Note (May 2019):
Since this article was originally posted in October 2015, we have refined our thinking on the elements of an effective risk management process. Here is our current view, which boils risk management down to four key elements:
Risk Management Cycle. Great organizations don’t avoid risk – they manage it. Risk is simply uncertainty, and anything worth doing involves uncertainty. Risks can be negative or positive, so risk management always involves threats and opportunities. To address risks, apply a four-step process:
1 – IDENTIFY threats and opportunities faced by the organization across all of its functions.
2 – PRIORITIZE risks according to likelihood, speed of onset, and magnitude of impact.
3 – RESPOND to these priorities by researching ambiguous risks, avoiding unacceptable risks, reducing the potential impact of negative risks, piloting opportunities, and shifting some risk to others where appropriate (using insurance, contract provisions, joint ventures, etc.).
4 – ASSESS and IMPROVE, by evaluating how your responses have played out and how each risk can be better managed in the future.
We call this process the “risk cycle,” and it is one of three tools that effective organizations use to implement a risk management program. The other two tools are the “risk inventory” and the “risk register,” as described below.
Risk Inventory. The first step in developing a strong risk management process is to take inventory of the threats and opportunities you face. Until you do, you’re in uncharted territory. You might think you know what is behind the next tree, but you can’t be sure. “Risk inventory” is a simple term for a simple concept: a structured, formal brainstorming exercise designed to look for risks – things that could go wrong, and things that could go right.
Why begin with the risk inventory? At the beginning of a risk management program, the first substantial task is to understand the organization’s current position. We want to find out where we are, so that we can make reality-based decisions about where we want to go and how to get there.
A risk inventory will identify many potential risks. In an average organization, a team of five taking an inventory will likely generate more than 100 items. The next step is to boil those down by removing risks that are errors or duplicates, etc. Still, at the end of a risk inventory, an organization may have 50 or more items on its list. As a result, we train the organization to prioritize those risks (and facilitate that process), so that the most important items move to the top of the list.
Risk Register. Those most important risk inventory items form the basis for the next tool: the risk register. The risk register is a simple Excel spreadsheet that lists each risk, ranks it by priority, notes who “owns” that risk within the organization, describes how the owner will address that risk, and identifies when the organization should check in again about that risk.
The risk register becomes a dynamic tool for keeping tabs on threats and opportunities throughout the organization, driving awareness and accountability. Senior staff can review the risk register periodically to see exactly where the organization stands on each issue. As risks are addressed, they may change to a lower priority or even be removed altogether.
Risk Cycle. The risk register becomes an important, evergreen resource for fulfilling the risk cycle. After identifying and prioritizing risks, the organization responds to those risks to reduce threats and grow opportunities. Staff refer to the risk register in staff meetings and one-on-ones and share the top risks with the board of directors. As they respond to risks, staff members assess their progress and improve over time, modifying the risk register to account for shifting priorities. But they don’t stop there. Instead, they identify and prioritize new risks as they arise, adding them to the risk register. They respond. They assess and improve. In short, the organization creates a virtuous risk cycle of accountability and resilience.
Original Post (from October 2015):
Risk management depends upon a continuous, seven-step process:
1 – IDENTIFY risks faced by the organization – both opportunities (positive risks) and threats (negative risks).
2 – Some risks are avoidable if you simply don’t engage in an activity. AVOID projects and actions that would trigger risks you don’t want to face.
3 – Some risks are opportunities. DEVELOP opportunities that may be of strategic value.
Those three steps identify threats and opportunities, rule out some actions as just too risky, and position new initiatives for testing. But what do we do with those threats we can’t avoid, as well as the potential negatives that may result from new initiatives? That’s addressed in the next three steps:
4 – REDUCE the threats presented by ongoing operations and strategic initiatives by identifying and implementing specific mitigation efforts.
5 – SHIFT threats that cannot be mitigated, using insurance, contracts, joint ventures, etc.
6 – ACCEPT the remaining risks, having taken the reasonable steps outlined above.
Finally, risk management is not a one-and-done activity. Instead, it builds and improves over time:
7 – IMPROVE your risk management over time by making Steps 1 through 6 an ongoing process and regular part of your operations.