Share this
Mister Wong
Digg
Del.icio.us
Slashdot
Furl
Yahoo
Technorati
Newsvine
Googlize this
Blinklist
Facebook
Wikio
Hear this text
Export PDF
Print
E-mail
Tags
Eight steps to risk process management
A recent Risk Doctor briefing listed eight steps as essential components of a basic risk process. These are: (1) Getting started (risk process initiation); (2) Finding risks (risk identification); (3) Setting priorities (risk assessment); (4) Deciding what to do (risk response planning); (5) Taking action (risk response implementation); (6) Telling others (risk reporting); (7) Keeping up to date (risk reviews); and (8) Capturing lessons (risk lessons learnt).
- 28/02/2011 13:24 - Energy
- 18/01/2011 12:40 - Honest Abe and the power dilemma
- 18/01/2011 12:20 - Planned recycling
- 18/01/2011 09:55 - Review, reflect and renew
- 18/01/2011 09:01 - The state of the art
- 18/01/2011 06:54 - Don't kill the world
- 17/01/2011 13:19 - An unholy mess
- 17/01/2011 13:04 - Top Trends
- 05/10/2010 08:34 - The Cuban lesson
- 05/10/2010 07:47 - Breaking down the code
Although logically this sequence of steps makes good sense, many organisations often do not include all eight steps in their risk process.
There are three important ways in which the typical risk process is flawed.
The most significant problem is a failure to turn analysis into action. Despite agreeing risk responses and allocating actions to risk owners, it is common for nothing to get done.
One reason for this lack of action is that most risk processes do not have any formal “Risk Response Implementation” (step 5 in the aforementioned list). Instead, we simply hope that risk owners will do what we ask and complete their agreed actions.
One way to encourage action is to make a clear link between the work plan and risk responses. Risk actions need to be treated in the same way as all other tasks, with an agreed owner, a budget and timeline. Then they should be included in the plan, reported on and reviewed.
If risk responses are seen as “optional extras”, they may not receive the degree of attention they deserve.
Without “Risk Response Implementation”, it is likely that many risk responses will not happen and risk exposure will be unchanged.
Secondly, it is common not to have a separate focus on “Risk Reporting” in the risk process (step 6), despite everyone saying that communication is
really important.
Instead, the risk process produces its outputs – usually the risk register and one or more risk reports – and we hope that anyone interested in risk will find what they require in these documents.
It would be much better to have a structured approach to risk communication. This should produce tailored risk outputs that present specific risk information to particular stakeholders, telling them what they need to know.
This will encourage each stakeholder to use the results of the risk process to help him/her do the job better, with risk-based decision-making and action.
A specific “Risk Reporting” step will ensure this communication happens.
A third equally vital flaw in most risk processes is the lack of a “Risk Lessons Learnt” review (step 8). This is linked to the wider malaise of failure to identify lessons to be learnt at key points such as the end of a project or after a significant business decision.
Not capturing these lessons denies the organisation the opportunity to learn from its experience and improve performance in future.
There are many risk-related lessons to be learnt in each uncertain situation, and the inclusion of a formal “Risk Lessons Learnt” review will help to capture these – either as part of a more generic review meeting or as a separate event.
Such lessons include identifying which threats and opportunities arise frequently, finding which risk responses work and which do not, and understanding the level of effort typically required to manage risk effectively.
So perhaps there is still something new to be said about the risk management process. Despite our long history in attempting to foresee the future and address risk proactively, we would do better if we addressed these weak spots in the risk process.
If your risk process is missing steps 5, 6 and 8, then you may want to consider including them. This will ensure that agreed risk responses are actually implemented, that each stakeholder receives useful information from the risk process, and that the organisation learns risk-related lessons to improve future performance.
These simple and practical additions will enhance the effectiveness of your risk process, and help you succeed more often.
Dr David Hillson
HonFAPM, PMI Fellow
Dr Hillson was recently honoured at the PMI Global Congress in Washington, DC for his ongoing contributions in the important field of project risk management by being named a PMI Fellow.
Each year, one new fellowship is conferred at the Global Congress in North America. He thus joins a distinguished group of project management personalities who have received the PMI fellowship over the past few decades.
E-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
