Istria Risk Management Software Demo

The Risk Management Process

Risk Management From Istria

Our Risk Management Approach was created over 20 years ago and has been continually improved and refined using two decades of managing risks “at the coal face”. Our consultants have worked in private sector and government institutions of all shapes and sizes across Europe and North America. Whilst our method is a prescriptive framework, it is flexible enough to be equally applicable across all industries and was recently incorporated within the Management of Risk (M_o_R) guidelines issued by the UK Office for Government Commerce (OGC).

We set out a brief overview of this method below. For more information on the method, or on the additional tools and experience that an Istria Risk Management Specialist can bring to your organisation, please contact us.

 

Set up Risk Management Structure

Determine Risk Appetite: Understand the acceptable level of risk that can be absorbed by the organisation, department, project or programme. The costs of avoiding risks beyond this risk appetite (often called risk tolerance) mean that it is no longer beneficial to attempt to avoid them.

Develop Risk Language: From a change management perspective, it is imperative that people within the organisation understand each other. Developing a common risk language or “risk glossary” is a vital step to ensure that wires are not crossed.

Implement Organisational Structure: In order to manage risk effectively, the organisation or project must set up an appropriate organisational structure. Individuals and groups should be set up with clearly defined roles and responsibilities, together with an appropriate reporting structure and meeting schedule.

The structure clearly varies according to the size and complexity of an organisation or project, ranging from a series of overlapping risk sub-committees through to no more than a part-time risk manager. In all cases, however, the objectives, responsibilities and respective authority of each group and individual should be clearly demarcated.

Identify Risks & Issues

  • Understand and validate the strategic objectives of the organisation / project to help determine what is at risk
  • Consider the various types of risks that the organisation is exposed to (Strategic Risk, Operational Risk, Project Risk, etc.)
  • Ensure a common risk language permeates the organisation / project
  • Identify specific risks that may occur. Include all stakeholders in the risk identification stage, utilising industry and functional expertise, together with lessons learned from similar projects
  • Consider the probability and potential impact of each of these risks occurring
  • Assign Responsibility: Each risk should be allocated a “risk owner” to ensure someone is accountable for the management of that risk going forward
  • Categorise each risk and set up a risk breakdown structure
  • Document each risk and set up the risk register

Evaluate & Plan

  • Develop overall risk reduction strategy and approach
  • Specify the “trigger” for each risk - the event or date that indicates the occurrence of the risk
  • For each risk, decide whether to mitigate, monitor or ignore
  • Develop Mitigating Actions: Specific action steps should be determined in order to reduce the probability or impact of each individual risk
  • Develop Contingency Plans: Contingency plans come into force once a risk has crystallised. These reduce the impact of the risk or return business as usual at the earliest opportunity (e.g. Disaster Recovery Plans)
  • Integrate Risk Actions within overall Programme Management Plans

Mitigate & Control

  • Initiate the risk mitigating actions.
  • Exposure to avoidable risks should be reduced at the earliest opportunity
  • Monitor the outstanding risks
  • Populate Risk Matrix / Risk Register and update regularly
  • Implement contingency plans for risks that do crystallise

Report & Review Risks

  • Risk Management should be inherently embedded within the organisation and / or project. Regular Management reports should provide clear visibility on the risk exposure and enable prioritisation of the risks.
  • As the internal and external environment is constantly changing, risks should be regularly reviewed and updated
  • Maintain the Risk Register and update Risk Matrix and Risk Action Plans
  • Quantify risk exposure using Monte Carlo statistical analysis and assess in conjunction with stated risk appetite. Cumulative time and cost analyses can be generated, scheduling issues identified and the relative cost / benefit of mitigating activities continually reviewed.

Throughout this process, organisations should embed a risk-aware culture. This will increase sensitivity to warning signals and ensure continual improvement in the identification, assessment and management of risk.

Using this framework, organisations can ensure that appropriate strategies are planned well in advance of any risk occurring. In this way, the probability of a risk occurring is reduced, or its impact minimised. Through increased awareness of problems across the organisation or project, companies and government agencies can generate enormous value and process improvements through effective risk management.

“The IRIS software is an outstanding tool that helps to successfully integrate best practice risk management techniques into the culture of an organisation.  I have used a number of risk management tools in over two decades of project management and IRIS is undoubtedly the best I have come across”

Charles Ducher, Head of Risk Management, OCCAR