What is a risk management process and why is it necessary?
Risk is any uncertainty that can improve or reduce your ability to achieve your objectives. It can take many forms, including risks affecting projects, finances, security and privacy, and the environment. Whether a risk is positive (an opportunity) or negative, you need an intentional approach to understanding the balance between risk and reward. This article focuses on the process for managing risks that could have a negative impact on your organization; a similar process applies to deciding how to exploit beneficial uncertainty, i.e., positive risk.
Recent history has highlighted the impact that risk factors can have on how businesses and individuals operate -- and on whether they can continue to do so. The ability to navigate risk better than competitors will certainly contribute to the enterprise's success. Failure to do so could spell disaster, perhaps beyond recovery.
For these reasons, it is important to apply a proven and consistent risk management process. When built upon a solid foundation of understanding the organization's goals, objectives and internal/external context, a risk management process will help ensure your organization's success.
What are the 5 steps of the risk management process?
Many bodies of knowledge document risk management, but perhaps the best known is that of the International Organization for Standardization (ISO). ISO 31000, Risk management -- Guidelines, includes extensive information on how to communicate about, manage and monitor risk. The process it describes is essentially the same for any type of entity; this article distills it into the following five steps:
- Identify the risks.
- Analyze the likelihood and impact of each.
- Prioritize risk based on enterprise objectives.
- Treat (or respond to) the risk conditions.
- Monitor results and use those to adjust, as necessary.
While these steps are straightforward, every business has unique factors that affect how it should manage and monitor risk. To determine and apply those factors, it is helpful to apply a risk management framework as part of a comprehensive approach to planning, executing and tracking overall management of the various risks.
It's also important to keep in mind that the goal of the risk management process, in the context of a broad framework, is not to completely eliminate all risk but to determine acceptable levels of risk, given your objectives, and then work to keep those risk factors within agreed-upon boundaries. The steps below will help to determine and apply specific actions to do so.
1. Identify risks
The first step is to determine the potential risks themselves. That requires some context: To consider what could go wrong, one needs to begin with what must go right.
Begin with a review of your goals and objectives and the resources or assets that enable them. Risk practitioners often combine a top-down and a bottom-up approach to thinking about what might impede those objectives.
The top-down portion considers mission-critical programs that should not be impaired (like sales transactions in a retail store or manufacturing processes in a factory); it then lists the conditions that might impair those programs.
For the bottom-up portion, one can consider various known threat sources (like earthquakes, ransomware attacks or economic downturns) and ponder what impact those might have on the enterprise.
Because risk is, by definition, any uncertainty that affects objectives, a risk is only a risk if it has impact. The more impactful a risk is, the higher the priority. The analysis of that priority will occur in the next step, but first one needs to consider the various risk factors to create a scenario that can be measured.
NIST Interagency Report (NISTIR) 8286A, "Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM)," provides guidance on developing risk scenarios. According to the report, four elements must be present to describe a negative risk (see Figure 2):
- a valuable asset or resource that would be impacted;
- a source of a threatening action that would act against that asset;
- a preexisting condition (or vulnerability) that enables that threat source to act; and
- some harmful impact that occurs from the threat source exploiting that vulnerability.
With these building blocks, one can compose a broad set of risk scenarios to be analyzed, sorted and treated. Describing the risk as a scenario helps with communicating the risk conditions and analyzing the likelihood and impact of the risk. It also makes it easier to consider how to respond. An example scenario might be, "The manufacturing plant is affected by a power outage resulting from a tropical storm, disrupting plant operations for several days."
Hindsight is not foresight, but past events provide useful insight into what risk events might occur in the future. In particular, it can be helpful to review reports about risks that similar businesses have faced, the conditions that enabled them and how the risks affected those organizations.
In considering various types of risk, it may be helpful to organize them into categories. That categorization enables each type of risk to be considered and tracked by individuals or teams that are familiar with particular topics. For example, the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of professional organizations that provides risk management guidance, has suggested that risk can be organized into the following four areas:
- strategic risk (e.g., reputation, customer relations, technical innovation);
- financial and reporting risk (e.g., market, tax, credit);
- compliance and governance risk (e.g., ethics, regulatory, international trade, privacy); and
- operational risk (e.g., information and technology security and privacy, supply chain, labor issues, natural disasters).
Categories of risks also help to integrate information as managers communicate about, track and adjust risk response. For each risk category, an intentional process for developing the scenarios helps ensure that the list is sufficiently comprehensive. Many tools are available to help visualize and evaluate the scenarios. Examples include the following:
- risk breakdown structures for project risks;
- threat trees for cybersecurity risk (e.g., Carnegie Mellon's OCTAVE Allegro methodology); and
- Delphi exercises for considering investment risk.
The final component of this first step, risk identification, is to record the findings in a risk register. The risk register provides a means of communicating and tracking the various risks throughout the subsequent steps. NISTIR 8286, the base report of the series that includes the 8286A report cited above, provides an example of such a register, and 8286A adds a sample risk detail record template in which to record many of the results of the risk management process steps.
2. Analyze risk likelihood and impact
As noted above, a risk is only a risk if it has impact, so the second step of the risk management process is to analyze how likely it is that a risk will occur and that it will have a measurable impact.
There's a whole science to risk analysis, but essentially this step is a calculation of the probability of a risk event occurring and an estimation of the impact of the consequences if that happened. While there is often an immediate impact, there may be other subsequent consequences, as well, so it is important to consider each of these factors in the calculations. Consider the loss of a laptop containing patient health records -- there will be an immediate property loss, but the loss of that patient information could result in fines, lawsuits and reputational damage that far exceed the cost of the lost device.
Risk analysis should include time factors in the calculation. Financial reporting systems are often considered critical, but during tax preparation their integrity and availability requirements are especially stringent. The frequency of risk events is another time-based factor to consider.
Many organizations use general, or qualitative, terms to express those values. For example, we often use terms such as "high risk" or "low probability" to communicate risk, or perhaps use red-yellow-green color schemes. Organizations may benefit from a more specific, quantitative approach to risk analysis. For example, the Factor Analysis of Information Risk (FAIR) approach, standardized by The Open Group as Open FAIR, can be used to perform detailed risk calculations that are more useful than colors for estimating exposure.
There are dozens of methods to perform both qualitative and quantitative risk analysis, many of which are described in the ISO/IEC (International Electrotechnical Commission) standard 31010, "Risk management -- Risk assessment techniques." That publication points out that the techniques "are used within the risk assessment steps of identifying, analyzing, and evaluating risk as described in ISO 31000, and more generally whenever there is a need to understand uncertainty and its effects."
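The following is an added example, not part of the original article and not code from The Open Group or the FAIR standard, showing what a quantitative approach looks like in practice for the lost-laptop scenario above. Loss event frequency and loss magnitude are each given as a calibrated three-point estimate, the primary loss (the device) and the secondary loss (fines, lawsuits, reputation) are modelled separately, and a Monte Carlo run yields an annualized loss expectancy (ALE) and a 95th-percentile "bad year" that can be mapped back onto a qualitative band. The model is a simplification in the spirit of FAIR rather than the Open FAIR taxonomy, and every dollar figure, frequency and band threshold is a constructed assumption.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular's argument order is (low, high, mode).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class LossScenario:
    name: str
    frequency: Estimate            # loss events per year (the time factor in the calculation)
    primary_loss: Estimate         # direct loss per event, e.g. replacing the device
    secondary_loss: Estimate       # follow-on loss per event: fines, lawsuits, reputation
    secondary_probability: float   # share of events that also trigger the secondary loss


def poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year at expected rate lam (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: LossScenario, years: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo estimate of annual loss: returns ALE, median, 95th percentile and worst year."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, scenario.frequency.sample(rng))):
            total += scenario.primary_loss.sample(rng)
            if rng.random() < scenario.secondary_probability:
                total += scenario.secondary_loss.sample(rng)
        annual.append(total)
    annual.sort()
    return {
        "ale": mean(annual),                      # annualized loss expectancy
        "median": median(annual),
        "p95": annual[int(0.95 * (years - 1))],   # a bad but plausible year
        "worst": annual[-1],
    }


def qualitative_band(ale: float, bands=((10_000, "low"), (250_000, "medium"))) -> str:
    """Map a quantitative result back onto the colour bands leadership is used to (assumed thresholds)."""
    for limit, label in bands:
        if ale < limit:
            return label
    return "high"


# Constructed figures for the lost-laptop example; they are illustrative, not real loss data.
LAPTOP = LossScenario(
    name="Laptop holding patient health records is lost or stolen",
    frequency=Estimate(0.5, 2, 4),
    primary_loss=Estimate(1_500, 2_500, 4_000),
    secondary_loss=Estimate(50_000, 200_000, 1_000_000),
    secondary_probability=0.3,
)
# The same scenario with the follow-on consequences ignored.
LAPTOP_DEVICE_ONLY = LossScenario(
    LAPTOP.name, LAPTOP.frequency, LAPTOP.primary_loss, LAPTOP.secondary_loss, 0.0
)

if __name__ == "__main__":
    for s in (LAPTOP, LAPTOP_DEVICE_ONLY):
        r = simulate(s)
        print(f"secondary loss probability {s.secondary_probability}: "
              f"ALE ${r['ale']:,.0f} ({qualitative_band(r['ale'])}), "
              f"95th percentile ${r['p95']:,.0f}, worst year ${r['worst']:,.0f}")
```

Running the file prints the ALE and 95th percentile for both variants. The device-only figure comes out as a small fraction of the full scenario, which is the point made about the laptop above: the direct property loss is dwarfed by the fines, lawsuits and reputational damage, and a red-yellow-green rating cannot show by how much.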
3. Prioritize based on enterprise objectives
The results of risk analysis enable the risks to be sorted and ranked based on their importance. Since resources are likely to be limited, prioritization helps to highlight those risks that will be most likely and most impactful. Reflecting these results in a risk map helps to visualize the relative importance of each risk and may also be helpful in sharing risk observations with other stakeholders -- particularly those who may be providing (or authorizing) resources to respond to those risks.
While the initial prioritization of risks may be based on the combination of likelihood and impact, the final ranking might be influenced by factors that are important to those stakeholders. For example, if leadership has expressed that customer trust is a key value for the enterprise, then risks that might impact customers could be highlighted.
4. Treat risks in a cost-effective manner
With a prioritized list of risks in place, the next step is to evaluate the options available to treat those risks and apply various methods and controls to achieve an acceptable level of risk. There are several options available to do so, including the following:
- If the risk is already within leadership's risk appetite, it can be accepted and no further treatment is necessary.
- If it is possible to share some of the impact with another entity (e.g., an insurance firm or an external service provider), then some of the risk may be transferred in that manner.
- Where practical, administrative, technical and physical risk controls may be applied to reduce the likelihood or impact of each risk to an acceptable level.
- If none of these responses brings the risk to an acceptable level, the remaining option is to avoid the risk by eliminating the activities or exposures that would enable the scenario.
It is important to be sure that the methods applied are both effective and cost-effective. This approach explains why a bank might use a 20-cent chain to protect an ink pen and a million-dollar vault to protect its cash reserves. The resources required to treat the risk should be commensurate with the assets being protected.
5. Monitor risk management results
Even after each of the above steps, it is important that results be tracked and monitored to ensure that risks remain within the limits established by the organization's leaders. Risk conditions can change rapidly, asset values can fluctuate and stakeholder preferences can change. A critical part of monitoring is ensuring that managers and senior leaders are informed about progress toward risk goals and changes that might have organizational impact. The cycle is similar to the PDSA (Plan-Do-Study-Act) cycle popularized by Dr. W. Edwards Deming, enabling continual improvement of the risk management process. As various teams throughout the organization take actions to identify, analyze and respond to risk, the results inform and refine the next iteration.
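To tie the five steps together, here is an added example in Python (not from the article, ISO 31000 or the NISTIR 8286 series) that implements a small risk register. Each entry carries the four NISTIR 8286A scenario elements, is scored qualitatively on a 1-5 likelihood and severity scale, ranked with a stakeholder weighting for customer-facing risks, treated by choosing accept, mitigate, transfer or avoid against a stated risk appetite and a cost-effectiveness test (a control may not cost more than the asset it protects), and then monitored for drift outside the agreed limit. The scenarios, scores, costs, the 1.5x customer weighting and the rule that transferring a risk halves its severity score are all constructed assumptions for this example.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    cost: float          # one-off cost to implement
    likelihood: int      # likelihood score (1-5) once the control is in place
    severity: int        # severity score (1-5) once the control is in place

@dataclass
class RiskScenario:
    """One register entry built from the four NISTIR 8286A scenario elements."""
    id: str
    category: str            # COSO-style grouping: strategic, financial, compliance, operational
    asset: str               # the valued asset or resource that would be impacted
    threat_source: str       # what would act against it
    vulnerability: str       # the pre-existing condition that lets the threat act
    impact: str              # the harm that results
    asset_value: float       # upper bound on what it is sensible to spend protecting it
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    severity: int            # 1 (negligible) .. 5 (catastrophic)
    affects_customers: bool = False
    transferable: bool = False
    controls: list = field(default_factory=list)
    response: str = "untreated"
    residual: int = 0

    def inherent(self) -> int:
        return self.likelihood * self.severity

def priority(r: RiskScenario, customer_weight: float = 1.5) -> float:
    """Step 3: likelihood x impact, weighted up where leadership says customer trust matters."""
    return r.inherent() * (customer_weight if r.affects_customers else 1.0)

def rank(register: list, customer_weight: float = 1.5) -> list:
    return sorted(register, key=lambda r: (-priority(r, customer_weight), r.id))

def treat(r: RiskScenario, appetite: int) -> RiskScenario:
    """Step 4: accept, mitigate, transfer or avoid, trying the cheapest option first."""
    if r.inherent() <= appetite:
        r.response, r.residual = "accept", r.inherent()
        return r
    # A control counts only if it brings the score within appetite and does not
    # cost more than the asset it protects (the 20-cent chain versus the vault).
    effective = [c for c in r.controls
                 if c.cost <= r.asset_value and c.likelihood * c.severity <= appetite]
    if effective:
        best = min(effective, key=lambda c: c.cost)
        r.response, r.residual = f"mitigate: {best.name}", best.likelihood * best.severity
        return r
    if r.transferable:
        # Assumption for this example: sharing the loss halves the severity score (rounded up).
        r.response, r.residual = "transfer", r.likelihood * math.ceil(r.severity / 2)
        return r
    r.response, r.residual = "avoid", 0
    return r

def current_score(r: RiskScenario) -> int:
    if r.response == "avoid":
        return 0
    if r.response == "accept":
        return r.inherent()   # re-evaluated from the latest likelihood and severity
    return r.residual

def monitor(register: list, appetite: int) -> list:
    """Step 5: flag entries whose score has drifted beyond the agreed limit."""
    return [r.id for r in register if current_score(r) > appetite]

def build_register() -> list:
    """Constructed sample register; the scenarios, values and scores are illustrative only."""
    return [
        RiskScenario("R1", "operational", "manufacturing execution system", "ransomware crew",
                     "unpatched remote access service", "production halted for days", 2_000_000, 4, 5,
                     controls=[Control("offline backups and tested restore", 50_000, 4, 2)]),
        RiskScenario("R2", "compliance", "patient health records on laptops", "opportunistic thief",
                     "unencrypted disks", "fines, lawsuits and reputational damage", 100_000, 3, 4,
                     affects_customers=True, controls=[Control("full-disk encryption", 5_000, 3, 1)]),
        RiskScenario("R3", "operational", "manufacturing plant", "tropical storm",
                     "single grid feed, no generator", "plant operations disrupted for days", 500_000, 2, 4),
        RiskScenario("R4", "financial", "receivables from largest customer", "customer insolvency",
                     "revenue concentration", "uncollectable invoices", 300_000, 3, 4, transferable=True,
                     controls=[Control("demand prepayment", 500_000, 1, 4)]),
        RiskScenario("R5", "compliance", "new product line", "sanctions regulator",
                     "launch planned in an embargoed market", "penalties and loss of export licence",
                     250_000, 4, 5),
    ]

if __name__ == "__main__":
    appetite = 9
    register = build_register()
    for r in rank(register):            # steps 1-3 are done; treat in priority order
        treat(r, appetite)
        print(f"{r.id} {r.category:<12} inherent={r.inherent():>2} priority={priority(r):>4}"
              f" -> {r.response} (residual {r.residual})")
    print("outside appetite:", monitor(register, appetite))
```

Two details are worth noting. R4's only control fails the cost-effectiveness test (it costs more than the receivable it protects), so the risk is transferred rather than mitigated; and because accepted risks are re-scored from their current likelihood, raising R3's likelihood when a storm season forecast arrives is enough for monitor() to flag it, which is the kind of change the monitoring step exists to catch.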
Through application of these steps, in the context of a broader framework of governance and management, organizations can consistently identify those risks that are likely to have a harmful impact, then prioritize cost-effective treatment and monitor the results to maintain continual improvement.