Risk management is actually about common sense
- Risks are potential problems that may or may not occur.
- Risk management is nothing more than trying to estimate and predict these possible problems, and having a plan for what you will do about them and how you will react to them, so that you are ready for them. It is the same as taking out an insurance policy: you simply assess what is at stake.
- A risk management system means that you do the whole thing systematically, in a controlled manner. It is a systematic approach to preventing possible problems.
What do we need to be aware of about the risks?
- You can never predict all the risks, no matter how hard you try
- You can influence some risks, especially those inside your organization
- Some risks may appear or occur without any influence on your part. These are primarily external risks.
- Once you have a list of risks, you should know what you want to do with each individual risk
What can you do with risks?
- You can try to avoid them
- You can try to mitigate them
- You can transfer them to someone else (for example through insurance)
- You can accept them, i.e. consciously decide to do nothing about them (often called "ignoring" the risk, but it must be a recorded decision, not an oversight)
What do you need to do to say you have a risk management system in place?
- You have created a list of risks, i.e. a risk catalogue covering the whole scope in which you want to manage your risks
- You evaluate the individual risks. You know which ones are the most dangerous for you and you focus on the most problematic ones
- You have a plan for dealing with the individual risks, that is, you have measures and a plan to eliminate or mitigate them
- Once in a while you reassess everything: whether the plan is still set correctly and whether any new risks have appeared
Do you address all risks or just one area?
- Risks throughout the company
- Workplace safety risks
- Financial risks
- Information security risks
- Cyber security risks
- And more
Create and maintain a risk list
- Describe each individual risk so that you can evaluate it
- Share risk information across the whole team, with all the people involved
The risk register is not just a list, it is a living environment
- The risk register is an important place that serves to record and monitor potential risks
- Whatever happens, put it in the register. Whenever there is a possibility that something could affect your business, you should assess it and record it in the risk register.
- The risk register contains key information about each risk, including the impact of the risk, the likelihood of it occurring, its rating or priority level, who oversees the risk, and what measures will be used to manage and mitigate the risk.
- A shared risk register is an integral part of the risk management process and can help your project succeed.
- As a business grows and more people are involved in the process, it becomes increasingly difficult to keep track of what is important. This is where a risk register can be of great value: it documents potential risks in one place and lets you easily reference it for risk management and monitoring.
You assess the risks to know what can cause you the biggest problems
- The impact of a risk means how big a problem the risk can cause, i.e. what consequences it will have
- The probability (likelihood) determines how likely the risk is to occur
- Combining the two (for example impact multiplied by likelihood) gives a rating that lets you rank the risks and focus on the most dangerous ones first
You have a plan to deal with individual risks
- You will try to avoid them
- You will try to mitigate them
- You will transfer them to someone else (for example through insurance)
- You will accept them, i.e. consciously decide to do nothing about them
You will bring plans to life
- For the risks that you will try to prevent or avoid, you simply do not do the given thing. For example, if a particular device is unsafe to use, you stop using it
- For the risks that you will try to mitigate, you take measures that reduce the likelihood of their occurrence or the severity of their impact. For example, you reduce the risk of slipping by making the floor non-slip
- For the risks that you want to transfer to someone else, you can, for example, take out insurance (you transfer any financial losses to the insurance company). Another example is transferring the risk to a supplier, i.e. you start buying the given service from the supplier or you outsource the given process
- For the risks that you have decided to accept, you do nothing. The decision itself, who made it and why, still belongs in the register, so that nobody can later mistake an accepted risk for one that was never noticed
Nothing is static, work on it continuously
- The world and circumstances are constantly changing and one must adapt. Over time, new risks emerge, existing risks increase or decrease, risks no longer exist, risk priority may change, or risk "treatment" strategies may no longer be effective.
- Completely different circumstances may arise tomorrow: some risks may no longer apply, others may appear. This does not mean that you will re-evaluate your risk list every morning. But have processes and habits in place that allow you to react to a change in the situation and update your list of risks to match the current state of your company and its surroundings.
Once in a while you reevaluate everything
Even if you naturally do this on an ongoing basis, it is always a good idea to do a major review at least once a year, that is, to go through the complete list of risks and related measures and assess whether everything is still valid and whether anything needs to be re-evaluated. The same principles apply as in the ongoing reassessment: you may find that a particular risk no longer applies, or that the probability of it occurring has radically decreased or increased.
Therefore, in order to declare your risk management system working, you must review and reassess the risks once in a while, at least once a year. Specifically, check whether:
- The dangerousness of the risks you identified has changed
- Your plan is working, or whether it would be better to handle a risk another way
- Any new risk has appeared
- Any risk has disappeared on its own
You can do this in the form of audits, company management team sessions, department meetings, etc. The outcome should be assessed, written down and recorded in the risk catalogue.
Whatever happens, put it in the register.
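The following is an added example (not part of the original page) of what the register described above can look like when kept as data rather than as a document: each row carries the fields the text lists (impact, likelihood, rating, owner, treatment, measures), the rows are ranked by rating, and a reassessment pass raises the findings a yearly review should produce (review overdue, a High risk that is merely accepted, a treatment with no measure behind it). The 1 to 5 scales, the priority thresholds, the one-year interval and all register entries are assumptions constructed for the example; the page prescribes none of them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# All of the following scales and thresholds are assumptions for this
# example; the page prescribes none of them.
TREATMENTS = {"avoid", "mitigate", "transfer", "accept"}
HIGH_THRESHOLD = 15                     # rating >= 15 -> High
MEDIUM_THRESHOLD = 8                    # rating >= 8  -> Medium, else Low
REVIEW_INTERVAL = timedelta(days=365)   # the "at least once a year" review


@dataclass
class Risk:
    """One row of the register: the fields the text says it must carry."""
    risk_id: str
    description: str
    impact: int          # 1 (negligible) .. 5 (critical), assumed scale
    likelihood: int      # 1 (rare) .. 5 (almost certain), assumed scale
    owner: str           # who oversees the risk
    treatment: str       # avoid / mitigate / transfer / accept
    measures: str        # what will be done (empty string if nothing)
    last_reviewed: date

    def __post_init__(self) -> None:
        # Reject rows that cannot be evaluated: the register is only useful
        # if every entry is scorable and carries a recorded decision.
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.risk_id}: impact and likelihood must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def rating(self) -> int:
        """Impact times likelihood: how big a problem, times how likely."""
        return self.impact * self.likelihood

    @property
    def priority(self) -> str:
        if self.rating >= HIGH_THRESHOLD:
            return "High"
        if self.rating >= MEDIUM_THRESHOLD:
            return "Medium"
        return "Low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Most dangerous first; ties broken by id so the order is stable."""
    return sorted(register, key=lambda r: (-r.rating, r.risk_id))


def reassessment_findings(register: list[Risk], today: date) -> list[tuple[str, str]]:
    """The checks a periodic review should raise, as (risk_id, finding) pairs."""
    findings = []
    for r in register:
        if r.priority == "High" and r.treatment == "accept":
            findings.append((r.risk_id, "High-rated risk is merely accepted; "
                                        "needs explicit sign-off or another treatment"))
        if r.treatment != "accept" and not r.measures.strip():
            findings.append((r.risk_id, "treatment chosen but no measure recorded"))
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.risk_id, "review overdue"))
    return findings


# Constructed sample register; the entries are illustrative, not real data.
TODAY = date(2024, 6, 1)
REGISTER = [
    Risk("R-01", "Unpatched internet-facing web server", 5, 4, "IT lead",
         "mitigate", "Patch within 14 days; monthly vulnerability scan", date(2024, 1, 10)),
    Risk("R-02", "Theft of a company laptop", 3, 3, "Office manager",
         "transfer", "Equipment insurance policy", date(2023, 9, 15)),
    Risk("R-03", "Phishing leading to credential theft", 4, 5, "IT lead",
         "accept", "", date(2024, 3, 1)),
    Risk("R-04", "Slippery floor in the workshop", 2, 2, "Facilities",
         "mitigate", "Non-slip flooring installed", date(2022, 11, 3)),
    Risk("R-05", "Legacy device that is unsafe to operate", 4, 2, "Facilities",
         "avoid", "Device decommissioned; task performed another way", date(2024, 2, 20)),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.risk_id} rating={r.rating:2d} {r.priority:6s} {r.treatment:8s} {r.description}")
    for risk_id, finding in reassessment_findings(REGISTER, TODAY):
        print(f"FINDING {risk_id}: {finding}")
```

Run as a script it prints the register ranked by rating and then the review findings: R-03 is flagged because a High risk was simply accepted, and R-04 because its last review is more than a year old. The point of the findings function is that the checks the text asks for in the yearly review are mechanical enough to be encoded, so the review session can start from a list of exceptions instead of from a blank page.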
Everything goes round and round
- Like governance, risk management is a continuous process. For most people (those who only implement the safeguards) it is not a daily routine, and it may boil down to the annual assessment. But beware: that assessment is not a formal session held just so that something gets written down.
A summary of what it means to have a risk management system in place
Therefore, in order to declare your risk management system working, you must:
- Keep a risk list
- Have every risk evaluated
- Know which risks can endanger you the most
- Have a plan to deal with them and what to do when they occur
- Reassess risks and plans regularly