Effective risk management is the process of identifying, assessing and managing potential risk – both negative (a threat) and positive (an opportunity).
These risks can be caused by various sources, including but limited to financial uncertainty, legal liabilities, management errors, accidents and natural disasters. As a result, successful organisations ensure the implementation of effective risk management processes for identifying and managing risk.
Risk Management Standards
Industry and government bodies provide regulatory compliance rules that scrutinise the risk management plan, policies and procedures. In many cases, boards of directors or trustees must review and report on the adequacy of the organisation’s risk management process.
Organisations, including the ISO, have developed risk management standards. These standards help organisations identify risks, assess risks, identify ways to manage risks, and implement risk control and mitigation efforts according to the organisational strategy.
ISO 31000, for example, “provides principles, framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector.” and is designed to “increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.”
The Institute of Risk Management state that the ISO 31000 guidelines provide a statement of risk management principles. The eight principles are:
- Framework and processes should be customised and proportionate.
- Appropriate and timely involvement of stakeholders is necessary.
- A structured and comprehensive approach is required.
- Risk management is an integral part of all organisational activities.
- Risk management anticipates, detects, acknowledges and responds to changes.
- Risk management explicitly considers any limitations of available information.
- Human and cultural factors influence all aspects of risk management.
- Risk management continually improved through learning and experience.
ISO standards and others, such as the IRM guidelines, help organisations implement risk management best practices. These standards aim to manage risk by establishing a common risk management framework and process.
Risk Management Planning
A risk management plan follows the same steps:
The organisation identifies and defines potential risk types (threats and opportunities) that may negatively or positively influence an organisational operation, project or process.
Following risk identification, the organisation should determine the likelihood of it occurring and its impact. The objective of the analysis is to understand each specific instance of identified risk and how it could influence the organisation’s strategic and tactical goals.
Risk Assessment and Evaluation
The risks are then further evaluated after determining the overall likelihood of occurrence combined with its impact. The organisation can then decide whether the risk is acceptable and, based on its risk appetite, whether the organisation is willing to take it on.
Risk Control and Mitigation
During this step, an organisation assesses the risks and develops a plan to manage them using specific risk actions. These plans include risk control measures and risk mitigation measures, processes and contingency plans if the risk comes to fruition.
The risk control and risk mitigation plan must include following up on the risks (and emerging risks) and a plan to monitor and track new and existing risks continuously through a risk register and risk matrix. The overall risk management process should also be reviewed, undergo an internal audit (arranged by the audit committee) and be updated accordingly. Corporate governance should consider creating an annual report.
Risk Management Strategies
After the organisation’s risks are identified and implementation of the risk management planning process, there are several different strategies companies can take regarding different types of risk:
While eliminating all risk is rare, risk avoidance attempts to avoid as many risk threats as possible; this prevents the costly and disruptive consequences of a damaging event.
Sometimes, organisations decide a risk is worth it from a business operations standpoint and choose to accept and retain the risk and deal with any potential fallout. Organisations will often maintain a certain level of risk if the anticipated return is higher than the costs of its inherent risk.
Organisations can sometimes reduce the amount of effect certain risks can have on a process. Risk reduction can be achieved by adjusting certain aspects of an organisation’s plan or strategy or reducing or changing its scope.
Sometimes, the consequences of risk are transferred or distributed among several organisations, including third parties such as suppliers or business partners, or internally with other departments.