So we all know the importance of a great risk register but so many people think that risk management starts and stops with it. Of course, we all know that isn’t true.
Risk, if not properly managed, can have a catastrophic impact on your business (indeed they can end it if you’re not careful) so effective ongoing risk management and issue mitigation is not only required but it’s crucial. If you get it right you’ve not only highlighted the risk but have looked at avoidance/mitigation options and reduced your potential exposure. Get it wrong and….well bad things could happen.
So let’s assume you’ve got a fantastic Risk Register that you’ve got populated through a risk review. You’re sitting back thinking you have managed your risk. Afraid not.
What then?
Identifying risk is only a primary step in risk management you also need to:
1/ Review the register regularly
Your exposure to risk will change over time, old risks diminish and new risks emerge. Risk reviews should have regular cadence and your team should brainstorm new potential risks and update existing ones. Establish a review cycle to ensure complacency doesn’t set in. Clearly this review should include the right personnel. Remember brainstorming risks doesn’t have to include analysis it’s merely a method of identifying issues before they become issues.
2/ Write mitigation steps around your risks
So you’ve highlighted some risks. The next step is to review what steps can be taken to reduce the possibility that the risk materialises into an issue. Let’s look at an example – there might be a risk in supply of a particular product. Let’s say you make motorcycles but your paint supply could be temperamental so there is a risk that not having paint supply might impact your sales forecast. Your mitigation could be in this example that you might look for alternate supply – you might give this action to Jim and ask him to do it within the next 30 days. If Jim is successful this will reduce the opportunity of the risk becoming an issue by 50%.
3/ Ensure that the mitigation tasks have owners and that they report back on their implementation actions.
In the above example – if you had just identified that paint supply might be an issue but had failed to attribute an owner, what would happen? Probably not a lot. Make sure you choose owners for mitigation tasks that have the ability to execute the required activity.
4/ Review the impact of the mitigation after you’ve done it – has your risk exposure reduced?
So Jim has successfully introduced a 2nd paint supply to mitigate the issue. You choose to monitor the risk over the next few risk review cycles to monitor the success (or not) of the steps taken.
5/ Brainstorm new risks
Risks do not stay the same. Business changes and new risks emerge. In our example we have mitigated the paint supply but a new risk emerges that the original manufacturer has announced that it is carrying out a review that it will stop making certain types of paint. This now creates a new risk that will require new mitigation steps.
The above is merely basic steps you should be carrying out as part of your risk reviews while the process is one of the more obvious business processes you’d be surprised how many don’t effective one.
Got some thoughts on risk processes? – let us know in the comments below.