Building a Risk Management System
Increased emphasis is being put on risk management within organizations. This is shown, among other things, in the latest revisions of the most widely used standards worldwide: ISO 9001 on quality management systems and ISO 45001 on occupational health and safety, in which risk assessments are increasingly referred to.
Another interesting aspect is the increase in root-cause findings stating that the absence of a risk assessment led to an accident. Though it can be debated whether the absence of a risk assessment can be stated as a root cause, it does show the focus on this specific part of risk management.
But, what is risk management exactly? How and why should someone design and implement an effective risk management system within an organization?
What is risk management?
The process of managing risks – obviously. It is a process that helps identify and assess what risks may be posed to an organization and then moves to determine control or mitigating measures that should be implemented.
Risk management does not come into play as soon as a crisis pops up. That is crisis management. Rather risk management is part of day-to-day operations and involves preventing crises from occurring and mitigating their consequences if they do.
Risk management can help organizations in their day-to-day business as well as in making strategic decisions by knowing what potential threats could cause business to be delayed, interrupted or worse. Risk management can be used as well to identify opportunities and whether they are worth chasing.
Though the word risk is mostly associated with the negative side of its meaning, there is also a positive connotation to it. The definition of risk is the “effect of uncertainty upon objectives.” The most well-known manner to express risks is to multiply the estimated likelihood of a certain event happening with the estimated consequence this event could have. These consequences can be negative – threats – but may be positive as well – opportunities.
Solid risk management may therefore help to identify and evaluate both threats and opportunities, helping an organization to structure and prioritize action as an ongoing business process.
Five steps to set up a proper risk management strategy
So, where to start setting up a proper risk management strategy? Five steps are provided below in order to follow a structured approach in implementing a risk management framework within an organization.
1. Identify the main processes within the organization
Many risks can be identified during all kinds of processes within an organization, including specific risks that only apply to certain projects. It is essential to prioritize and monitor all such risks for a structured and transparent approach.
2. Design a framework / process linked to your operations
A risk management framework can be developed from the insights into the business processes. What processes should it include? And how should it be divided? When your organization is project orientated, working for a variety of clients, this framework can be used:
It incorporates the following risks:
• Corporate risks – risks that are related to the environment the business is operating in. Think of a corporate risk assessment as a context analysis. Who are stakeholders, and what are their stakes? What value can the organization add? What legal requirements or political influences influence the organization? Both positive and negative. With this assessment, it is easier for an organization to steer along their strategic direction.
• Project risks – risks that are typically related to a specific project.
  • Contract risks – risks related to the winning and managing of the contract. Are stated terms and conditions in the contracts acceptable? What is the likelihood that the organization can fully comply with the terms and conditions? Are the risks bearable?
  • Project preparation risks – risks that are identified in the preparation phase. What hazards should be taken into account during project execution, and what can be done to control these hazards? Such risk assessments can also take into account logistics and planning, for example.
  • Project execution risks – risks that are specifically related to the execution of the project. For example, should a Job Safety Analysis be undertaken for a specific hazardous activity?
The framework has various areas that include their own scope of risks. Note that the outcome of the corporate risk assessment may serve as input for the project risks. For example, think of the decision of an organization to buy Equipment A with certain specifications, instead of Equipment B with other specifications, for which the decision is made at a corporate level. This leads people in the project phase to take into account the specifications and limitations of Equipment A in their risk assessment. Of course, many other examples can be thought of, e.g. related to training requirements, marketing strategy, the risk appetite of an organization, etc.
3. Define risk assessment tools, (monitoring) frequencies, people involved
After determining what areas involve risks, it is time to define what risk assessment tools are needed, when, and which people should be involved. Corporate risks will not be assessed by personnel that only work in project execution, for example, though you might ask for specific input, and the managing director will not be assessing the risks related to execution.
Risk assessments will be most effective if the perspectives of various people are included. More people with different experience, knowledge and background, means that together they capture more insight and knowledge, and a view as complete as possible can be structured, with associated control and mitigating measures where deemed necessary.
4. Find tools that may help structure your thinking
How to identify risks? This might be hard and guidance could be found in the PESTLE and SWOT analysis techniques. These techniques are especially helpful in context analysis / corporate risk assessment.
The PESTLE technique is a technique focusing on the areas of:
Taking these into account helps to bring structure to deliberations. The outcome may be used in a SWOT analysis which helps identify Strengths, Weaknesses, Opportunities and Threats.
These two techniques are mostly used in assessing organizational risks. However, a SWOT analysis might also help to gain insight into the activities of various departments within an organization.
5. Build in continuity
Once started, it is important to keep the process of risk management going. The organizational landscape will change over time, and these internal and external factors need to be re-assessed. Projects will change, and new ones will be added, and therefore risks will as well.
• Risk management is beneficial for business continuity;
• Risk management may lead to better insight into business activities;
• Structure a risk management strategy by first determining what areas are present in the organization;
• Select the correct assessment tools, and involve the right personnel;
• Use guidance – PESTLE may help in gaining insight into the organizational environment, and SWOT can help in gaining insight into the organization / service / product as a whole, as well as various processes within the organization;
• Risk management is a continuous process, not a one-time thing.
Karen van Vliet is a senior consultant for Quattor P.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.