Risk management is a process to identify, assess, manage, and control potential events or situations, and to provide reasonable assurance regarding the achievement of the organisation’s objectives. Risk is an uncertain event or set of events which could have an effect on the achievement of objectives.
1. Risk identification
Risk identification is the process of discovering, recognising and documenting the risks an organisation faces. It establishes an inventory of the risks present in the organisation. A risk inventory can be built through interviews or specially organised risk sessions. Existing risk data is updated regularly to include new risks.
2. Risk assessment
Once the risks have been identified, they must be assessed for the potential severity of their impact (usually a negative impact, such as damage or loss) and for their probability of occurrence. Risk assessment is a process to evaluate each risk and its potential effect, with a focus on the critical functions of the organisation. The outcome of the risk analysis is therefore a risk value or, at the very least, a ranking of the risks. A risk heat map is a useful tool for seeing all the identified risks at a glance.
The risk appetite, i.e. the level of risk an organisation is willing to take, is indicated in the risk heat map. This indicates the level from which control measures must be taken.
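A small risk register that turns the assessment step into numbers, as an added example that is not part of the original text. It assumes (my choice, not the page's) a 1 to 5 ordinal scale for both likelihood and impact, a risk value computed as likelihood multiplied by impact, and a risk appetite expressed as the highest risk value the organisation tolerates without additional controls. The register entries are constructed sample data.

```python
"""Risk register scoring, ranking and heat map (added example, not from the page).

Assumed conventions (not stated in the original text):
  - likelihood and impact are scored on a 1..5 ordinal scale
  - risk value = likelihood * impact
  - risk appetite is a numeric threshold; values above it need a response
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1..5 scale for both axes


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def value(self) -> int:
        """Risk value; rejects scores outside the assumed scale."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: scores must lie in 1..5")
        return self.likelihood * self.impact


def rank_risks(risks):
    """Risks sorted from highest to lowest value (stable sort keeps input order on ties)."""
    return sorted(risks, key=lambda r: r.value(), reverse=True)


def exceeds_appetite(risks, appetite):
    """Risks whose value is above the appetite threshold: these require a risk response."""
    return [r for r in risks if r.value() > appetite]


def heat_map(risks):
    """5x5 grid keyed by (likelihood, impact); each cell lists the risks plotted there."""
    grid = {(lk, im): [] for lk in SCALE for im in SCALE}
    for r in risks:
        r.value()  # validates the scores before plotting
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


def render_heat_map(risks, appetite):
    """Text rendering: rows are impact (high to low), columns are likelihood (low to high).
    Each cell shows a marker (! above appetite, . within appetite) and the risk count."""
    grid = heat_map(risks)
    lines = []
    for impact in reversed(SCALE):
        cells = []
        for likelihood in SCALE:
            marker = "!" if likelihood * impact > appetite else "."
            cells.append(f"{marker}{len(grid[(likelihood, impact)])}")
        lines.append(f"impact {impact} | " + " ".join(cells))
    lines.append("         +-" + "-" * 14)
    lines.append("           likelihood 1 .. 5   (! = above risk appetite)")
    return "\n".join(lines)


# Constructed sample register for illustration only
REGISTER = [
    Risk("ransomware on file servers", likelihood=4, impact=5),
    Risk("phishing of finance staff", likelihood=5, impact=3),
    Risk("laptop theft", likelihood=3, impact=2),
    Risk("data-centre fire", likelihood=1, impact=5),
    Risk("printer outage", likelihood=2, impact=1),
]
APPETITE = 8  # assumed threshold: risk values of 8 or below are tolerated

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.value():2d}  {r.name}")
    print()
    print(render_heat_map(REGISTER, APPETITE))
    print()
    print("need a response:", [r.name for r in exceeds_appetite(REGISTER, APPETITE)])
```

Running the module prints the ranked register, the heat map with the appetite boundary marked, and the two sample risks that sit above the threshold and therefore move on to the risk response phase. The multiplicative scoring is only one convention; an organisation that uses a different matrix can replace `value()` without touching the ranking or heat map code.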
3. Risk response
The risk response phase of risk management focuses on the decisions made about the correct way to respond to each risk, and implies taking risk mitigation measures, which are usually selected from the following four risk options (the 4Ts):
- Terminate by not carrying out a certain activity (a new service is not offered in order to avoid the associated risk);
- Treat by reducing the likelihood of occurrence or limiting the impact (e.g. the risk of cyber-attack can be reduced by introducing anti-intrusion systems and the consequences can be limited by continuous monitoring with quick intervention);
- Transfer to a third party (e.g. by an insurance policy);
- Tolerate the risk through a deliberate and well-reasoned decision to accept the risk and therefore the possible consequences. Usually smaller risks are accepted in order to avoid investing time and resources.
Preventive, detective and corrective control measures can be formulated for each risk.
- Preventive measures aim to reduce the likelihood of occurrence or to eliminate the cause (fire prevention measures);
- Detective measures limit the consequences of any occurrence of the risk (fire detection does not remove the cause of a fire, but reduces the impact of the fire by activating a fire extinguishing system).
- Corrective measures can be:
- repair activities reducing the impact;
- alternative measures through which the activities are performed in a different way;
- temporary measures that can limit further damage.
4. Monitoring and reporting
The identified risks and agreed management measures must be monitored and reviewed in an advisory body:
- monitoring the progress of the control measures;
- measuring the effect of the control measures;
- adjusting the control measures if necessary;
- re-evaluating the existing risks whenever circumstances change;
- assessing whether the identified risks are still current.