Risk Management in Three Simple Steps


Risk management is a diverse topic. It can be the simple intuitive risk handling that we do in our everyday lives. We are born with a survival instinct, or a risk aversion [bibcite key=”citeulike:454986″], that helps us avoid falling off roofs and other dangerous things. Risk management can also be a highly regimented and mathematically advanced as used in nuclear power plants and other high risk, high complexity situations. This post won’t be about either of those situations. In this post I will describe a simple three step approach to risk management. It is a simple method that I often use with clients to help them focus on the most important risks.

A nuclear power plant is in need of advanced risk management.Source: Felix König - Eigenes Werk (own work) - Samsung S750 via Wikimedia Commons | CC BY SA 3.0

Risk management for nuclear power plants, such as this one in Gundremmingen, is highly complex. It is far outside the scope of this article which focuses on a simple three step process to risk management.

Three simple steps for successful Risk Management

For everyday business use, you can apply the following three simple steps to risk management: [bibcite key=”citeulike:13532392″]

  1. Identify risks — “Risk Identification”
  2. Assess risks — “Risk Assessment”
  3. Mitigation, contingency and avoidance — “Risk Planning”

A chevron process diagram for risk management in three simple steps.Source: Owned by the author

Three steps for risk management: identification, assessment and mitigation (including avoidance). Iterate as required.

With the simple three steps method for risk management you can perform all three steps in a single meeting. But before you start, you must decide what your focus is. As you go through the process, keep that focus in mind for yourself and those helping you.

Risk Identification

Risk identification is the first step in risk management. You need to identify risks using an approach where you divide the risk in two parts, the trigger and the consequence. The trigger is some averse event such as lightning hitting your house and the consequence is something that happens as a result for instance that your house burns to the ground.

How should you identify your risks? Use the expertise of your team. Use issues and risks from previous and parallel projects. Use standard risk lists. But use them in a meeting where you make use of Delphi techniques like brain storming to make sure that you leverage each of your team members.

Risk Assessment

How big a risk is that? Which are the biggest risks for us? Risk assessment is the process that tries to answer that question. First of all, let’s agree on a defintion of risk. I propose that risk is simply the product of the probability that something will happen and the impact if that happens. This is actually why we made a clear distinction in the previous phase between the trigger and the consequence. What we need to estimate is the probability of the trigger and the impact of the consequence.

Calculating the risk level

Using full mathematical rigour is not required here. It is enough to divide probabilities and impact into a 3- or 5-point scale. I prefer a 5-point scale. For probability the scale starts with 1 = low probability, it most likely will not happen (0-20%). The scale ends with 5 = high probability, it most likely will happen (80-99%). Why not 100%? If the problem is certain to occur, it is not a risk but an issue and those we need to handle in a different way. For impact, the scale starts at 1 = low impact and ends with 5 = high impact. A 5 should be grave enough that it threatens the existence of the whole project or product or other focus that you are assessing the risks for.

To obtain the risk level, multiply like this \mbox{risk}=\mbox{probability}*\mbox{impact}. The range for risks with a 5-point scale goes from 1 (=1*1) to 25 (=5*5). If you are using Microsoft Excel, you can calculate the risk as “=D2*E2” but you can keep your sheet a bit more elegant by using “=IF(D2*E2>0;D2*E2;””)”. The advantage with the latter is that you will have an empty cell instead of a 0 for those risks that have not been assessed yet. I often use conditional formatting, color scale, red-yellow-green. If you have used my second formula, the result will be that you have the highest risks highlighted in red and the lowest risks in green. At this point, you should have something like this:

First two steps of risk management performed. The user now has listed triggers and consequences and has estimated the probability and the impact and the risk levels have been calculated.Source: Owned by the author

After identifying your risks, assessing them and possibly adding some conditional formatting you should have something like this.

Needless to say, you should also considering sorting your risks from higher to lower risks. Sometimes showing the risks in a table format might help people understand them better. Here is an example for the same data:

You should note that the same actual event can appear more than once in your risk analysis. For instance, touching the electric wires could either kill you or lead to a fine or both. If you were doing the risk analysis for a nuclear power plant, you would create risk trees and calculate the risks for each branch of the tree. Here we just include both.

The same action can have different risk levels.Source: Steve Jurvetson on Flickr | CC BY 2.0

The same action can have different risk levels. Considering that I touch the wires: a) IF I get an electric shock THEN I die (risk = probability * impact = 4 * 5 = 20) and b) IF I am caught by the authorities in the attempt THEN I get a fine ( 1 * 1 = 1).

Risk load

Mathematically, if you sum up all the risks you have identified you should get the expected (as in mean) impact on your analysis focus. With the simplified analysis we have performed risk comparisons between two projects can be less meaningful. But using the same risk list, you can apply it either to two different projects or to the same projects at different points in time. I like to talk about this as comparing risk loads. If you are working properly with risk management, risks should decrease over time as more of your mitigations and preparations take effect.

Risk Assessment in practice

By now you should have a good idea on how the risk assessment is done in two steps. What you should not do, if you can avoid it, is to assess the risks alone. It will be much better if you do it as a team. Wisdom of the crowds, Oracle of Delphi and all that.

Risk Planning

Now you have identified your risks and you know which are the biggest risks. It is time for you and your team to find ways to avoid problems and issues arising from these risks. Logically, you can do one of the following things: Decreasing the probability that there will be a problem (risk avoidance) or lessen the impact of the problem (risk mitigation).

Preparing for a fire by training and placing a fire extinguisher is an example of risk mitigation.Source: U.S. Navy photo by Mass Communication Specialist 2nd Class Rachel McMarr via Wikimedia Commons | PD

Train to use a fire extinguisher and place them where you will need to avoid the consequences of a fire.

Let’s take an example. Let’s say you have identified “fire” as one of your main risks. You can avoid fire by using non-flammable materials, avoiding electrical hazards, foregoing open flames and so on. You can limit the damage by installing protections such as sprinkler systems, fire extinguishers, fire alarms and by training evacuation procedures.

Order your risks by descending risk levels and start adding mitigations from the top and going down. You should cover all of your top risks. That probably means all risks above 15 or 20. It’s a bit hard to give more details on how you should handle your risks.

Next steps for risk management

There is one additional step that you need to take. You need to monitor your risks continuously and take action when the trigger is detected. And of course, follow up and update your assessment regularily. And if you want to comply with ISO 31000 you need to document all of this. [bibcite key=”citeulike:13532400″]

And remember, it doesn’t matter if you are using a plan driven or an agile approach. You still need to manage your risks. [bibcite key=”citeulike:2371774″]



Image sources

About Greger Wikstrand

Greger Wikstrand, Ph.D. M.Sc. is a TOGAF 9 certified enterprise architect with an interest in e-heatlh, m-health and all things agile as well as processes, methods and tools. Greger Wikstrand works as a consultant at Capgemini where he alternates between enterprise agile coaching, problem solving and designing large scale e-health services ...

One Comment

  1. Pingback: Simplifying The Risk Management Process | The Vision Lab

Leave a Reply