Risks are everywhere. It is easy to perceive and accept their presence. In another post, I wrote about the multiple applications of risk management, giving examples of where risks may occur, regardless of your company’s business activity or which department you work in. However, in this post, I want to introduce you to a practical guide that consists of 12 steps for you to create a risk plan.
This way, in addition to perceiving the risks, you can also address them, so that small risks do not turn into major concerns for you.
But first, a quick review.
Risk is the effect (positive or negative) of an event or series of events that take place in one or several locations. It is calculated based on the probability of the event becoming an issue and the impact it would have. Various factors should be identified in order to analyze risk, including:
Event: What could happen?
Probability: How likely is it to happen?
Impact: How bad will it be if it happens?
Mitigation: How can you reduce the Probability (and by how much)?
Contingency: How can you reduce the Impact (and by how much)?
Creating a complete risk plan
With these concepts in mind, let’s look at the 12 steps that will help you to create a risk management plan to address any risk in your organization.
1 – Define your scope
As we have seen, risks are present in many areas of an organization. Therefore, you need to define the scope of your risk plan. Am I going to evaluate the risks of a project? Of a process? From a list of assets? Or from my strategic planning?
2 – Get input from others
Brainstorm risks. Get several people together that are familiar with the project and ask for input on what could happen, how to help prevent these events, and what to do if an event does happen. Take a lot of notes! You will use the output of this very important session several times during the following steps.
3 – Identify risks and consequences
List the risks and associate each risk with its consequences. Be as specific as possible with each one. “Depletion of resources” is not as desirable as “Missing half of the raw material for completion of the activity.” If there is a monetary value, list it.
4 – Identify controls for each risk
Controls are activities, procedures or mechanisms that, if implemented, can affect a risk, changing its probability or its impact. Identify the controls now and consider them during our risk assessment.
5 – Assign probability
For each risk element on your list, determine if the likelihood of the risk actually materializing is High, Medium or Low. (This is just an example, you can create your own range according your needs.)
6 – Assign impact
In general, assign Impact as High, Medium or Low based on pre-established guidelines. If you absolutely have to use numbers, then calculate Impact on a scale as well.
7 – Determine the risk level
A table is oftentimes used for this, but using software is much better! If you have used the Low, Medium and High values for Probability and Impact, a simple table is most useful. If you have used numeric values, you will need to consider a bit more of a complex rating system (much easier done with software). It is important to note that there is no universal formula for combining Probability and Impact; it will vary between companies and projects
8 – Rank the risks
List all the elements you have identified from the highest risk to the lowest risk.
9 – Develop mitigation and contingency strategies
Mitigation is designed to reduce the probability that a risk will materialize. Contingency is designed to reduce the impact if a risk does materialize. You will usually only develop mitigation and contingencies for High and Medium elements. You might want to mitigate low risk items, but certainly address the other ones first.
10 – Analyze the effectiveness of the strategies
How much have you reduced the Probability and Impact? Evaluate your Contingency and Mitigation strategies and reassign the ratings to your risks.
11 – Compute your residual risk
After the contingency and mitigation plans were applied, has the evaluation improved? This means that you have attained a reduction in your risk and that it is now within an acceptable level.
12 – Monitor your risks
Now that you know what your risks are, you need to determine how you’ll know if they materialize so you’ll know when and if you should put your contingencies in place. Indicators with triggers and alerts can help with this. Do this for each one of your High and Medium risk elements. Then, as your project progresses, you will be able to determine if a risk element has become an issue.
There! That wasn’t so hard, was it? With these 12 steps, you have an excellent basis for your risk plan. However, as I said, I have only given an introduction to the topic. You can get more details about each step in the eBook: How to develop a risk management plan in 12 practical steps.