Establishing a Risk Management Program
by Jack Vrins

Introduction

Risk – a cornerstone of every business, the unfortunate flip side of the "reward". Every day, every business owner, manager, and executive struggles with making the right decision and minimizing risk. This article provides a baseline model for understanding general business risk and for establishing a Risk Management function within the business enterprise.

There are many definitions of risk. For the purpose of this article, risk is defined as the probability of an event occurring that may impact the business finances, operations, product line, or customer base. It is important to remember that risk by itself is not bad. Risk is in fact essential to the progress and growth of the enterprise. The essential part for management and owners is to control and manage the risk to a degree that minimizes the exposure of the business enterprise.

Risk Management is defined as a business practice with processes, methods, and tools for managing risk within an organization. It provides a disciplined environment for proactive decision-making to (a) assess continuously what risks are present during the course of business, (b) determine what risks need immediate attention, (c) implement strategies to mitigate these risks, and (d) create and implement contingency plans when necessary.

Risk Management Objectives

The rationale for developing and incorporating a Risk Management program within your business is to develop a collective understanding for the need to minimize risk exposure to the business enterprise. The program should function as a tool to bring together staff and management into one collective risk assessment team. Finally, each program should value and encourage the individual involvement and perception of risk.

Risk Management at all levels

A Risk Management program can only be successful if it is adopted and communicated throughout the organization. The start-up of a formal program involves the establishment of a functional infrastructure such as a Risk Management Committee, a Risk Management Plan, and a Communication Plan to communicate all efforts throughout the organization.

Risk Management Principles & Guidelines

To pursue the above objectives, management should pursue the following standardized risk management principles and operating guidelines:

  1. Value Individual Perception
    Enable unique/Subject Matter Expert knowledge and insight to the Risk Identification process.

  2. Open Communication
    Encourage free flowing information at and between all staff levels. Enable formal, informal and impromptu individual and team communications.

  3. Integration into Program and Project Management
    Incorporate Risk Management into standard Program and Project Management processes and adapt these processes to the enterprise’s infrastructure and culture.

  4. Shared Business Vision
    Share business/corporate vision based on common/collective purpose, ownership, and communication.

  5. Routine and continuous process
    Identify and manage risks routinely through all areas of the enterprise.

  6. Systematic and adaptable Methodology
    Implement a systematic process that is flexible and adaptable to a changing business environment.

  7. Proactive Strategies
    Create proactive strategies that involve planning and activities based upon anticipated future events.

  8. Forward Looking View
    Identify uncertainties by anticipating (near) future outcomes, deliverables, and consequences.

The component definitions below are most commonly used as a means to arrive at a common understanding of the Risk elements. In addition, the use of these components will facilitate the classification, scoring and prioritization of Risk events.

Component     Definition
Impact        Qualifies the impact on the enterprise or the business function, and the resulting "ripple" effect throughout the organization.
Urgency       Refers to the immediacy of the event and the time frame required for resolution.
Severity      Quantifies the impact on the enterprise or the business function.
Duration      Measures the expected time frame during which the Risk is to exist or occur.
Probability   Determines the likelihood that a certain Risk is to occur.

Quantifying and qualifying risk is a most important part of an effective Risk Management Program. It is recommended, therefore, that management enact a common and sustainable practice and methodology of Risk "scoring". Scoring allows for distinguishing "shades of gray" and greatly assists the management of Risks. The following paragraphs will assist you in establishing a framework for scoring risk components.

