor is it a task to check off the to-do list. It is ongoing and should become part of your overall business continuity culture. As with most activities, continual attention provides better and more efficient execution, less effort overall, and better results. Monitoring risk mitigation strategies is actually one of the most important activities you can undertake. You never know when the event being mitigated may occur.

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
