In today’s post we’ll talk about the risk management process: the steps every organization should go through regularly to protect itself against the hazards of doing business.
Every organization needs to do some type of risk management. If your business is caught without a process for risk management, you are leaving yourself vulnerable.
Risk management can be defined as forecasting and evaluating risks to the organization, determining impact (financial, brand, people, etc.) and identifying steps to avoid or reduce their impact.
Risk mitigation is the prudent response to the reality that life is uncertain and sometimes bad things happen to good organizations. The alternative to risk management is going through life with your fingers crossed, hoping that bad luck only ever happens to other people.
Risk management introduces rationality into the irrational world of bad luck. It’s a way of evaluating potential negative events and their likely impacts, then taking steps to protect ourselves against those events that would cause the severest damage if they occurred, or that are more likely to occur.
Risk management can help us understand where we should invest to protect ourselves, and also where we don’t need to do so (if the risk is too small).
The Risk Management Process
The risk management process is the set of steps you should be taking routinely, habitually, to assess and mitigate the hazards present in your organization and lines of business.
This should become part of your organization’s culture. It should become as habitual for your company as it is for a person to look both ways before they cross the street.
It needs to be a cycle because it can take several iterations to get where you need to be, and also because things change over time. Risk management and mitigation are not a one-time project but an ongoing aspect of resiliency.
Most organizations should assess their risks at least once a year, depending on the rate of change in their organization, field, and environment.
The 6 Steps of the Risk Management Process
The risk cycle has six steps:
- Assessing your risks.
- Prioritizing your risks.
- Figuring out your risk profile.
- Choosing your risk strategies.
- Executing your risk strategies.
- Measuring residual risk.
We could add a seventh step: go back and do it all over again—since things are always changing, in business, life, and the larger environment, and you need to continually review to stay current and protected.
We’ll talk more about each step below.
Step 1: Assessing your risks
Everything in risk management starts with risk assessment: examining the factors at your organization and in your environment that are potentially dangerous.
You want to think about everything that has the potential to take your organization down.
Natural disasters are part of the picture but there’s a lot more to it than that.
Think also about technological risks and risks involving single points of failure (SPOFs), whether they reside in equipment or people (individuals who are the only ones who know how to do certain essential tasks).
Also think about risks that might arise from your location. Are you in an industrial area where there’s a risk of gas leaks? Near government buildings downtown where you might be affected by demonstrations?
Step 2: Evaluating and prioritizing your risks
Once you have made a list of the risks facing your company, you need to evaluate them.
Specifically, you should evaluate them in terms of how severe the impact would be and the likelihood of their occurring. Then you prioritize them in this order:
- High impact and highly likely to occur.
- High impact and less likely to occur.
- Low impact and highly likely to occur.
- Low impact and less likely to occur.
This process can be enlightening. It’s not unusual at this stage for a company to realize it’s protecting itself against the wrong things (e.g., by spending a lot of money on something that’s unlikely to occur and would have a modest impact, and neglecting to protect itself against something that is highly likely and would have a severe impact).
Here you can see right away how using the risk mitigation process can bring significant benefits to the organization.
Step 3: Figuring out your risk profile
You also have to figure out your risk profile, or rather your senior management’s risk profile. This is all down to them. It’s about how much risk they are prepared to live with.
Some organizations are comfortable running a lot of risk. Some will do all they can to get their risk exposure as close to zero as possible.
Risk appetite and risk tolerance both refer to how much risk an organization is prepared to accept in pursuit of its objectives.
Risk appetite is a broader statement of the level of loss exposure that management deems acceptable, given its objectives and resources. An organization with a high risk appetite might accept a high insurance deductible or even go without insurance. An organization with substantial financial reserves might have a high appetite for risk.
Risk tolerance is narrower: it is the specific, measurable level of risk the company will accept for a particular objective, i.e., how far the organization is willing to let actual exposure vary from its stated risk appetite in that area (for example, the maximum downtime it will tolerate for a critical process before the loss becomes unacceptable).
Step 4: Choosing your risk strategies
Once it’s known how much risk management is prepared to accept, you can start choosing a risk mitigation strategy for each significant risk. There are four of them:
- Avoid the risk. Exit activities that bring on the risk.
- Reduce the risk. Take steps to reduce the likelihood of a negative event occurring, the damage it would do, or both.
- Share the risk (sometimes called transferring it). Take out insurance, or otherwise shift part of the loss to a third party, to help cover the risk.
- Accept the risk. Simply live with the risk, acknowledging that if the threat occurs the organization will have to bear the consequences.
Step 5: Executing your risk strategies
Implement the strategies you decided on in Step 4.
Step 6: Measuring residual risk
Residual risk refers to how much risk is left over after you have adopted your risk mitigation strategies. It’s the amount of risk left in your system after you have followed steps 1 through 5.
This is not an abstract concept. It tells you whether your risk mitigation strategies were successful.
If your residual risk remains outside your management’s tolerance, you need to go back and beef up your mitigation strategies.
If your residual risk is significantly less than the amount of risk management will accept, you might be spending too much money on your risk mitigation process. Perhaps you can ease up on some of your strategies.
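The six steps above are easiest to see end to end in a small risk register. The following Python is an added example written for this post, not a tool from MHA Consulting or BCMMETRICS: it rates each risk on a 1 to 5 impact and likelihood scale (Step 1 and 2), orders them by the four quadrants in the sequence given above (Step 2), records the strategy chosen per risk (Step 4), re-rates the scores once controls are in place (Step 5) and compares the residual score with management's tolerance (Step 6), flagging both what still needs strengthening and what may be over-controlled. The register entries, the scores, the "high" threshold of 3 and the tolerance of 6 are constructed assumptions, not figures from the post.

```python
"""Worked risk register for the six-step cycle (added example, not MHA's own tool)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Strategy(Enum):
    AVOID = "avoid"     # exit the activity that brings the risk
    REDUCE = "reduce"   # controls lower likelihood and/or impact
    SHARE = "share"     # insurance or a contract shifts part of the loss
    ACCEPT = "accept"   # live with it


@dataclass
class Risk:
    name: str
    impact: int                          # 1 (negligible) .. 5 (existential), rated in Step 2
    likelihood: int                      # 1 (rare) .. 5 (almost certain), rated in Step 2
    strategy: Strategy = Strategy.ACCEPT  # chosen in Step 4
    # Re-rated scores once the Step-4 controls are in place; None means unchanged.
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def __post_init__(self):
        for v in (self.impact, self.likelihood, self.residual_impact, self.residual_likelihood):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {v}")


HIGH = 3  # assumed cut-off: a score of 3 or more counts as "high" for quadrant placement


def inherent_score(r: Risk) -> int:
    """Raw impact x likelihood before any strategy is applied."""
    return r.impact * r.likelihood


def quadrant(r: Risk) -> int:
    """0 = high impact/high likelihood, 1 = high/low, 2 = low/high, 3 = low/low."""
    high_impact = r.impact >= HIGH
    high_likelihood = r.likelihood >= HIGH
    return (0 if high_impact else 2) + (0 if high_likelihood else 1)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 2 ordering: quadrant first, then raw score within a quadrant."""
    return sorted(risks, key=lambda r: (quadrant(r), -inherent_score(r)))


def residual_score(r: Risk) -> int:
    """Step 6: the risk left over once the chosen strategy has taken effect."""
    if r.strategy is Strategy.AVOID:
        return 0                   # the activity, and its risk, are gone
    if r.strategy is Strategy.ACCEPT:
        return inherent_score(r)   # accepting changes nothing
    impact = r.impact if r.residual_impact is None else r.residual_impact
    likelihood = r.likelihood if r.residual_likelihood is None else r.residual_likelihood
    return impact * likelihood


def review(risks: List[Risk], tolerance: int) -> Tuple[List[str], List[str]]:
    """Compare residual risk with management's tolerance.

    Returns (names still above tolerance -> strengthen the strategy,
             names well below tolerance while paying for controls -> candidates to ease up).
    """
    over = [r.name for r in risks if residual_score(r) > tolerance]
    under = [r.name for r in risks
             if r.strategy in (Strategy.REDUCE, Strategy.SHARE)
             and residual_score(r) < tolerance / 2]
    return over, under


# Constructed sample register; every score and strategy here is an illustrative assumption.
REGISTER = [
    Risk("Ransomware on file servers", 5, 4, Strategy.REDUCE, residual_likelihood=2),
    Risk("Only one admin knows the payroll batch (SPOF)", 4, 3, Strategy.REDUCE, residual_likelihood=1),
    Risk("Regional flood at HQ", 5, 1, Strategy.SHARE, residual_impact=1),
    Risk("Phishing e-mail to staff", 2, 5, Strategy.REDUCE, residual_likelihood=3),
    Risk("Legacy product line on unsupported software", 3, 3, Strategy.AVOID),
    Risk("Demonstrations block downtown office access", 2, 2, Strategy.ACCEPT),
]
TOLERANCE = 6  # assumed: management tolerates a residual score of 6 or less


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"Q{quadrant(r)} inherent={inherent_score(r):2d} residual={residual_score(r):2d}  {r.name}")
    over, under = review(REGISTER, TOLERANCE)
    print("strengthen:", over)
    print("ease up:", under)
```

Two things the numbers make visible that the prose alone does not: the quadrant order deliberately ranks the flood (high impact, rare, raw score 5) above phishing (low impact, near-certain, raw score 10), because a raw product would bury the event that could take the organization down; and after controls, ransomware is still above tolerance while the flood, once largely insured, sits far below it, which is exactly the "beef up one strategy, ease up on another" decision Step 6 is meant to surface.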
Rinse and Repeat
After this, it’s all about repeating the cycle—whether you are repeating particular steps as part of an ongoing effort to hit the bull’s-eye of your management’s risk tolerance, or you’re repeating the entire process as part of an annual or biannual review.
Large organizations usually have a risk management department. Small and mid-size ones can often benefit from obtaining an outside consultant such as MHA to help in implementing the risk mitigation cycle.
For more information on the risk management process and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Rethinking Risk: A Better Way to Think About Risk in Business Continuity Management
- The 5 Most Important Risk Mitigation Controls
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- What to Look for in Business Continuity Compliance and Risk Software
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- All About Risk Management: Reader’s Mailbag