Risk Priority Definitions & Priority Components

In defining the priorities during Risk Assessment, the following guidelines are recommended for the priority assessments of Risk:

Level: Critical (Priority 1)
  Impact:      Event impacts 1 or more business functions
  Urgency:     Immediate – correction should be within 24 hours
  Severity:    Show-stopper. No workaround available.
  Duration:    Immediate
  Probability: Will occur

Level: High (Priority 2)
  Impact:      Event impacts 1 or more business transactions
  Urgency:     Short-term – correction should be within 72 hours
  Severity:    Impaired usability. Incorrect, incomplete, or inconsistent operations.
  Duration:    Short-term
  Probability: Most likely to occur

Level: Medium (Priority 3)
  Impact:      Event impacts 1 or more business functions, with work-around available
  Urgency:     Near-term – correction should be executed as soon as possible
  Severity:    Incorrect, incomplete, or inconsistent operations. Not critical to the enterprise; business functionality not impaired.
  Duration:    Near-term
  Probability: Likely to occur

Level: Minor (Priority 4)
  Impact:      Event impacts 1 or more business transactions, with work-around available
  Urgency:     Near- to long-term – correction should be executed within 30 - 60 days
  Severity:    Minimal impact; however, the situation needs to be addressed.
  Duration:    Near- to long-term
  Probability: Might occur

Level: Low (Priority 5)
  Impact:      Event impacts part of a business function or transaction – work-around in place; to be fixed at a later date
  Urgency:     Long-term – correction should be planned
  Severity:    Non-conformance to a standard. Event has no effect on operations, but improvement is recommended.
  Duration:    Long-term
  Probability: Possible, but not likely to occur

Five Steps to Establish a Risk Management Program*

The Risk Management process consists of five sequential steps – identification, analysis and assessment, planning and mitigation, tracking, and finally control. The following table summarizes each step and identifies the methods and tools available and/or used during these steps:

Step I. Identification
  Description:       Search for current, near-future, and future Risks before they become issues and problems.
  Methods and Tools: Periodic Risk Reporting • Periodic individual interview sessions • Group interview sessions • Risk Management Committees

Step II. Analysis and Assessment
  Description:       Translate risk information into decision-making information. Evaluate Risk impact, probability and time frame. Classify and prioritize Risks.
  Methods and Tools: Team Reviews • Risk Scoring • Risk Classification • Comparison Risk Ranking

Step III. Planning and Mitigation
  Description:       Translate Risk Analysis and Assessment into decisions and actions concerning mitigation, prevention, and contingency planning, and implement those actions.
  Methods and Tools: Risk Mitigation Plans • Risk Prevention Plans • Strategize • Brainstorming

Step IV. Tracking
  Description:       Monitor Risk indicators and mitigation actions.
  Methods and Tools: Risk mitigation reporting • Risk mitigation status meetings

Step V. Control
  Description:       Corrections implemented to mitigate and/or prevent risk; contingency plans developed and implemented.
  Methods and Tools: Risk actions and corrections • Risk Prevention • Risk Contingency Planning

* Derived from the widely used Carnegie Mellon Software Engineering Institute (SEI) Risk Management Process

Step I - Risk Identification

Risk identification is a process in which uncertainties and issues are transformed into tangible risk statements. The following table describes the components of a risk identification; the methods and tools used to support identification are described in the sections that follow.

Description      Content
Risk Statement   Risk description, Risk conditions, potential losses, potential consequences
Risk Context     Supplementary information to the Risk Statement capturing circumstances, events, and interrelationships not captured in the Risk Statement

Risk Identification needs to occur at all levels and in all areas of the business enterprise – e.g. individual, committee, team, project, and functional/operational business area. The Risk Identification process has two main components: (1) Baseline Risk Identification, and (2) Periodic Risk Identification.

  1. Baseline Risk Identification

The first step of the Risk Management process is to baseline the current Risk environment. Regardless of the functional area, in order to jump-start the Risk Management process an initial participant survey needs to be conducted in order to form a baseline of perceived project and business risks.

  2. Periodic Risk Identification

The second step to undertake is to establish the infrastructure to periodically survey staff and management on risk perceptions. It is important to approach all employees whether technical, operational, management, permanent or temporary. The most efficient way to include all individual risk perceptions is to establish (a) formal risk committees with a regular schedule of team Risk Identification meetings, and (b) establish a fixed schedule to interview individual staff or management members for individual Risk Identification.

