What is the implementation of risk management about?

Last updated: 2023-07-13

Implementing a risk management system is a daunting task for most people, especially when they are forced to do it under the threat of heavy fines, as is the case now with the Cyber Act and NIS2 obligations. Let's look at it together from a practical side.

Risk management is actually about common sense

  1. Risks are potential problems that may or may not occur.
  2. Risk management is nothing more than trying to estimate and predict these possible problems and having a plan for what you will do about them and how you will react to them, so that you are ready for them. It's the same as when you take out an insurance policy: you simply assess what is at stake.
  3. A risk management system means that you do the whole thing systematically, in a controlled manner. So it is a systematic approach to prevent possible problems.

What do we need to be aware of about the risks?

  • You can never predict all the risks, no matter how hard you try
  • You can influence some risks, especially those inside your organization
  • Some risks may appear or may occur without your influence. These are primarily external risks.
  • Once you have a list of risks, you should know what you want to do with each individual risk

What can you do with risks?

  • You can try to avoid them
  • You can try to mitigate them
  • You transfer them to someone else (for example through insurance)
  • You will ignore them

What do you need to do to say you have a risk management system in place?

A risk management system in place effectively means that:

  1. You have created a list of risks - i.e. a catalog of risks covering the whole scope within which you want to manage your risks
  2. You evaluate individual risks. You know which ones are the most dangerous for you and you focus on the most problematic ones
  3. You have a plan to deal with individual risks - that is, you have measures and a plan to eliminate or mitigate risks
  4. Once in a while, you will reassess everything - whether you have set the plan well and whether there are any new risks

Do you address all risks or just one area?

Before you start, you need to be clear about whether you want to address all the risks that threaten your business or whether, for some reason, you are focusing on just one area (for example, because a legislative obligation such as NIS2 compliance forces you to). The scope, i.e. how broad an area you cover, must be determined before starting the risk analysis. So you can look for and manage risks either for the entire company or only for one area, most often:

  • Risks throughout the company
  • Workplace safety risks
  • Financial risks
  • Information security risks
  • Cyber security risks
  • And more

Create and maintain a risk list

Based on the scope, you create a list of risks. So, for example, if you only address NIS2 and cyber risks, your list will only contain risks that threaten your information and systems. You will not deal with the risks of, for example, accidents in the workplace.

You can create a list of risks on paper, in Excel, or using a dedicated tool. The more people involved in the risks, the more likely it is that you will need a tool like Aptien. What matters is that all the people involved can share information and work on the assignment as a team. Only then does it all make sense. If you just put it in a file, the papers stay in the drawer and risk management makes no sense. Thanks to the list (catalog) of risks, you can:

  • describe each individual risk so that you can evaluate it
  • share risk information across the whole team, with all the people involved

Aptien TIP: Use Excel or create a risk catalog using the risk register. For each risk, you create a separate risk card on which you store detailed information such as impact and probability, together with the measures to eliminate or mitigate the risk. You keep the risks in context, so you know which risk is linked to which asset - to the project, property, process and other assets - as well as who is responsible for which risk.

The risk register is not just a list, it is a living environment

  • The risk register is an important place that serves to record and monitor potential risks
  • Whatever happens, put it in the register. Whenever there is a possibility that something could affect your business, you should assess it and record it in the risk register.
  • The risk register contains key information about each risk, including the impact of the risk, the likelihood of it occurring, its rating or priority level, who oversees the risk, and what measures will be used to manage and mitigate the risk.
  • A shared risk register is an integral part of the risk management process and can help your project succeed.
  • As a business grows and more people are involved in the process, it becomes increasingly difficult to keep track of what is important. This is where a risk register can be of great value. It documents potential risks in one place and allows you to easily reference it for risk management and monitoring.

You assess the risks to know what can cause you the biggest problems

Analyze and evaluate risks. The purpose of a risk assessment is to tell you what is likely to cause you the most problems. You can never take care of everything, so you have to draw a clear line between the risks you will take care of as a matter of priority and those you simply will not take care of. This is what prioritization is for: it tells you which risks to address first.

Importance and priorities can be determined in many different ways. The simplest and most common way is to determine the impact and the probability of each risk.

  • the impact of a risk means how big a problem the risk can cause and what consequences it will have
  • the probability determines how likely the risk is to occur

Once you establish this for each risk, you can easily determine the magnitude of the risk = probability x impact.

You have a plan to deal with individual risks

  "The goal is not just to draw devils on the wall, but to try not to bring the devils to life."

Once you have a list of the most dangerous risks, you determine for each of them what you want to do about it. For the selected risks, you create a plan for what to do with them - the corrective measures are kept in a separate record (organizer) of corrective or preventive measures.

How will you respond to them? For each risk, you decide what to do with it, focusing on the biggest risks.

  • You will try to avoid them
  • You will try to mitigate them
  • You transfer them to someone else (for example through insurance)
  • You will ignore them
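As an added illustration (this is example code written for this page, not part of the original article and not Aptien's own product code), here is a small Python risk register that models the risk cards, the assessment and the treatment decision described above: each risk carries a linked asset, an owner, impact and probability, a chosen treatment and the measures planned for it; the register ranks risks by magnitude = probability x impact and flags cards whose review is older than a year. The 1-5 scales, the sample risks, names and dates are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Treatment(Enum):
    """The four responses the article lists for a risk."""
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    IGNORE = "ignore"


@dataclass
class Risk:
    """One risk card: description, context (asset, owner), assessment and plan."""
    name: str
    asset: str
    owner: str
    probability: int            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale 1 (negligible) .. 5 (critical)
    treatment: Treatment
    measures: list[str] = field(default_factory=list)
    last_reviewed: date = date.today()

    def __post_init__(self) -> None:
        # Reject cards that were filled in outside the agreed scale.
        for label, value in (("probability", self.probability), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")

    def magnitude(self) -> int:
        """Magnitude of the risk as the article defines it: probability x impact."""
        return self.probability * self.impact


class RiskRegister:
    """The shared catalog of risks: add cards, rank them, find stale reviews."""

    def __init__(self) -> None:
        self._risks: list[Risk] = []

    def add(self, risk: Risk) -> None:
        self._risks.append(risk)

    def prioritized(self) -> list[Risk]:
        """Risks ordered from the most to the least dangerous."""
        return sorted(self._risks, key=lambda r: r.magnitude(), reverse=True)

    def top(self, n: int) -> list[Risk]:
        """The n risks to focus on first."""
        return self.prioritized()[:n]

    def by_asset(self, asset: str) -> list[Risk]:
        """Every risk linked to one asset (project, system, process...)."""
        return [r for r in self._risks if r.asset == asset]

    def overdue_reviews(self, today: date, max_age_days: int = 365) -> list[Risk]:
        """Cards not reassessed within the review period (default: one year)."""
        limit = timedelta(days=max_age_days)
        return [r for r in self._risks if today - r.last_reviewed > limit]


# Constructed sample data for a cyber-security scope; every value is made up.
TODAY = date(2023, 7, 13)


def build_sample_register() -> RiskRegister:
    reg = RiskRegister()
    reg.add(Risk("Ransomware encrypts the file server", "File server", "IT lead",
                 probability=4, impact=5, treatment=Treatment.MITIGATE,
                 measures=["offline backups", "phishing training"],
                 last_reviewed=date(2023, 7, 1)))
    reg.add(Risk("Key supplier outage", "Order processing", "COO",
                 probability=3, impact=3, treatment=Treatment.TRANSFER,
                 measures=["contract penalty clause", "second supplier"],
                 last_reviewed=date(2022, 1, 15)))   # last reviewed 18 months ago
    reg.add(Risk("Laptop with customer data stolen", "Field laptops", "IT lead",
                 probability=2, impact=4, treatment=Treatment.MITIGATE,
                 measures=["full-disk encryption"], last_reviewed=date(2023, 7, 1)))
    reg.add(Risk("Coffee machine breaks down", "Office kitchen", "Office manager",
                 probability=5, impact=1, treatment=Treatment.IGNORE,
                 last_reviewed=date(2023, 7, 1)))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritized():
        print(f"{r.magnitude():>2}  {r.treatment.value:<9} {r.name} (owner: {r.owner})")
    for r in reg.overdue_reviews(TODAY):
        print(f"review overdue: {r.name} (last reviewed {r.last_reviewed})")
```

Running the script prints the register ranked by magnitude, with the ransomware card (4 x 5 = 20) first and the ignored coffee-machine card last, and lists the supplier-outage card as overdue for review because its last assessment is more than a year old.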

You will bring plans to life

For each risk, you start doing what you set out to do.

  • In the case of risks that you will try to prevent or avoid, you will simply not do the given thing. For example, if a particular device is unsafe to use, you stop using it
  • For the risks that you will try to mitigate, you will take measures that will reduce the likelihood of their occurrence. For example, you reduce the risk of slipping by making the floor non-slip
  • For risks that you want to transfer to someone else, you can, for example, take out insurance (you transfer any financial losses to the insurance company). Another example is the transfer of risk to the supplier, i.e. you start buying the given service from the supplier or you outsource the given process
  • For risks where you have specified that you will ignore them, you will ignore them. You won't do anything

Nothing is static, work on it continuously

The world and circumstances are constantly changing and one must adapt. Over time, new risks emerge, existing risks increase or decrease, some risks cease to exist, risk priorities may change, or risk "treatment" strategies may no longer be effective.

Completely different circumstances may arise tomorrow - some risks may no longer apply, other risks may appear. This does not mean that you will re-evaluate your risk list every morning. But have processes and a way of thinking in place that allow you to react to a change in the situation and update your list of risks to match the current situation in your company and in your surroundings.

Once in a while you reevaluate everything

Even if you will naturally do this on an ongoing basis, it is always a good idea to do a major review at least once a year - that is, to go through the complete list of risks and related measures and assess whether everything is still valid and there is no need to reevaluate anything. Again, the same principles apply as in the ongoing reassessment - you may find that a particular risk no longer applies, or that the probability of it occurring has radically decreased or increased.

Therefore, in order to declare your risk management system as working, you must review and reassess the risks once in a while - at least once a year. Concretely, you check:

  • Whether the severity of the risks you identified has changed
  • Whether your plan is working, or whether it would be better to handle a risk another way
  • Whether any new risk has appeared
  • Whether any risk has disappeared on its own

You can do this in the form of audits or sessions of the company management team, individual departments, etc. The outcome should be assessed, written down and recorded in the risk catalogue.

Whatever happens, put it in the register.

Everything goes round and round

Like governance, risk management is a continuous process. For most people (those not directly running the safeguards) this is not a daily routine, and it can boil down to that one annual assessment. But beware: it must not be a formal session held "just so that something gets written down".

A summary of what it means to have a risk management system in place

Therefore, in order to declare your risk management system working, you must:

  • Keep a risk list
  • Have every risk evaluated
  • Have listed the risks that can endanger you the most
  • Have a plan to deal with them and what to do when they occur
  • Reassess risks and plans regularly