Risk management is a diverse topic. It can be the simple, intuitive risk handling that we do in our everyday lives. We are born with a survival instinct, or a risk aversion, that helps us avoid falling off roofs and other dangerous things. Risk management can also be highly regimented and mathematically advanced, as used in nuclear power plants and other high-risk, high-complexity situations. This post won’t be about either of those situations. In this post I will describe a simple three-step approach to risk management. It is a simple method that I often use with clients to help them focus on the most important risks.
Three simple steps for successful Risk Management
For everyday business use, you can apply the following three simple steps to risk management: 
- Identify risks — “Risk Identification”
- Assess risks — “Risk Assessment”
- Mitigation, contingency and avoidance — “Risk Planning”
With the simple three-step method for risk management you can perform all three steps in a single meeting. But before you start, you must decide what your focus is. As you go through the process, keep that focus in mind for yourself and those helping you.
Risk identification is the first step in risk management. You need to identify risks using an approach where you divide each risk into two parts, the trigger and the consequence. The trigger is some adverse event, such as lightning hitting your house, and the consequence is something that happens as a result, for instance that your house burns to the ground.
How should you identify your risks? Use the expertise of your team. Use issues and risks from previous and parallel projects. Use standard risk lists. But use them in a meeting where you make use of Delphi techniques like brainstorming to make sure that you draw on each of your team members.
How big a risk is that? Which are the biggest risks for us? Risk assessment is the process that tries to answer those questions. First of all, let’s agree on a definition of risk. I propose that risk is simply the product of the probability that something will happen and the impact if it happens. This is actually why we made a clear distinction in the previous phase between the trigger and the consequence. What we need to estimate is the probability of the trigger and the impact of the consequence.
Calculating the risk level
Using full mathematical rigour is not required here. It is enough to divide probabilities and impact into a 3- or 5-point scale. I prefer a 5-point scale. For probability the scale starts with 1 = low probability, it most likely will not happen (0-20%). The scale ends with 5 = high probability, it most likely will happen (80-99%). Why not 100%? If the problem is certain to occur, it is not a risk but an issue and those we need to handle in a different way. For impact, the scale starts at 1 = low impact and ends with 5 = high impact. A 5 should be grave enough that it threatens the existence of the whole project or product or other focus that you are assessing the risks for.
To obtain the risk level, multiply probability by impact. The range for risks with a 5-point scale goes from 1 (=1*1) to 25 (=5*5). If you are using Microsoft Excel, you can calculate the risk as “=D2*E2”, but you can keep your sheet a bit more elegant by using “=IF(D2*E2>0;D2*E2;"")”. The advantage of the latter is that you will have an empty cell instead of a 0 for those risks that have not been assessed yet. I often use conditional formatting with a red-yellow-green color scale. If you have used my second formula, the result will be that you have the highest risks highlighted in red and the lowest risks in green. At this point, you should have something like this:
Needless to say, you should also consider sorting your risks from higher to lower risk levels. Sometimes showing the risks in a table format might help people understand them better. Here is an example for the same data:
You should note that the same actual event can appear more than once in your risk analysis. For instance, touching the electric wires could either kill you or lead to a fine or both. If you were doing the risk analysis for a nuclear power plant, you would create risk trees and calculate the risks for each branch of the tree. Here we just include both.
Mathematically, if you sum up all the risks you have identified you should get the expected (as in mean) impact on your analysis focus. With the simplified analysis we have performed, risk comparisons between two projects can be less meaningful. But using the same risk list, you can apply it either to two different projects or to the same project at different points in time. I like to talk about this as comparing risk loads. If you are working properly with risk management, risks should decrease over time as more of your mitigations and preparations take effect.
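To make the assessment step concrete, here is a small risk register in Python that I have added for this post (it is not part of the original article and not a replacement for the Excel sheet): it applies the 5-point scales, leaves the level empty for unassessed risks the way the IF formula does, ranks the risks, and compares the risk load before and after a mitigation. The register entries, the red/yellow/green cut-offs (15 and 8) and the mitigation threshold of 15 are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

SCALE = range(1, 6)  # the post's 5-point scale: 1 = low, 5 = high

@dataclass
class Risk:
    trigger: str                       # the adverse event
    consequence: str                   # what happens as a result
    probability: Optional[int] = None  # 1..5, None = not assessed yet
    impact: Optional[int] = None       # 1..5, None = not assessed yet

    def level(self):
        """Probability x impact; None while unassessed, like the IF(...;"") Excel cell."""
        if self.probability is None or self.impact is None:
            return None
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"scores must be 1-5: {self.trigger}")
        return self.probability * self.impact

def band(level):
    """Red/yellow/green over the 1..25 range; the cut-offs 15 and 8 are an assumption."""
    if level is None:
        return ""
    return "red" if level >= 15 else "yellow" if level >= 8 else "green"

def ranked(risks):
    """Assessed risks from highest to lowest level, unassessed ones listed last."""
    assessed = sorted((r for r in risks if r.level() is not None),
                      key=lambda r: r.level(), reverse=True)
    return assessed + [r for r in risks if r.level() is None]

def risk_load(risks):
    """Sum of all assessed levels: the 'risk load' used to compare two points in time."""
    return sum(r.level() for r in risks if r.level() is not None)

def needs_mitigation(risks, threshold=15):
    """Top risks that must get a mitigation or avoidance plan (the post suggests 15 or 20)."""
    return [r for r in ranked(risks) if r.level() is not None and r.level() >= threshold]

# Constructed register; the same event (touching wires) appears twice, as the post allows.
REGISTER = [
    Risk("Lightning hits the house", "House burns to the ground", 2, 5),
    Risk("Touching live wires", "Electrocution", 1, 5),
    Risk("Touching live wires", "Fine from the inspector", 3, 2),
    Risk("Open flames in the workshop", "Fire spreads to the building", 4, 5),
    Risk("Key supplier goes bankrupt", "Deliveries stop", None, None),  # not yet assessed
]
# Same register after installing sprinklers: the fire risk's impact drops, so the load falls.
AFTER_MITIGATION = [replace(r, impact=3) if r.trigger.startswith("Open flames") else r
                    for r in REGISTER]
```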
Risk Assessment in practice
By now you should have a good idea on how the risk assessment is done in two steps. What you should not do, if you can avoid it, is to assess the risks alone. It will be much better if you do it as a team. Wisdom of the crowds, Oracle of Delphi and all that.
Now you have identified your risks and you know which are the biggest risks. It is time for you and your team to find ways to avoid problems and issues arising from these risks. Logically, you can do one of two things: decrease the probability that there will be a problem (risk avoidance) or lessen the impact of the problem (risk mitigation).
Let’s take an example. Let’s say you have identified “fire” as one of your main risks. You can avoid fire by using non-flammable materials, avoiding electrical hazards, foregoing open flames and so on. You can limit the damage by installing protections such as sprinkler systems, fire extinguishers, fire alarms and by training evacuation procedures.
Order your risks by descending risk levels and start adding mitigations from the top and going down. You should cover all of your top risks. That probably means all risks above 15 or 20. It’s a bit hard to give more details on how you should handle your risks.
Next steps for risk management
There is one additional step that you need to take. You need to monitor your risks continuously and take action when the trigger is detected. And of course, follow up and update your assessment regularly. And if you want to comply with ISO 31000 you need to document all of this.
And remember, it doesn’t matter if you are using a plan driven or an agile approach. You still need to manage your risks. 
- Gundremmingen Nuclear Power Plant: Felix König - Eigenes Werk (own work) - Samsung S750 via Wikimedia Commons | CC BY SA 3.0
- three steps for risk management: Owned by the author
- risk assessment complete: Owned by the author
- Touching wires causes instant death: Steve Jurvetson on Flickr | CC BY 2.0
- Risk: A Syn on Flickr | CC BY SA 2.0