Team Risks Interview Sessions and Team Risk Management

Risk Management is all about communication. Team Risk Identification Interviews, or "brainstorming", are highly recommended for identifying risks within the project, as they recognize the subject matter expertise of the group. Interviews provide great information detail and create an overall Team Management perception and involvement that is immensely valuable to any project. It cannot be stressed enough: Risk Management is a collaborative effort. Operational, functional or project teams are the logical infrastructure to assess, review and communicate risks within the organization. As such, managers should be encouraged to establish such infrastructure and to periodically facilitate the Risk Identification, Analysis, Planning, Tracking and Control processes within operations.


Individual Interview Sessions

Effective Risk Management takes into account the knowledge of the Team/Group, as well as the knowledge of the individual participant. While group meetings help identify functional area risks through the "power" of brainstorming, individual project participants often identify risks on a daily basis. Senior management should always promote and encourage individual participation, and should establish a process to periodically interview individual staff members in order to capture those risks that might not surface during group meetings.

Step II – Risk Analysis and Assessment

Risk analysis and assessment is the process during which the identified risks are examined in detail. This phase takes the Risk Identification to the next level through qualification, quantification, and classification of risk events. By quantifying and classifying risk, we convert risk data into risk decision-making information. The purpose of this phase is to determine the extent of the risks, how they relate to each other, and which ones are the most important.

Step III – Risk Planning and Mitigation

Now that Risks have been identified, analyzed and assessed, the stage is set for Risk planning and Risk mitigation. Risk Planning turns risk information into decisions and actions. Planning involves developing actions to address individual risks, prioritizing risk actions and creating an integrated Risk Mitigation Plan. It is this plan which ultimately will eliminate or reduce the impact of business risks to the enterprise.

Step IV – Risk Tracking & Reporting

Tracking serves as the "watchdog" function of the Risk Management program. Tracking consists of monitoring the status of risks and the actions taken to mitigate them. Appropriate risk metrics are identified and monitored to enable the evaluation of the status of risks as well as of risk mitigation plans. Senior management and/or each Risk Management Committee should distribute periodic status reports on the risks identified.

Step V - Risk Control

Risk Control corrects deviations from planned risk actions. Once risk metrics and triggering events have been chosen, there is nothing unique about risk control. Risk control melds into operational and project management and relies on existing business processes to:

  • control risk action plans
  • correct variation of plans
  • respond to triggering events, and
  • improve overall risk management processes.

Risk Prevention and Contingency Planning

While not always feasible, Risk Committees should always strive to attain Risk Prevention. Risk prevention means the identification of a potential risk before it becomes an actual risk. In the context of Risk Management practices, therefore, it is the best action step to take to create a successful Risk Management Plan. However, certain risks cannot be avoided. Hence a comprehensive Risk Management plan must include a methodology for Risk Contingency Planning. Risk Contingency Planning is the realization that actual mishaps can and will take place. Risk Management Committees, therefore, should strive to identify alternative actions in case certain identified risks occur. Contingency Planning should focus on the "what if" scenarios – and should contain as many work-arounds or manual processes as can be identified.

Risk Closure and Audits

Risk closure is a decision the Risk Committee will make after it is confident the Risk has been properly addressed, mitigated, and/or prevented, and that a sufficient contingency plan has been developed in case of an occurrence. However, there are certain risks that may re-establish themselves. Most risks – once identified, assessed, and mitigated – can be closed without much concern. Some risks, however, might re-appear. In order to capture these risks, Risk Management Committees should implement a practice of periodic Risk Audits. In its most elementary form, such an Audit may consist of a review by Committee members of past Risk statements, dating back a minimum of 3 months.

Conclusion

If you recognize that twirling feeling in your stomach, you recognize the signs of Risk. Risk cannot be avoided and is inherent in what we do in our personal or business lives. A well functioning Risk Management Program, however, is a viable methodology that can eliminate, reduce, or mitigate some business risks. An act of God can never be prevented, but the deferred maintenance of a delivery truck can. Hence identifying, recognizing, classifying, prioritizing, and mitigating risk are all components which will allow any business to manage its risk exposure to the fullest extent.

Walnut Creek, California - Last updated November 2007 - Contact: jvrins@vrinsconsulting.com - +1 925/938.5225