Evaluate Your Risk Management Strategies.
How can you evaluate the outcomes of risk management strategies
When you want to evaluate the outcomes or effectiveness of a risk management strategy, you need to define key performance indicators (KPIs) that you can measure. KPIs need to be defined specifically for the company and tailored to its risk management and strategy.
Possible KPIs for evaluation include:
- Percentage of risk issues outside the risk tolerance without a response option
- Number of non-identified risks that occurred
- Cost incurred for any unidentified risk that occurred
- Deviation of estimated impact from real impact for risks that occurred
- Percentage of non-implemented risk actions
- Mitigation cost vs cost of impact
Another way of measuring is to introduce a maturity model for the management of risk. The higher the maturity in an organization, the more successful the implementation of the risk management strategy. ‘Pre-defined’ models already exist; a comparison of these maturity models is given in Table 2: Comparison of maturity model levels (Office of Government Commerce, 2010).
Managed planned and tracked
Table: Comparison of maturity model levels (Office of Government Commerce, 2010)
Determine actions to respond to outcomes of risk strategies
By using a continuous improvement process that aligns the strategic risk management process with the business management process, you can capture the strategic risks in the organizational business plans.
The output or lessons learned from earlier outcomes will be incorporated in the risk management strategy that will define how the current strategic planning cycle or investment decisions are handled.
The strategic risk register holds all the captured risks that have been identified and assessed, together with their agreed and planned risk responses.
As with every framework you are using, you need to be aware that it helps you to become better, and that people should not be doing this only because it is a ‘mandatory action’. The big risk with risk management is that people feel that nothing is done with the real risks detected, or that they are just filling in forms. Therefore (top) management needs to live the risk strategy in the organization and actively discuss and ‘defend’ the policies.
To see whether the risks are still valid and the countermeasures are still the right choice, regular checks need to be made on the registered risks. A risk that was low at the beginning can become high over time, and a risk that was very high at the start can be gone by the time you finish your project. The same applies to the countermeasures that were taken (or not): they may need to change based on recent changes in the organization or in regulations.
Risk management needs to be ‘companywide’ and not only a team, department or branch solution. The benefit of having this overall view is that a risk to a single entity may be easily mitigated at the level of the whole, and for a companywide risk, one solution will benefit all individual risks.
What’s your best advice to evaluate your Risk Management Strategies?
Source: Original text, based upon first-hand knowledge and the following bibliography:
- Mintzberg, H. (1990). The Design School: Reconsidering the Basic Premises of Strategic Management. Strategic Management Journal, Vol. 11, 171-195.
- Office of Government Commerce. (2010). Management of Risk: Guidance for Practitioners 2010. London: The Stationery Office (TSO).
Image: © Pressmaster – photodune.com