Triaster partner, Terry Giles, from Terry AG Consulting (previously Information Risk Analyst for Barclays Direct amongst others) has a great deal of experience with the risk management process and process risk analysis.
Terry has kindly agreed to share his years of experience in risk management in our new blog, giving us two risk matrix examples and four actions to reduce risk...
There is a lot of discussion about risks and how to deal with them, ensuring that risks are either minimised or in some cases eliminated - generally by looking from the perspective of high level processes. There is however some benefit to be had by looking at the risks associated with the individual activities that go into making the process flow, as these tend to be overlooked when carrying out a process risk analysis. However, prior to going into more detail there are two terms worth looking at:
- Risk Appetite
- Risk Tolerance
What is Risk Appetite and Risk Tolerance?
The following definitions are taken from ISACA’s IT Risk Practitioner.
Risk Appetite - can be defined as the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.
Risk Tolerance - is the tolerable deviation from the level set by the risk appetite and would be based upon the individual circumstances associated with a risk.
Quite often the risk appetite is set across the whole of the organisation by default, based upon the culture inherent within the organisation, without much thought being put into why a certain level of risk is selected. Two very similar organisations can have widely differing risk appetites depending upon the people making the decisions and the history of any previous risks being realised. Most organisations are far more conservative (risk averse) with their risk appetite than they need to be and therefore spend more on risk reduction than they need to.
Using a Risk Matrix to Identify Risk
The most common way of depicting risk is by using a risk assessment matrix based upon the probability of a risk occurring against the impact that risk will have if it is realised and then positioning the activities on the risk matrix to provide a heat map for the organisation. Controls can then be put in place to either reduce the probability of it occurring or minimise the impact should it happen. A typical risk matrix example for a risk neutral organisation is shown below...
Of the four risks shown above:
- Risk 1 will need to have urgent action taken.
- Risk 2 will also need to be addressed but is not as urgent as risk 1.
- The response to Risk 3 will depend upon the risk tolerance selected by the organisation for that particular risk.
- Risk 4 is within the acceptable risk level for this organisation and no action need be taken.
It may be that although it sits within the yellow range, Risk 3 is very close to the green zone and may be considered to lie in the risk tolerance zone - it will be monitored, but no action taken. If however a low risk tolerance is in place, then controls would need to be put in place for this risk.
In a more risk averse organisation the following risk matrix example would apply...
If you would like a more in-depth analysis on capturing your current business processes to model and reduce risk in your organisation, download the Business Analysis White Paper...
Risk Management Process Steps
However, life is not always as simple as we think and a lot of money can be wasted in applying inappropriate responses to risks. Risks are generally incurred as the result of one or more activities within a process. It is therefore worth looking in more detail at activities that occur within the processes and understanding which are the activities that give rise to high risks - this is a great basis for creating your risk management process. There are four main actions that can be taken to overcome high risks:
- We can transfer the risk - to another body. A good example of this would be by taking out insurance to compensate for monetary loss. There is an upfront cost associated with this which we hope will be less than the impact of the risk, but it will be an ongoing cost.
- We can accept the risk - even though it is over the risk appetite. Understanding the risk tolerance in your organisation will help with this. The cost here occurs if the risk materialises.
- We can reduce the risk - a good example of this would be to introduce extra checks within a process. This will add to the cost of the process, which will be valid if the reduction to the probability is sufficient to bring the level of risk to within an acceptable limit.
- We can avoid the risk - which would be the best solution if it is possible to do so with little or no extra cost. This means understanding which are the high risk activities within a process flow and looking either to redesign the flow to replace the high risk activity, or to reduce the impact should the risk materialise. An example of this sort of intervention would be the addition of a time buffer in a process flow, such that if an error occurred mid-process the process could be stopped before a catastrophic event occurred.
One other factor that needs to be taken into account when dealing with risk is...time. Some risks are time bound, by which I mean that after a certain period of time the risk will either have been realised or it will no longer be a risk. Maintaining controls after the risk has expired is a waste of money. Other risks will be a constant threat, whilst a third group will vary according to conditions. For example, the risk of snow disrupting an event will only be high or very high during the winter months and can effectively be ignored during summer. Therefore, actions to mitigate the risk need only be put into effect at certain times of the year, thus reducing costs.
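The probability-times-impact matrix described earlier and the time-bound point just made can both be expressed as a small scoring routine. The following is an added worked example, not code from the original post or from Triaster; the 5x5 scales, the zone boundaries for the "risk neutral" and "risk averse" appetites, the tolerance band, and the four sample risks (plus a seasonal snow risk) are all constructed for illustration and are not figures from the article.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed 5x5 scales: the score is probability x impact, 1..25.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Appetite:
    """Where one organisation draws its green/yellow/red boundaries (constructed values)."""
    name: str
    green_max: int   # score <= green_max is within appetite: accept, no action
    red_min: int     # score >= red_min needs urgent action
    tolerance: int   # yellow scores up to green_max + tolerance are monitored only


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str
    impact: str
    active_months: Optional[frozenset] = None  # None means a constant threat


# Hypothetical appetites: the averse organisation draws every boundary lower
# and allows no tolerance band above the green zone.
NEUTRAL = Appetite("risk neutral", green_max=6, red_min=15, tolerance=2)
AVERSE = Appetite("risk averse", green_max=3, red_min=10, tolerance=0)


def score(risk: Risk) -> int:
    """Position of the risk on the matrix as a single number."""
    return PROBABILITY[risk.probability] * IMPACT[risk.impact]


def zone(value: int, appetite: Appetite) -> str:
    """Map a score to the heat-map colour under a given appetite."""
    if value >= appetite.red_min:
        return "red"
    if value <= appetite.green_max:
        return "green"
    return "yellow"


def respond(risk: Risk, appetite: Appetite, month: int) -> str:
    """Decide the treatment for one risk in a given month (1-12).

    A time-bound risk outside its active window is 'dormant': keeping
    controls running for it would be wasted cost.
    """
    if risk.active_months is not None and month not in risk.active_months:
        return "dormant"
    value = score(risk)
    colour = zone(value, appetite)
    if colour == "red":
        return "urgent"
    if colour == "green":
        return "accept"
    # Yellow: close enough to green to sit inside the tolerance band?
    if value <= appetite.green_max + appetite.tolerance:
        return "monitor"
    return "address"


def heat_map(risks, appetite: Appetite, month: int) -> dict:
    """Responses for a list of risks under one appetite, keyed by risk name."""
    return {r.name: respond(r, appetite, month) for r in risks}


# Constructed sample risks, roughly mirroring the four on the matrix in the text.
SAMPLE_RISKS = [
    Risk("Risk 1", "likely", "severe"),       # 20: red under both appetites
    Risk("Risk 2", "possible", "major"),      # 12: yellow (neutral), red (averse)
    Risk("Risk 3", "unlikely", "major"),      #  8: yellow, but inside neutral tolerance
    Risk("Risk 4", "rare", "moderate"),       #  3: green under both
    Risk("Snow disrupts event", "likely", "major",
         active_months=frozenset({11, 12, 1, 2})),  # 16 in winter, dormant otherwise
]

if __name__ == "__main__":
    for appetite in (NEUTRAL, AVERSE):
        print(appetite.name, "January:", heat_map(SAMPLE_RISKS, appetite, 1))
        print(appetite.name, "July:   ", heat_map(SAMPLE_RISKS, appetite, 7))
```

Under the neutral appetite Risk 3 scores 8, which is yellow but within the two-point tolerance band above the green boundary, so it is only monitored; under the averse appetite the same risk falls outside the (zero-width) tolerance band and has to be addressed, which is the distinction the text draws for Risk 3. The snow risk is urgent in January and dormant in July, so its controls only need to run in the winter months.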
Understanding the processes used within an organisation and where the risks lie within those processes can help you create a more efficient risk management process model that will reduce running costs and at the same time reduce the probability or impact of an undesirable event occurring.
Learn How to Manage Risk
Not understanding and managing the risk in your organisation can be a risky business.
If you would like to know more about effective risk management, take a look at some of our other blogs below or if you are looking for a way to reduce risk and increase quality in your organisation, download our guide to Achieving ISO 9001:2015 written by ISO expert and co-author of the quality standard Mark Braham...
Related Articles
How to Manage Risk and Comply With the Senior Managers Regime
Linking Governance and Assurance to improve Quality
How to Develop and Implement a Risk Management Process in Your Business
Written by Terry Giles
Terry Giles is a consultant for TerryAG Consultancy. He has a great deal of experience in developing Business Management Systems based around a variety of models including ISO 9001, TL 9000, ISO 14001, EFQM, Baldrige, CMMi, ITIL, RiskIT and CobiT 4.1 & 5.