Not too long ago, “risk management” was considered mainly an insurance term.
The risks a business might incur covered a fairly small and discrete range of scenarios, including the following:
- Natural disaster risk – the potential risks you’d often buy insurance to ameliorate: tornadoes, earthquakes, fire, floods;
- Investment risk – positive (gains) or negative (loss) due to changes in financial markets;
- Credit risk – The risk that someone who has borrowed money from your organization will default;
- Security risk – the risk of an unauthorized person or persons entering the building or grounds and causing harm to the business or its workers;
- Legal risk – the risk of lawsuits;
- Safety risk – the risk that employees will be injured on the job.
The times have changed, however, and so have risks.
With the advent of the digital age come a plethora of new risks as well as an increase in the complexity of existing ones. Every digital connection; every portal into and out of your systems, networks, and devices; every third party with whom you do business: these add layer upon layer of risk.
Every project, every business unit, every enterprise must now involve itself in the risk management process. No organization is an island; small and large, all are vulnerable.
And no longer is risk management solely the purview of the audit department: it’s an essential part of project management, human resources, information security, public relations and communications, finance—every function and department entity-wide, as well as stakeholders, business partners, and the board.
What Is the Risk Management Process?
The risk management process aims to minimize the negative effects of unfortunate events on a project, program, or business or to prevent those events from occurring altogether. At its best, it’s a proactive system for dealing with risks and potential risks before they materialize and become threats, incidents, or events.
The risk management process involves a series of actions, like stepping stones, each leading to the next and each important to your risk management program.
Those steps are, in order:
Risk assessment. Risk assessment comprises risk identification and risk analysis.
Risk identification means naming the risks that could harm your project, function, or enterprise. In this step, you make a list, using your imagination to think of every bad thing that could happen.
Of course, we can’t anticipate every occurrence. So it’s important to review this list on a regular basis and establish contingency plans for new and unforeseen risks.
In the risk analysis phase, you’ll examine each identified risk and assign it a score based on four factors:
- Likelihood: What’s the probability of occurrence, i.e., that the risk will materialize?
- Impact: How hard would your project, function, or enterprise be hit if the event occurred?
- Velocity: How quickly would your project, function, or enterprise feel the impact?
- Materialization: What’s the potential severity of the impact? To arrive at this score, add the impact and velocity scores and divide by 2.
Scores for impact and velocity–and, therefore, materialization–can be reduced with mitigations or risk controls.
Risk prioritization. Some risks are potentially more damaging, and so deserve more of your attention. Others may pose little danger and can be accepted or ignored. An effective risk management strategy requires risk prioritization according to levels of risk, to avoid wasting time and expense and let you focus on the risks that pose the greatest threat.
Risk mitigation. List each risk, its materialization score and rank, and your risk response or treatment on a risk register so you know where things stand. Typically, risk treatment consists of four options:
- Risk acceptance
- Risk avoidance, perhaps by not performing the action that incurs it
- Risk transfer, usually to an insurance company
- Risk reduction, usually by using risk controls.
A risk management framework such as COSO’s Enterprise Risk Management–Integrated Framework or ISO 31000: 2018, Risk management, can help guide you through decision-making in the risk management process.
Risk monitoring. Circumstances change. Regulations and industry standards get updated. Cybercriminals adopt new techniques for breaching systems. Staying on top of risk is a continuous process, and can be challenging. Fortunately, digital solutions can do much of the work for you, automating your risk management and leaving you free to focus on the business at hand: keeping your clients and customers satisfied and maximizing profits.