Risk management is the process of identifying, assessing and managing risk – both negative and positive.
These risks can be caused by a wide variety of sources, including but not limited to financial uncertainty, legal liabilities, management errors, accidents and natural disasters. As a result, successful organisations implement risk management processes for identifying and managing risk.
Risk Management Standards
Industry and government bodies provide regulatory compliance rules that scrutinise risk management plans, policies and procedures, and in many cases boards of directors or trustees must review and report on the adequacy of the organisation’s risk management process.
Organisations, including the ISO, have developed risk management standards. These standards help organisations identify risks, assess risks, identify ways to manage risks and then implement risk control and mitigation efforts according to the organisational strategy.
ISO 31000, for example, “provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector”, and is designed to “increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.”
As stated by the Institute of Risk Management, the ISO 31000 guidelines provide a statement of risk management principles. The eight principles are:
- Framework and processes should be customised and proportionate.
- Appropriate and timely involvement of stakeholders is necessary.
- A structured and comprehensive approach is required.
- Risk management is an integral part of all organisational activities.
- Risk management anticipates, detects, acknowledges and responds to changes.
- Risk management explicitly considers any limitations of available information.
- Human and cultural factors influence all aspects of risk management.
- Risk management is continually improved through learning and experience.
ISO standards and others, such as the IRM guidelines, help organisations implement risk management best practices. The goal of these standards is to manage risk by establishing common frameworks and processes.
Risk Management Planning
All risk management planning follows the same steps:
The organisation identifies and defines potential risks (threats and opportunities) that may negatively or positively influence an organisational operation, project or process.
Following risk identification, the organisation should determine the likelihood of each risk occurring, as well as its impact. The objective of the analysis is to understand each specific instance of risk and how it could influence the organisation’s strategic and tactical goals.
Risk Assessment and Evaluation
The risks are then further evaluated by combining the overall likelihood of occurrence with the impact. The organisation can then decide whether each risk is acceptable and, based on its risk appetite, whether it is willing to take the risk on.
Risk Control and Mitigation
During this step, an organisation assesses the risks and develops a plan to manage them using specific risk actions. These plans include risk control and mitigation processes, and contingency plans in the event the risk comes to fruition.
The mitigation plan must include following up on the risks and a plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.
Risk Management Strategies
Once the organisation’s risks have been identified and the risk management planning process implemented, there are several strategies companies can take, depending on the type of risk:
While eliminating all risk entirely is rare, risk avoidance attempts to avoid as many threats as possible; this prevents the costly and disruptive consequences of a damaging event.
Organisations are sometimes able to reduce the effect certain risks can have on a process. Risk reduction can be achieved by adjusting certain aspects of an organisation’s plan or process, or by reducing or changing its scope.
Sometimes the consequences of a risk are transferred to or distributed among several organisations, including third parties such as suppliers or business partners, or internally across other departments.
Sometimes organisations decide a risk is worth taking from a business standpoint and choose to retain the risk and deal with any potential fallout. Organisations will often maintain a certain level of risk if the anticipated return is higher than the cost of the inherent risk.