Summary
Changes like digitization, agile, automation, big data, etc. brings so many opportunities and possibilities.
Often, we even have to consciously take risks in order to realize innovation and profit. But it also holds massive dangers.
Organization-wide or project-specific risk management is often used to control risks. But many risk management approaches fizzle out or are toothless paper tigers.
Or on the other hand, you imaging you are safe which is not the case. For many people risk management seems to be a lot of effort that does not help.
But no risk management does not mean no risks at all. Usually, the cause is an inadequate implementation.
By Peter Roth, March 23, 2021
Weakness of Risk Management Implementation
Identifying and assessing risks is an essential and integral part of general management and project management but is also used in countless other disciplines such as sports, financial planning, insurance, industry and emergency assistance.
In practice, however, there are some weaknesses in implementation which reduces the effectiveness of risk management:
- Not all major risks have been identified
- Risks are described and assessed incorrectly or imprecisely, the assessments are interpreted incorrectly
- Risk management is not integrated
- Risk management is not carried out regularly, too little consistency
- The process is too complicated and administratively time-consuming
- Terms are used differently
What is a Risk and what is Risk Management?
Risks are relevant dangers that can occur in the future. That is why risks always have a probability of occurrence (PoO).
Risks have one or more mostly negative impact on the organization / project if the risk occurs.
Risk management is the discipline of recognizing, describing and monitoring risks and defining measures to contain them.
These measures should either a) minimize the PoO of risks, or, if the risk occurs, b) minimize the impact of hazards or c) reduce the frequency of occurrence of risks.
The purpose of risk management is to ensure that the organization understands and effectively handles risks.
Risks have to be regularly reviewed, as both the risks themselves and the environment change.
Risks can be presented in tables and graphics. The risks with the PoO and the impact are graphically displayed in a risk grid.
Example of a risk: A cable on the floor could be a risk for stumbling (danger). If someone trips over the cable, falls, and bumps their head on the table immediately next to it (scenario), this could lead to a critical injury (impact).
That is why the cable must be removed immediately when it is no longer needed (measure).
What helps for the Identification of Risks?
Describing a risk clearly is not easy and requires experience and sensitivity.
- Risks and their effects must be related to the plan / project in order for them to be relevant.
Example: The risk of flooding is usually not relevant in an IT project, unless the server rooms are nearby.
- The risks can be divided into (e.g. company, organizational or project) internal or external risks. Normally, internal risks can be influenced well.
External risks can only be influenced to a limited extent, with a lot of effort or even not at all. In the case of external risks, it is often only their impact on the own organization that can be reduced.
- In order to describe risks, it helps to capture possible scenarios. A risk should not be described in general but concretely from the perspective of the organization.
- A structure such as the breakdown into technical (systems, data, functions, etc.), organizational (structure, process, governance, etc.), economical (financial risks, market risks), legal and regulatory (legislation, authorities, etc.), and environmental risks (flood, fire, etc.) helps to capture risks as complete as possible .
- Subject matter experts recognize and understand especially external risks better than outsiders, which is why they have to be asked regularly instead of making assumptions.
How do I influence the Probability of Occurrence?
The probability of occurrence (PoO) describes the likelihood of the risk that can happen in future. The PoO of a risk can and will change over time.
- It is often rated with a percentage or with a classification (e.g. 'small - medium - high' or 'rarely - unlikely - possible - likely - almost certain'). If the PoO is 100%, the danger has occurred.
So, it is no longer a risk but becomes a problem (Engl. Issue). The PoO depends, among other things, on the exposure to the hazard.
- If you are close (geographically, organizationally, technically), the PoO is higher.
- Measures to reduce or even eliminate PoO must be planned, implemented, monitored and their effect regularly assessed as long as the risk persists. These can be one-off or recurring measures.
- If the desired effect is not achieved, the measures must be adapted or new, additional measures must be implemented.
- Although a measure works as desired, it may still have to be improved because the risk itself or the PoO has changed.
- Even if the PoO of a risk is small, it can happen, in keeping with Murphy's Law: "If anything can go wrong, it will".
How do I handle the Impact of Risks?
The impact of a risk on an organization describes the mostly negative concrete influence of a risk on one's own organization. A risk with no relevant impact is not a relevant risk.
Example: In the event of a flood, the relevant impact may only be a power outage for your own building.
- The impact is often given as a classification (e.g. small - medium - high or negligible - low - moderate - large - catastrophic). In companies, a financial assessment of the impact also comes into play.
- The PoO depends, among other things, on the exposure to the hazard. If you are close (geographically, organizationally, technically), the PoO is higher.
- Measures to reduce the impact are very important because any risk can occur. Ideally, measures are taken to completely eliminate the impact, which eliminates the risk. Organizational, structural and technical measures can be:
- Reducing the scope of the impact, e.g. through division, duplication, restoration
- Reducing the depth of effects, e.g. reducing pressure, reducing hardness so that it only has a superficial effect
- Measures to reduce repetitions for the occurrence of risks
- Many risks can be insured
Additional Risk Management Tips
- Better a simple, focused risk management, which is actively lived, then being blind.
- I would integrate opportunities management in the same way as professional risk management. Ultimately, it is a matter of weighing up opportunities and risks.
- The values of the classifications of probability of occurrence and impact and their significance should be defined internally in order to increase comprehensibility and acceptance.
- Risk management should be integrated into the organization, with clear responsibilities, communication and the inclusion of the topic on the agenda of existing meetings.
- Measures to avoid risks or to mitigate the effects should each be assigned to a responsible person and given a deadline. It should be added and processed directly in the common action item list.
- Risks should be classified (e.g. with a traffic light system), according to the classification, risks should be reassessed weekly, monthly or quarterly. New risks are to be recorded on a fixed basis, e.g. on a monthly basis.
- Risk management should be transparent and the information should be accessible accordingly.
- Often there is a mixture of terms, which makes communication difficult. See Wikipedia (“Risk”).