What should a good risk management process cover? Any project manager undertaking a risky or important venture should ask themselves these eight simple questions:
- What are we trying to achieve?
- What might affect us achieving this?
- Which of those things are most important?
- What shall we do about them?
- Have we taken action?
- Who needs to know?
- Having taken action, what has changed?
- What did we learn?
These questions describe the steps required to manage risk. They can easily be expanded into a basic risk process, with one process step to answer each question:
1. Getting started (risk process initiation)
Risks only exist in relation to defined objectives, and these are what we are trying to achieve. We cannot start the risk process without first clearly defining its scope and clarifying which objectives are at risk. It is also important to know how much risk key stakeholders are prepared to accept, since this provides the target threshold for risk exposure.
2. Finding risks (risk identification)
Once the scope and objectives are agreed, it is possible for us to start identifying risks, which are the things that might affect us, including both threats and opportunities. We should use a variety of techniques to help us find as many risks as possible.
3. Setting priorities (risk assessment)
Not all risks are equally important, so we need to filter and prioritise them, to find the worst threats and the best opportunities. When prioritising risks, we could use various characteristics, such as how likely they are to happen, what they might do to objectives, how easily we can influence them, when they might happen, etc.
4. Deciding what to do (risk response planning)
Once we have prioritised individual risks, we can think about what actions are appropriate to deal with individual threats and opportunities. Each risk needs an owner who should decide how to respond appropriately.
5. Taking action (risk response implementation)
Nothing will change unless we actually do something. Planned responses must be implemented in order to tackle individual risks and change the overall risk exposure, and the results of these responses should be monitored to ensure that they are having the desired effect. Our actions may also introduce new risks for us to address.
6. Telling others (risk reporting)
Various stakeholders are interested in risk at different levels, and it is important to tell them about the risks we have found and our plans to address them.
7. Keeping up to date (risk reviews)
We have to come back and look again at risk on a regular basis, to see whether our planned actions have worked as expected, and to discover new and changed risks that now require our attention.
8. Capturing lessons (risk lessons learnt)
At the end of exercise we should take advantage of our experience to benefit future similar endeavours. This means we will spend time thinking about what worked well and what needs improvement, and recording our conclusions in a way that can be reused by ourselves and others.
Any good risk process will follow these steps to ensure that we identify, assess and manage our risks effectively. These are not difficult to implement, but without all of these steps a risk process is incomplete.
This article was originally published as ‘Risk process basics‘ and has been reproduced with permission.