As we saw in the section explaining why it is a good idea to practice risk management, we at Pragmatic Edge advocate a formal framework to identify, assess, treat and continuously monitor risks, with strong buy-in and sponsorship from top management.
Risk management can be applied to different scopes and contexts, in particular:
Enterprise Risk Management vs Project Risk Management
- Enterprise Risk Management (ERM) manages all of the risks affecting an organization’s ability to meet its goals, regardless of the types of risks being considered. Risks managed under an ERM framework cover a wide range of areas or functions such as strategic, products & services, financial, cyber security, IT, personnel, legal, geopolitical, etc.
- Project risk management manages all risks related to a particular project, including technical risks, scheduling risks, resource risks, etc. The particularity of project risks is that they have a finite life-span: they are created when the project starts and are systematically closed when the project completes, or they are migrated to the register as operational risks.
Risk Management Life-Cycle
Each risk goes through a life-cycle from creation to closing. We consider the following states:
- Draft – This state results from the identification of a new risk.
- Identified – This state is reached after a risk is fully characterized with a set of root causes, a particular risk event and its consequences, and when an appropriate owner for the risk has been identified.
- Analyzed – A risk is analyzed after the risk probability, impact, and exposure have been determined, and the risk has been adequately categorized.
- Assessed – A risk is assessed after a risk treatment strategy has been selected and a corresponding risk treatment plan and a contingency plan have been defined.
- Treated – A risk is treated only after all applicable risk treatments have been successfully executed and the residual risk exposure has been assessed.
- Closed – A risk is closed when one or more of the following conditions are met:
  - The risk is no longer relevant or applicable, or its impact is insignificant, and it is marked as invalid.
  - The risk is a duplicate of another risk in the register.
  - The risk is eliminated because the conditions for its occurrence have completely disappeared.
A risk is considered realized when it has occurred at least once. Realization is not a state, as it can happen at any time, and multiple times, within the risk life-cycle.
Risk ownership
Each risk must have a single owner (a person, not a team) at any point in time. Ownership can evolve and be transitioned as needed, but it is of paramount importance to enforce individual accountability for all risks.
Note that risk ownership does not necessarily include ownership of the treatments for that risk. We strongly believe that it is often best to “divide and conquer” and distribute ownership of risk treatments to the most appropriate persons in the organization (the treatment owners).
Risk Identification
There should be multiple ways to identify new risks. Do not rely on any single technique or you could miss important risk events.
We believe in crowdsourcing. This requires setting up adequate mechanisms so that risks can be identified by anyone in the organization, irrespective of their position and role, not just managers or experts.
Crowdsourcing needs to be complemented by other techniques to identify risk blind spots. For example, verifying that all risk categories that you consider relevant in your organization have at least one identified risk is a good start.
Risk Exposure
Risks are measured and compared to each other according to their exposure. The exposure is a compound value based on the risk's probability of occurrence and its impact expressed in financial terms.
At Pragmatic Edge, we advocate a 5×5 risk matrix in which a risk's exposure is plotted from its probability and impact, as shown in the picture below. We consider four levels of exposure: Extreme (dark red), High (red), Medium (orange), and Low (green). Risks with an extreme exposure have the highest potential impact on an organization and as such need to be assessed carefully and treated promptly. At the other end, risks with a low exposure can often be ignored or monitored less frequently.
The monetary ranges shown below are indicative and vary by organization. They are derived from the organization's risk appetite (i.e. the maximum monetary impact beyond which an organization will systematically refuse to take any risk).
When a risk is first analyzed, the risk owner must determine the initial probability of occurrence and risk impact. This first exposure is referred to as the inherent exposure. Estimating the financial impact of a risk can be hard and subjective. We provide a number of techniques and tools, such as three-point estimation or Monte Carlo simulation, to help you assess the financial impact with more accuracy and objectivity.
Throughout the life-cycle of a risk, the context may change, some treatments may already be in progress, and the exposure must often be re-evaluated. The term residual exposure refers to the exposure of a risk after some treatments have been successfully executed or external factors have impacted the probability of occurrence, the impact, or both.
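The following script is an added worked example (it is not Pragmatic Edge's tooling and is not part of the original page) of the mechanics described in this section: mapping a probability and a monetary impact onto a 5×5 matrix, deriving an impact figure by three-point (PERT) estimation and by a Monte Carlo simulation over a triangular loss distribution, and recomputing the residual exposure after treatments. The probability thresholds, the monetary bands and the layout of the matrix are assumptions chosen for illustration; an organization derives its own bands from its risk appetite.

```python
import random
from bisect import bisect_right

# Assumed calibration (not taken from the page): thresholds between the five
# probability levels (annual probability of occurrence) and the five impact
# levels (monetary loss). Illustrative values only.
PROBABILITY_THRESHOLDS = [0.05, 0.20, 0.50, 0.80]
IMPACT_THRESHOLDS = [10_000, 100_000, 1_000_000, 10_000_000]

# Assumed 5x5 exposure matrix, indexed MATRIX[p_level - 1][i_level - 1].
# L = Low, M = Medium, H = High, E = Extreme (the four levels in the text).
MATRIX = [
    "LLLMM",  # probability level 1 (rare)
    "LLMMH",
    "LMMHH",
    "MMHHE",
    "MHHEE",  # probability level 5 (almost certain)
]
LEVEL_NAMES = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}


def probability_level(p):
    """Map an annual probability in [0, 1] to level 1..5."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return 1 + bisect_right(PROBABILITY_THRESHOLDS, p)


def impact_level(amount):
    """Map a monetary impact (>= 0) to level 1..5."""
    if amount < 0:
        raise ValueError("impact must be non-negative")
    return 1 + bisect_right(IMPACT_THRESHOLDS, amount)


def exposure(p, amount):
    """Exposure level name for a probability/impact pair."""
    return LEVEL_NAMES[MATRIX[probability_level(p) - 1][impact_level(amount) - 1]]


def pert_estimate(low, likely, high):
    """Three-point (PERT-weighted) estimate of the expected impact."""
    if not low <= likely <= high:
        raise ValueError("expected low <= likely <= high")
    return (low + 4 * likely + high) / 6


def monte_carlo_impact(low, likely, high, samples=20_000, seed=1):
    """Sample a triangular loss distribution; return (mean, 90th percentile).

    The seed makes the run reproducible. Use enough samples for the
    percentile to be stable (thousands, not dozens).
    """
    rng = random.Random(seed)
    draws = sorted(rng.triangular(low, high, likely) for _ in range(samples))
    mean = sum(draws) / samples
    p90 = draws[int(0.9 * samples)]
    return mean, p90


def apply_treatments(p, amount, treatments):
    """Residual probability and impact after treatments, each given as a
    (probability_factor, impact_factor) pair, e.g. (0.5, 1.0) halves the
    probability and leaves the impact unchanged."""
    for p_factor, i_factor in treatments:
        p *= p_factor
        amount *= i_factor
    return p, amount


def assess(p, low, likely, high, treatments=()):
    """Inherent and residual exposure for one risk, plus the impact figures."""
    impact = pert_estimate(low, likely, high)
    mean, p90 = monte_carlo_impact(low, likely, high)
    res_p, res_impact = apply_treatments(p, impact, treatments)
    return {
        "pert_impact": impact,
        "mc_mean": mean,
        "mc_p90": p90,
        "inherent": exposure(p, impact),
        "residual": exposure(res_p, res_impact),
    }


if __name__ == "__main__":
    # Constructed sample risk (hypothetical): a ransomware outage with a 60%
    # annual probability and an impact estimated at 50k / 200k / 1M
    # (best / most likely / worst case). Two treatments: tested offline
    # backups (halve the probability of a damaging event) and a rehearsed
    # recovery plan (impact reduced to 30%).
    result = assess(0.6, 50_000, 200_000, 1_000_000,
                    treatments=[(0.5, 1.0), (1.0, 0.3)])
    for key, value in result.items():
        print(f"{key:>12}: {value:,.0f}" if isinstance(value, float)
              else f"{key:>12}: {value}")
```

For the sample risk the PERT figure (about 308k) lands below the Monte Carlo mean (about 417k) and well below the 90th percentile (about 724k), which is why a risk owner should state which statistic the matrix is fed with: a long-tailed loss distribution can sit one impact level higher when the tail is used instead of the most likely value.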
Risk Horizon
The risk horizon defines the estimated life-span of a risk. It also defines the target review frequency of a risk.
We consider the following risk horizons:
- Strategic risks are risks that affect or are derived from the business strategy and strategic objectives. They usually have a risk horizon of 5 years or longer and are typically assessed and discussed at Executive Leadership and Board of Directors level.
- Business risks are risks that are relevant to the core business (products and services) and may directly impact revenue growth or profitability. They typically have a risk horizon between 2 and 4 years and are typically assessed and discussed at Function or Business Unit Management Team level.
- Operational risks are risks that result from inadequate or failed internal processes, people, and systems, or from external events. They have a rolling risk horizon of approximately 18 months and are typically assessed by teams or individuals.
The following picture illustrates the three risk horizons:
Risk Treatment Strategy
During risk evaluation, the risk owner must select one of the four treatment strategies:
- Accept – The risk exposure is low, or a mitigation plan is not justified, too costly, or unavailable. The risk owner accepts the risk impact and no treatment plan is defined.
- Transfer – The risk is better controlled and mitigated by a third-party (e.g. insurance, partner, supplier, client) and should be transferred.
- Mitigate – The risk exposure can be reduced if proper mitigation actions are executed.
- Eliminate – The risk can be avoided by not performing the activities that give rise to the risk.
Risk Treatment & Continuous Monitoring
After a risk is initially assessed, it must be continuously reviewed and monitored. Risks are rarely eliminated entirely, so risk handling is often a never-ending mission. The review frequency of a risk depends on its exposure (the higher the exposure, the more frequently the risk needs to be reviewed) and on its horizon (operational risks need to be reviewed at least quarterly, whereas strategic risks, which are more stable, may be reviewed only annually). Documenting risk reviews is good practice, especially for organizations seeking ISO/IEC 27001 certification.
Risk treatment is equally essential. Risks that are merely assessed do not reduce the overall risk exposure of an organization; it is only through rigorous risk treatment that an organization reaps the benefits of risk management. Risk treatments need to be carefully identified, planned, and executed promptly. Failing to monitor the execution of risk treatments and to update the risk exposure accordingly is another common mistake: the register then overstates the organization's real risk level, leading to potentially bad decisions and inefficiencies.
We can help you!
Whether you are interested in deploying risk management for your entire organization (ERM), for a specific function, product line or domain, or simply for a project, Pragmatic Edge can help you design and implement a risk strategy scaled to your particular needs and constraints.
Contact us at info@pragmatic-edge.com for an assessment of your current level of risk management maturity.