Risk Managementby Peter Parkes
Step 3: Communicating risk
Once you have drawn a risk register, or preferably held a risk workshop to come up with a more comprehensive and moderated list, the next step is to communicate your conclusions to your stakeholders.
The principal stakeholders, in other words those affected most by the risk management process, will include:
- Higher levels of management, so that they can form a coordinated view of risk to the business
- Any professional risk management function within the organisation
- People you have involved in any risk workshop
- Those people most affected by individual risks (especially safety related risks)
- Those people you have identified as able to take action to reduce (mitigate) risk.
As we enter an era of ever-increasing partnership working, it is useful to share what we can of our risk register with our partners. Most contracts now include a schedule – referred to as a heads of risks schedule – which summarises the main risks to the partnership section and agrees how they will be shared.
A risk register forms a very effective tool with which to communicate and share your map of risk, as long as it is kept simple and easy to understand.
Organisations with professional risk management functions start to use very complex risk registers which soon fall out of use with those in operations and projects whose job it is to manage the risks. Don’t complicate things and thereby introduce unnecessary barriers to getting people to help you.
Remember that you want people to take actions to help reduce risks, so it is important to keep things as simple as is practicable so that they can update actions with progress.
Many people use colour for management reports in general to indicate the need for management attention. These are usually referred to as traffic light or RAG (Red Amber Green) reports. In this context, actions that are on track would be coded green, while those which are behind would be coded red. Red is often used to codify high on risk severity (the product of impact and likelihood).
The Probability impact grid is a very good tool for illustrating our map of risks, in other words, how many ‘big ones’ or ‘red ones’ (high probability and high impact) we have. Are we doing anything to reduce their probability or impact, or are we spending our resources dealing with the everyday risks which the average worker sees and deals with anyway as part of their job?
If the management team doesn’t yet accept the use of risk management tools in management meetings, then at least you need to get the risk actions onto the general actions log.