Risk Management by Peter Parkes
- What is risk?
- If something is risky does it mean we shouldn’t do it?
- What is the job of a risk manager?
- When do I need to consider a formal risk management process?
- What is a risk register and what is it used for?
- How do I get people to agree what the real risks are and how to deal with them?
- How do I run a risk workshop?
- What is the difference between a risk and an issue?
- I have seen risks reported in different ways. What is a traffic light/RAG report?
- What do I do about risks?
- Are there any tools I should know about to help me to manage risk?
- How can I get help?
1. What is risk?
Fundamentally, risk is the uncertainty inherent in the world in which we live and do business. The consequences of uncertainty can be good or bad, but people usually think of managing potential negative impacts. The ‘good uncertainties’ are the opportunities that cross our path on a regular basis.
2. If something is risky does it mean we shouldn’t do it?
The art of life is balancing investment in opportunity against acceptable risk. In order to do this, we need to understand risk better. Once you understand both opportunity and risk, you can decide if a specific risk is worth the opportunity. Your attitude to gambling or going against the odds will have a lot to do with making your decision to do something risky, or not to do it.
3. What is the job of a risk manager?
Some organisations have a post of risk manager, whose role is to manage and communicate the risk process, rather than actually manage the organisation’s risks. The actions to reduce risks are carried out by managers and other responsible people nominated in the risk register.
4. When do I need to consider a formal risk management process?
A formal risk management process is actually just a common sense approach that we use implicitly in our everyday lives, except that it has been made explicit so that we can share it. As you start to use simple tools for a formal process, you may find that you start to use them for more mundane tasks, especially when you need to share the information with others.
5. What is a risk register and what is it used for?
A risk register captures the stages of the risk management process and helps us to view our overall risks, the ones we need to prioritise, and the status of any progress in mitigating them.
Many corporate risk registers, when supported by an in-house expert, are very complex and often involve proprietary risk management software, but the basics are the same as for simpler registers.
A basic risk register, in MS Excel format so that it can be used straight away and easily maintained, is included here.
6. How do I get people to agree what the real risks are and how to deal with them?
People have views on risk, depending on factors including:
- Their knowledge of the system
- Their familiarity with the risk
- Their personal attitude to gambling.
The fact that we have a variety of opinion gives us a much stronger output from a team than from an individual’s perspective of risk and options for action. We use a risk workshop to harness these different inputs.
7. How do I run a risk workshop?
For large projects, you should always seek to organise a risk workshop to initiate your map of the risks in your environment. As with any workshop, it is usually best to get someone independent to manage the process and arbitrate. Some organisations have a post of risk manager, whose role is to manage and communicate the risk process, rather than actually manage the organisation’s risks. Some organisations have internal trained facilitators, while others buy in trained consultants when required for these purposes.
A risk workshop should include as wide a representation as possible – people from different departments and with different outlooks, old and young, and junior and senior grades. Before the workshop, ask around to discover who could usefully contribute. Ideally, meet your nominees to tell them your purpose (say, to identify risks in the new production process) and what the process and durations will be. At least send people this information before the workshop so that they have some background and expectations.
Having assessed the risks, we move on down the process to agree what we should do about them and decide who should be responsible for any actions. At this point, we are getting into resource issues and we may need to involve a different group of stakeholders, but remember to share the output from any workshop with those who have participated or contributed.
8. What is the difference between a risk and an issue?
As in any good brainstorming process, when we start our process of identifying risks it is best to suspend categorisation until we have captured a good proportion of our concerns.
A good working definition of an issue is that it is a risk with 100 per cent probability of happening; that is, an issue is a risk that has come home to roost. The fact that we spend so much time in management talking about issues is an indication that we tend not to be proactive and plan for events, but still remain largely reactive once they have happened. The risk management process helps you to become a more proactive manager – less of the fire-fighter and more of the general.
Once a risk materialises into an issue, it sometimes precipitates a secondary set of risks; in other words, we may not have certainty of the future in this new scenario.
9. I have seen risks reported in different ways. What is a traffic light/RAG report?
Many people use colour for management reports in general to indicate the need for management attention. These are usually referred to as traffic light reports or RAG (Red Amber Green) reports. In this context, actions that are on track would be coded green, while those that are behind would be coded red. Red is often used to indicate high risk severity (the product of impact and likelihood).
There are other tools to communicate risk.
10. What do I do about risks?
Our assessment of risks gives us a pecking order to work from. This is indicated by the likelihood of risk and the potential impact. If we are alerted to the combination of increased likelihood together with increased impact, then we are likely to take more drastic action.
Hence, our basic tools for communicating risk, such as our Risk register and Probability impact grid, indicate which risks to deal with first, especially when – as is usually the case – we have limited resources.
We can take several forms of action in dealing with risk. We can:
- Accept the risk
- Transfer the risk
- Reduce the probability of the risk
- Reduce the impact of the risk.
Usually, a combination of these approaches is used.
11. Are there any tools I should know about to help me to manage risk?
The main tool to help manage risk is the risk process.
After this, the most important tool to help manage the risk process is the risk register.
Several standard management tools and models can be applied to risk management.
There are several pieces of software designed specifically for management of risk across an organisation. These are labour intensive and in the realm of the full-time risk manager.
12. How can I get help?
Some organisations have a post of risk manager, whose role is to manage and communicate the risk process, while others buy in trained consultants when required for these purposes.