Risk Management Part 2 of a Series: The Risk Analysis Process
“People overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.”
April 2, 2019 – As humans, we’ve been dealing with risk since the beginning of time. We may think we have risk under control, but most people manage risk emotionally, hinging their estimates on evidence despite the known danger of making assumptions without considering unknowns. What makes matters worse is that these thoughts are usually compounded by confirmation bias. It is not uncommon to see a company irrationally directing even more resources to a failed course of action.
In the first part of this blog series, I emphasized that commercial risk management is more than just placing insurance policies. True risk management serves the goal of protecting assets through the process of identification, analysis, control, and finance of hazards that can attack a company’s resources. To this end, it is essential that a company have a replicable process in place that addresses this propensity of bias so risks can be addressed before they become something more ominous.
The way an organization establishes a risk assessment program should fit the organization’s culture and risks. With that in mind, change is constant and may occur unpredictably. Because of this, it is critical that the program include all stakeholders and be regularly reevaluated.
The Risk Analysis Process
The Risk Analysis Process is a problem-solving process. Quality and assessment tools are used to determine and prioritize risks for assessment and resolution. Let’s drill down on the parts of the process and why they are important.
1. Risk Identification
The risk identification stage concentrates on identifying and naming the risks. As mentioned earlier, there are different types of risk. What to do with each type must be decided on a project-by-project basis.
1. The first step is brainstorming. The project team identifies potential risks by reviewing the lists of possible risk sources as well as its own experiences and knowledge.
2. Risks are then categorized and prioritized by using an assessment instrument such as a Risk Register. The number of risks identified usually exceeds the time capacity of the project team to analyze and develop contingencies. The process of prioritization helps the team manage those risks that have both a high impact and a high probability of occurrence.
2. Risk Evaluation & Analysis
Risk Analysis involves developing an understanding of the risk. Risk Analysis provides an input to Risk Evaluation, to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk Analysis can also provide an input into making decisions where choices must be made, and the options may involve different types and levels of risk.
Risks are initially assessed on an inherent basis, considering the likelihood and impact of the risk without taking into account the controls in place in the company. The assessment of risk provides insight into significant inherent risks from a practice perspective and links these to a company’s objectives, strategies and business processes. This helps to understand the importance of controls in mitigating risk. However, before trying to determine how best to manage risks, one must identify the root causes of the identified risks.
This is when questions like “What would cause this risk?” and “How will this risk impact the project?” come up. For each risk identified, a company needs to develop the criteria by which all risks will be assessed.
Assessment of likelihood of the risks – What is the probability if no controls are in place?
Almost certain, likely, possible, unlikely, and rare are some qualitative examples of likelihood that are suitable for use by small to mid-sized companies. It is important to note that an assessment of likelihood and consequence is subjective, so constructive challenge of ratings by a range of stakeholders is important and can assist in the development of robust risk assessments.
Assessment of consequences of the risks – What is the extent of the most likely impact of the risk event occurring?
When it comes to consequences, our focus should be on the potential outcome of a risk event that affects a company’s business objectives on the assumption that an event has occurred, and the most probable consequence has resulted rather than the worst-case scenario. It is NOT just the worst case we need to consider, but the most probable case that is key. Qualitative examples of consequences can be catastrophic, major, moderate, minor, and insignificant.
3. Risk Handling
Risk treatment plans may involve the redesign of existing controls, introduction of new controls or monitoring of existing controls. Low impact risks may require periodic monitoring while major risks are likely to require more intense management focus.
It is at this point that the project team is ready to begin the process of assessing possible remedies to manage the risk or possibly prevent the risk from occurring. Sometimes there are alternatives. The Risk Management Process will show the potential ways to treat the risk and which of these strikes the best balance between being affordable and effective. Organizations usually have the options to accept, avoid, control, or transfer a risk. With this data the company’s leadership can decide, based on their business goals and risk tolerance, what actions to take.
Risk Response generally includes:
Avoidance…eliminating a specific threat, usually by eliminating the cause. To avoid a risk, the organization simply has to not participate in that activity.
Mitigation…reducing the expected monetary value of a risk event by reducing the probability of occurrence. This may mean emphasizing your safety program to limit exposure to an amount the company is comfortable with. In this case we have assumed that an event will happen, but actions are implemented to minimize exposure. This is often accomplished by developing a contingency plan to execute should the risk event occur. In developing contingency plans, the project team engages in a problem-solving process. The result will be a plan that can be put in place at a moment’s notice. The goal is for the team to be able to deal with blockages and barriers to the successful completion of the project on time and/or on budget. Contingency plans will help to ensure that the team can quickly deal with most problems as they arise. Once a contingency plan is developed, the team can just pull it out and put it into place.
Acceptance…accepting the risk means deciding that some risks are inherent in doing business and that the benefits of an activity outweigh the potential risks or consequences. Companies sometimes make a deliberate decision to accept a risk without engaging in special efforts to control it. A best practice here is to require the approval of project or program leaders.
Finally, Risk Transfer involves giving responsibility for any negative outcomes to another party, as is the case when an organization purchases insurance.
4. Risk Controlling
In this step the team uses a Risk Register to document its risk responses as well as track and review identified risks to ensure they have been treated. The critical point is that risk management is a continuous process and as such must be done not only at the very beginning of the project, but continuously throughout the life of the project. At each stage of the project’s life, new risks will be identified, quantified and managed. By identifying and managing a comprehensive list of project risks, unpleasant surprises and barriers can be reduced and golden opportunities discovered.
Risk Management…A Continuous Process
Just as risk is about uncertainty, initial risk management plans will never be perfect. If you put a framework around that uncertainty, then you effectively de-risk your project. That means you can move much more confidently to achieve your project goals. To ensure success, your risk management plan will need vigilance and rebalancing. If risk management is set up as a continuous, disciplined process of problem identification and resolution, then the system will easily supplement other systems. This includes organization, planning and budgeting, and cost control. Surprises will be diminished because emphasis will now be on proactive rather than reactive management.
With proper knowledge of risk and use of proven processes, company leadership and stakeholders can rest easy knowing that they have effectively cut out the confirmation bias. With full leadership commitment, the risk management process helps resolve problems when they occur, because those problems have been envisaged, and plans to treat them have already been developed and agreed upon. You avoid impulsive reactions and going into “fire-fighting” mode to rectify problems that could have been anticipated. This makes for happier, less stressed project teams and stakeholders. The end result is that you minimize the impacts of project threats and capture the opportunities that occur.