Risk Management Software is complex and unwieldy to manage. Keeping your risk profile up to date soaks up precious time. Getting the control and improvement processes to happen is a struggle.
And don’t even mention reporting!
There are common causes for this. Provided people understand risk management the way ISO 31000 explains it, it usually comes down to not having the right tools to do the job. You need tools to automate the communications processes. These need to seamlessly flow through to mitigation and improvement. The system must engage everyone in risk management, rather than centralise it to one person. Finally, any good risk management software must make what’s happening (or not happening!) transparent, with great reports.
This draws on extensive experience and understanding of how organizations actually work. It works because it reflects how you work. It takes the ISO 31000 risk management approach and turns it into a logical workflow.
RelianSys® Risk Management Software is a powerful tool for people who want a practical solution. It sweeps the barriers away so that you can manage risk properly across your organization. It’s flexible and easy to use. It’s equally effective from the smallest to the largest organization, and across the range of industry types.
The first step is to involve the people who have an interest in the process, and therefore the risks, which are to be managed. Broad and inclusive communications will enable as much relevant information as possible to be gathered. This ensures the correct context, identification, prioritisation and analysis of risks. Buy-in at this stage is also important to ensure the involvement and commitment needed for the achievement of risk management outcomes.
Establishing the context need not be a difficult concept to understand and apply. ISO 31000 defines risk as the effect of uncertainty on objectives, and that effect can be negative or positive. Objectives are normally derived from the organisational strategy, so the first step is to understand the strategic and business objectives. We can then look at the influences that will impact on those objectives; for example, political/legal, economic, social, technological, trends and global issues. Within organisations there will generally also be operational or internal objectives at the business unit level. By clarifying these objectives, it becomes easier to understand the context and the environment in which those risks exist. When we have clarified the objectives of and throughout the organisation, we can determine the scope of the risk management activities we are going to undertake. Clear boundaries or reference points, as well as intended outcomes, can be established, together with a logical approach to identify and manage risks throughout the organisation.
We develop our criteria for measuring risk in terms of how likely risks are to impact on our objectives, as well as the consequences if they do occur. The grid that combines the two is commonly known as a risk matrix. It is needed in order to rate the severity of risks for our organisation consistently. Most organisations tend to choose 4 or 5 levels of likelihood, from rare through to almost certain. Consequences can fall into many categories. These may include financial, quality, environmental, health and safety, asset, and business disruption. When we have established these categories we need to ‘calibrate’ the levels across them, so that a level-4 (major) financial loss is treated as being as severe as a level-4 safety outcome, and a risk that touches several categories is rated on its worst one. By combining the various levels of likelihood and consequence, we can apply our risk ratings throughout the organisation. Examples of risk ratings could be from low through to extreme. For example, if something is almost certain with a consequence of fatality, we would obviously give that the highest risk rating of Extreme.
Risk identification is done by systematically reviewing processes and questioning what could possibly go wrong, or what could possibly be achieved. It is best undertaken using a multidisciplinary team, which provides a better opportunity to identify all risks and their causes. It is wise to have one or two people who have a very good understanding of the processes involved, and to include all levels of management. Other stakeholders from interfacing processes can provide valuable input, as can the stakeholders who would bear the consequences, negative or positive, if a risk eventuates. Risk identification should be undertaken using a systematic approach, starting at upstream interfaces, working through the processes and finishing with downstream interfaces. If ad hoc or intuitive approaches are used, important risks may not be identified.
Analysis enables us to make informed decisions about prioritisation of risk treatment. It involves starting from the basis of the existing controls we have in place. Then we consider the likelihood and consequences of the risk, in the context of a range of factors, such as historical information, performance, experience, research and stakeholder input.
Once risk analysis has been completed, we can determine the ranking and prioritisation of risks for treatment purposes. This is based on the criteria we established in the risk framework. For our higher level risks, we may undertake some further investigation and analysis to determine treatment plans.
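The matrix, the calibration across consequence categories, the analysis that starts from existing controls, and the ranking for treatment described above can be put into a small risk-register model. The following is an added example written for this page, not code from RelianSys or from ISO 31000; the five-level scales, the rating bands over the likelihood × consequence product, the per-control reduction steps, the "worst category wins" calibration rule and the sample register entries are all constructed assumptions, and an organisation would substitute its own framework values.

```python
"""Risk register scoring: likelihood x calibrated consequence -> rating -> treatment priority.

Added example, not code from the page's product or from ISO 31000. All scales,
thresholds and sample risks below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Five likelihood levels, rare .. almost certain, scored 1..5 (constructed scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Consequence categories. Each list is ordered least to worst, and the position in the
# list is the calibrated severity (1..5): a level-5 financial loss is treated as being
# as severe as a level-5 safety outcome. Labels are constructed.
CONSEQUENCE = {
    "financial": ["<$10k", "$10k-$100k", "$100k-$1M", "$1M-$10M", ">$10M"],
    "safety": ["first aid", "medical treatment", "lost-time injury", "permanent disability", "fatality"],
    "disruption": ["<1 hour", "<1 day", "<1 week", "<1 month", ">1 month"],
}

# Rating bands over the likelihood x consequence product (1..25); thresholds are assumed.
RATING_BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (1, "low")]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}


def consequence_score(consequences):
    """Calibrate across categories: map each label to 1..5 and take the worst."""
    if not consequences:
        raise ValueError("at least one consequence category is required")
    scores = []
    for category, level in consequences.items():
        levels = CONSEQUENCE.get(category)
        if levels is None or level not in levels:
            raise ValueError(f"unknown consequence {category!r}={level!r}")
        scores.append(levels.index(level) + 1)
    return max(scores)


def rating(score):
    """Map a 1..25 score onto the low/medium/high/extreme bands."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    raise ValueError("score must be >= 1")


@dataclass
class Control:
    """An existing control and the (assumed) number of levels it removes."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str          # key of LIKELIHOOD, before controls
    consequences: dict       # category -> level label, before controls
    controls: list = field(default_factory=list)


def assess(risk):
    """Analyse one risk: inherent rating, then residual rating given existing controls."""
    if risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {risk.likelihood!r}")
    l_inh = LIKELIHOOD[risk.likelihood]
    c_inh = consequence_score(risk.consequences)
    # Controls lower the level, never below 1: a risk is never rated away entirely.
    l_res = max(1, l_inh - sum(c.likelihood_reduction for c in risk.controls))
    c_res = max(1, c_inh - sum(c.consequence_reduction for c in risk.controls))
    return {
        "name": risk.name,
        "inherent": (l_inh * c_inh, rating(l_inh * c_inh)),
        "residual": (l_res * c_res, rating(l_res * c_res)),
    }


def prioritise(register, appetite="medium"):
    """Evaluate the register: rank by residual score and flag risks above appetite."""
    rows = [assess(r) for r in register]
    rows.sort(key=lambda row: row["residual"][0], reverse=True)
    for row in rows:
        row["treat"] = RATING_ORDER[row["residual"][1]] > RATING_ORDER[appetite]
    return rows


# Constructed sample register (not real organisational data).
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts file servers", "almost certain",
         {"financial": "$1M-$10M", "disruption": "<1 month"},
         controls=[Control("offline backups", consequence_reduction=1),
                   Control("EDR and phishing training", likelihood_reduction=1)]),
    Risk("Forklift strikes pedestrian in warehouse", "possible",
         {"safety": "fatality", "financial": "$100k-$1M"},
         controls=[Control("segregated walkways", likelihood_reduction=1)]),
    Risk("Minor office water leak", "almost certain",
         {"financial": "<$10k", "disruption": "<1 hour"}),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        flag = "TREAT" if row["treat"] else "accept"
        print(f"{row['name']:<45} inherent={row['inherent']} residual={row['residual']} {flag}")
```

Two design points worth noting. Calibration is done by rating on the worst consequence category rather than summing them, so a risk with a fatality outcome cannot be diluted by a small financial figure. The residual rating starts from the inherent one and subtracts the effect of existing controls, which is why the ransomware entry drops from extreme to high but still sits above a medium appetite and is flagged for treatment, while the water leak, though almost certain, stays medium and is accepted.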
Risk treatment strategy is the major work of risk management, and depends on what the organisation wants to achieve. For example, the organisation may limit its treatment activities to what is the accepted normal practice in that industry, or it might aim for the absolute minimum risk no matter what the cost. There are generally a number of priorities and methods of treating risk.
For negative risks:
For positive outcomes, we want to exploit the opportunity. This may involve:
Risk treatment should be undertaken using a planned approach that can be monitored and evidenced. Some analysis does need to be undertaken to determine the best method of treatment, taking into consideration the cost and the benefit, legal and social issues, and perception of stakeholders.
Once the previous steps have been implemented, we need to ensure that the risk management process is monitored, with regular review and reporting. Risk likelihoods and consequences can change over time. Risk profiles should be monitored to identify changes, and to ensure that treatment plans stay within the parameters we set, including time, resources and responsibilities. Management need to be able to measure the improvements made and demonstrate due diligence in the treatment. Appropriate KPIs may be established, trended and monitored to support this.
Risk management is a fundamental element of due diligence. We need to ensure that we have sufficient auditable evidence of how risk management is being applied, both for decision purposes, and to demonstrate integrity in the processes of risk management. This means that we should have documented evidence of each stage including our methods and sources of information and risk treatments.