Understand the Resourcing and Implementation of Risk Management Strategy.
- 1 Risk management criteria against which risk can be assessed
- 2 Techniques to identify and quantify risk, including risk interdependencies
- 3 Develop strategies to eliminate, mitigate, deflect or accept risk
Risk management criteria against which risk can be assessed
Risk management approach
By creating a risk management approach you need to setup a set of documentation comprising:
- Risk management policy
- Risk management process guide
- Risk management strategies for each organizational activity
For the execution of the risk management you need also:
- Risk register – capture and maintain information on all the identified risks (threats)
- Issue register – all identified issues that happening now and require action
- Risk improvement plan – describes how the organization plans to meet and to continue to meet all the risk management principles
- Risk communication plan – describes how information will be disseminated to and received from all relevant stakeholders of a particular activity
- Risk response plan – detailed specific plans for responding to a single or linked set of risks
- Risk progress report – provides regular progress information to risk management
Techniques to identify and quantify risk, including risk interdependencies
Techniques to identify risk areas
Techniques that can be used for identifying risk areas:
– Stakeholder analysis
- Capture who the stakeholders are (roles in the activity, degree of participation)
- Engage stakeholders with differing perceptions of risk
- Output: stakeholder map
– PESTLE analysis
- Capture understanding about aspects of the context (Political, Economic, Sociological, Technological, Legal and Environmental)
- Facilitates a wide scan of the context and actual or potential factors that would affect objectives when unmanaged
- Output: environmental analysis
– SWOT analysis (Mintzberg, 1990)
- Focusing on individual or group attention on strengths, weaknesses, opportunities or threats
- Particular strengths and weaknesses (facts) can be/cause risk (opportunities and/or thread)
- Output: greater understanding and insight into competitors and market position
– Horizon scanning
- Systematic examination of likely future developments that are at the margins of current thinking and planning
- Output: identification of changes that may affect organization’s overall risk exposure
– Probability impact grid
- Assess the impact for every risk identified, defines the impact.
- Output: a classification of the identified risks
Techniques to identify the risks
Recommend techniques for identifying risk are:
- Provide a mechanism to ensure that risks identified on previous (similar) activities are not overlooked
– Prompt list
- Stimulate thinking about the sources of risk through the provisions of risk categories and sources (internal and external), risk breakdown list
– Cause and effect diagrams (fishbone diagrams)
- Helps to understand causes/sources of uncertainty that may cause risk
- Often used to aid root cause analysis of an actual problem
– Group techniques (brainstorming, Delphi)
- Leverage the fact that groups of stakeholders with different perspective can be rich sources of ideas
- Engaging stakeholders
– Individual interviews
- Effective was of engaging senior and important stakeholder is a way that protects their time
– Assumption analysis
- Test the validity of each assumptions related
– Constraints analysis
- Test the validity of each constrain related
Develop strategies to eliminate, mitigate, deflect or accept risk
Risk response planning defines a range of response options to change the risk exposure for the least investment. For some risks a response can maintain more than one option.
Generic risk response types
Avoid a threat
Exploit an opportunity
Making the uncertain situation certain by removing the risk.
Reduce a threat
Enhance an opportunity
Making the threat less likely to occur and/or reduce the impact
Transfer the risk
Pass the risk on to a third party (f.e. Insurance)
Share the risk
Share the risk on a pain/gain basis between multiple parties
Accept the risk
Takes the change that the risk will occur
Prepare contingency plan
Only prepare a plan as response ‘if the risk occurs’ but not taking the actions defined in the plan
Table: generic risk response types
Risk response method
Methods to help to decide on the right risk response are:
– Cost-benefit analysis
- Takes in account all the cost and benefits, including social benefits, impact on reputation, to give guidance on the decision making. Some cost and/or benefits are difficult to quantify therefor is this method not a precise science.
– Decision trees
- Provide an effective structure within which you lay out the options and investigate the possible outcomes.
- Uses the expected value technique to cost different actions and allowing comparison.
A process for communicating, resourcing and managing risk management strategies
To have a proper risk management in place bigger companies should setup a specialized department that has Risk in her portfolio. They do not only look at project risks but also on other risk in the company.If you setup an overall registration and follow up tool (could be SharePoint, could be anything that works for your company) you can track your risks company wide.
For projects, let project managers add those risks in your registration tool so you have those risks also in your company wide view.
Per project you need to log your risks for every possible pre-defined risk category (f.e. financial, legal). These need to be discussed at least before the first approval of the project and ongoing every month during the project.
For every risk you need to mention the impact/probability, mitigation, owner, ‘cost of the risk’, etc.
For risks that are quit common for every project you need to decide to list it for every project individually or create them on a higher level (f.e. program or portfolio level).
In the weekly project reports the top 3 of the project risks need to be included and discussed in the monthly program board meeting.
The good thing with such an overall tool is that you really have an active risk policy in place. This helps people to think about the risks that can arise. Just be aware that it still needs human interaction, having this tool alone will not help you and people need to be aware of using it (in the right way) every time. Also use it actively in team or department meetings so that people can see that this risk register is not a paper tiger but is really used. That will make the acceptance and use within your company a lot easier.
Instead of only reviewing what was in this risk register a better approach could be to discuss the risk topics between the project managers and the ‘risk people’. The ‘risk people’ can then go through the topics they didn’t found in the risk register for this project with the project and see if there (maybe) are other non-defined risks or if risks that are now in the risk register are still valid. This also helps to make the risk topic more usable in your projects.
People would then get a better understanding of the risk management strategy of the company and adapt this in their work.
What’s your best advice to understand the resourcing and implementation of Risk Management Strategy?
Source: Original text, based upon first hand knowledge and the following bibliography:
· Mintzberg, H. (1990). The Design School: Reconsidering the Basic Premises of Strategic Management. Strategic Management Journal, Vol. 11 , 171-195.
· Office of Government Commerce. (2010). Management of Risk: Guidance for Practitioners 2010.London: The Stationery Office (TSO).