by David Hillson, PhD, The Risk Doctor

What should a good risk management process cover? Anyone undertaking a risky or important venture should ask themselves eight simple questions:

  1. What are we trying to achieve?
  2. What might affect us achieving this?
  3. Which of those things are most important?
  4. What shall we do about them?
  5. Have we taken action?
  6. Who needs to know?
  7. Having taken action, what has changed?
  8. What did we learn?

Basic Risk Process

These questions describe the steps required to manage risk. They can easily be expanded into a basic risk process, with one process step to answer each question:

1. Getting started (risk process initiation)

Risks only exist in relation to defined objectives, and these are what we are trying to achieve. We cannot start the risk process without first clearly defining its scope and clarifying which objectives are at risk. It is also important to know how much risk key stakeholders are prepared to accept, since this provides the target threshold for risk exposure.

2. Finding risks (risk identification)

Once the scope and objectives are agreed, it is possible for us to start identifying risks, which are the things that might affect us, including both threats and opportunities. We should use a variety of techniques to help us find as many risks as possible.

3. Setting priorities (risk assessment)

Not all risks are equally important, so we need to filter and prioritise them, to find the worst threats and the best opportunities. When prioritising risks, we could use various qualitative characteristics, such as how likely they are to happen, what they might do to objectives, how easily we can influence them, when they might happen, etc. We might also use quantitative methods to analyse risk exposure.

4. Deciding what to do (risk response planning)

Once we have prioritised individual risks, we can think about what actions are appropriate to deal with individual threats and opportunities. Each risk needs an owner who should decide how to respond appropriately.

5. Taking action (risk response implementation)

Nothing will change unless we actually do something. Planned responses must be implemented in order to tackle individual risks and change the overall risk exposure, and the results of these responses should be monitored to ensure that they are having the desired effect. Our actions may also introduce new risks for us to address.

6. Telling others (risk reporting)

Various stakeholders are interested in risk at different levels, and it is important to tell them about the risks we have found and our plans to address them.

7. Keeping up to date (risk reviews)

We have to come back and look again at risk on a regular basis, to see whether our planned actions have worked as expected, and to discover new and changed risks that now require our attention.

8. Capturing lessons (risk lessons learned)

At the end of the exercise we should take advantage of our experience to benefit future similar endeavours. This means spending time thinking about what worked well and what needs improvement, and recording our conclusions in a way that can be reused by ourselves and others.
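The eight steps above map naturally onto a small risk register. The following Python module is an added example, not code from the author or from Risk Doctor & Partners: the scoring weights (probability times impact, boosted for near-term risks and for risks that are easy to influence), the threat threshold, and the sample risks for a security hardening project are all constructed for illustration.

```python
"""Worked risk register for the eight-step process (added example).
The scoring weights and the sample risks are assumptions made for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Kind(Enum):
    THREAT = "threat"
    OPPORTUNITY = "opportunity"


@dataclass
class Risk:
    description: str
    kind: Kind
    probability: float   # 0.0-1.0: how likely it is to happen
    impact: int          # 1-5: what it might do to the objectives
    manageability: int   # 1-5: how easily we can influence it (5 = easily)
    proximity_days: int  # when it might happen, in days from process start
    owner: Optional[str] = None
    response: Optional[str] = None
    status: str = "open"  # open -> actioned -> closed

    def score(self) -> float:
        """Qualitative priority score. The weighting is an assumption of this
        example: probability x impact, raised for risks due within 30 days and
        for risks that are easy to influence (action there is more worthwhile)."""
        proximity_factor = 1.5 if self.proximity_days <= 30 else 1.0
        manageability_factor = 1.0 + self.manageability / 10.0
        return self.probability * self.impact * proximity_factor * manageability_factor


class RiskRegister:
    def __init__(self, objective: str, threat_threshold: float):
        # Step 1: the objective at risk and how much threat exposure stakeholders accept
        self.objective = objective
        self.threat_threshold = threat_threshold
        self.risks: List[Risk] = []
        self.lessons: List[str] = []

    def identify(self, risk: Risk) -> None:
        # Step 2: record both threats and opportunities
        self.risks.append(risk)

    def prioritise(self) -> List[Risk]:
        # Step 3: worst threats and best opportunities first
        return sorted(self.risks, key=lambda r: r.score(), reverse=True)

    def _find(self, description: str) -> Risk:
        for r in self.risks:
            if r.description == description:
                return r
        raise KeyError(description)

    def plan_response(self, description: str, owner: str, response: str) -> None:
        # Step 4: every risk gets an owner who decides how to respond
        r = self._find(description)
        r.owner, r.response = owner, response

    def implement(self, description: str, closed: bool = False) -> None:
        # Step 5: a response has been actioned; a closed risk no longer adds exposure
        self._find(description).status = "closed" if closed else "actioned"

    def threat_exposure(self) -> float:
        # Overall exposure from threats that are not yet closed
        return sum(r.score() for r in self.risks
                   if r.kind is Kind.THREAT and r.status != "closed")

    def within_appetite(self) -> bool:
        return self.threat_exposure() <= self.threat_threshold

    def report(self, top_n: int) -> List[str]:
        # Step 6: a short summary for stakeholders who only need the top risks
        return [f"{r.kind.value}: {r.description} (owner={r.owner}, score={r.score():.2f})"
                for r in self.prioritise()[:top_n]]

    def review(self, days_elapsed: int) -> List[str]:
        # Step 7: periodic review flags risks that need attention
        findings = []
        for r in self.risks:
            if r.status == "closed":
                continue
            if r.owner is None or r.response is None:
                findings.append(f"no owner/response: {r.description}")
            if r.proximity_days <= days_elapsed and r.status == "open":
                findings.append(f"due but not actioned: {r.description}")
        return findings

    def record_lesson(self, lesson: str) -> None:
        # Step 8: capture what worked and what did not, for reuse
        self.lessons.append(lesson)


def build_sample_register() -> RiskRegister:
    # Constructed sample data for a hypothetical security hardening project
    reg = RiskRegister("Ship the hardened build by quarter end", threat_threshold=3.0)
    reg.identify(Risk("Unpatched internet-facing service is exploited", Kind.THREAT, 0.4, 5, 4, 20))
    reg.identify(Risk("Key engineer leaves mid-project", Kind.THREAT, 0.2, 4, 2, 90))
    reg.identify(Risk("Vendor offers early access to a hardened base image", Kind.OPPORTUNITY, 0.5, 3, 3, 15))
    reg.plan_response("Unpatched internet-facing service is exploited", "ops-lead", "patch within 48h")
    reg.plan_response("Vendor offers early access to a hardened base image", "arch-lead", "evaluate in staging")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("within appetite before action:", reg.within_appetite())
    reg.implement("Unpatched internet-facing service is exploited", closed=True)
    print("within appetite after action:", reg.within_appetite())
    print("\n".join(reg.report(2)))
    print("review findings:", reg.review(30))
```

Running the module shows the register exceeding the threshold set in step 1 until the top threat is closed in step 5, and the day-30 review in step 7 surfacing both the risk with no owner and the opportunity whose window has passed without action.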

Any good risk process will follow these steps to ensure that we identify, assess and manage our risks effectively. These are not difficult to implement, but without all of these steps a risk process is incomplete.

About the Author

Dr David Hillson, PMP FRSA HonFAPM FIRM FCMI, is internationally recognized as a leading thinker and practitioner in risk management. He is Director of Risk Doctor & Partners (http://www.riskdoctor.com), and has worked in over 40 countries. He is a popular conference speaker and award-winning author on risk, with six books on the topic. David is an active member of the Project Management Institute (PMI) and was a founder member of its Risk Management Specific Interest Group. He received the PMI Distinguished Contribution Award for his work in developing risk management over many years. Since 1998 he has been a core author for the risk chapter of the PMBOK Guide®, and is a core author for the PMI Practice Standard for Project Risk Management.