From economic instability to pandemics, it may feel impossible to predict the next big risk to your enterprise — but if you know how to make a risk management plan, you don’t need to be at the mercy of uncertainty. Developing a risk plan will enable you to get ahead of problems, vulnerabilities, gaps, and compliance issues, and to target your project’s specific weaknesses, capitalize on your strengths, take advantage of opportunities, and offset threats. While the science of risk analysis and risk management can be complex, and your enterprise’s context is important for determining the scope and specifics of your risk management plan, there are a few universal standards that you can adapt to match your needs.
Controlling your risks will free you to innovate. Read on to learn concrete steps you can take to build a risk management plan, how to manage risk in general, and how to identify, evaluate, control, and mitigate potential risks to your enterprise or project.
What Is Risk Management?
The idea that we could understand and manage risk in order to build more successful structures and organizations isn’t new — scholars have traced risk management theory back to ancient Athens. However, the contemporary science of risk management arose after WWII, which disrupted and changed peoples’ lives on a global scale and left industries considering what they could do differently to predict large scale change and loss. Post-war, risk management practices became more systematic, to address technical risk to engineering projects and personal risk and loss-control in insurance practices. These practices slowly grew into a robust science and field of study in its own right. In the 70s and 80s, risk management became a staple subfield of corporate finance and business.
Since the 1950s, risk management has evolved a robust set of strategies that help identify, assess, and mitigate threats to an organization’s existence, earnings, and value. Certain risk categories have garnered their own specific risk management approaches, including enterprise risk management (ERM), compliance risk management, strategic risk management, operational risk management (ORM), and IT risk management.New industries, products, and world events are constantly changing the risk landscape, and the field of risk management follows suit. More recently, risk management methods have evolved to address sustainability, climate change, politics, and AI. You might not imagine, for example, that someone designing or reconfiguring an airport might need to specifically consider rising sea levels, but a group of scholars from Newcastle University discovered that even a small rise in sea level could flood and disrupt operations for 100 global airports by the year 2100!
Why Is Risk Management Important?
Risk managers are keenly attuned to the double-sided coin of threat and opportunity — these two pillars of strategic planning go hand-in-hand. Risk management is crucial to project management and enterprise building — the same risks that can deliver great entrepreneurial benefits also bring inherent uncertainty. Risk management offers tools for auditors to help organizations avoid risks for fraud, liability, environmental hazard and natural disaster, noncompliance fines for SOX or HIPAA, and more.
Every year the World Economic Forum (WEF), releases a report assessing new risks to the global economy — most of these risks are large-scale, systemic, and very hard to control. But, ultimately, while the COVID-19 pandemic, economic instability, or new avenues for cybertheft and data breaches may seem out of our control, risk management makes uncertainty, threat, well… manageable. Your organization likely can’t control the global spread of COVID, but it can conduct a pandemic risk assessment and take steps to reduce the spread internally, like enabling remote work, enhancing air filtration and flow, and staggering employee schedules. We can apply the principles of risk management to anticipate worst-case scenarios, plan for them, and help to ensure that our business, enterprise, or project survives.
What Should Be Included in a Risk Management Plan?
The principles and components of a risk management plan have to be adaptable to different industries, organizational structures, and contexts. But there are standards — the International Organization for Standardization, an NGO responsible for creating standards adopted across industries worldwide, has outlined these components in their manual ISO 31000, and risk managers across contexts refer to this manual as a gold standard. Any risk management plan should identify, define, and document all possible knowable risks, including an assessment of the likelihood, impact, and consequences to those risks. It should break down the risks into categories, assign risks to specific owners, and consolidate data that shows that risk mitigation efforts will be worthwhile.
What Are The Components of a Risk Management Plan?
Most risk management plans include five core components that can be adapted to different industries and risk environments, including risk definitions, a map of assumptions and biases, a risk assessment matrix, an estimate of costs and schedules, and a risk register. Read on to learn more about each component:
When you develop a risk plan, first create a set of clear definitions for the potential risks that your project or enterprise faces. In defining each risk, consider the following criteria:
- Are the risks internal or external to your organization? Internal risks may include not meeting deadlines or record-keeping errors; external threats may be changes to federal guidelines on compliance.
- Can they be controlled or are they uncontrollable? An organization can control for most risks in some capacity, but cannot control risks like natural disaster or pandemic.
- What risk categories are most likely to impact your work? For example, one organization’s risks may be predominantly strategic or market-oriented, while another organization’s risks may be predominantly physical or safety-oriented.
- Is the risk you are defining inherent or residual? If you are in a mature risk-environment, for instance, you might have already put controls into place to deal with one risk and another risk has arisen as a result. All of this goes into developing clear definitions for each risk.
2. Assumption and Bias Analysis
The most challenging risks to identify are those that surprise us because we thought we knew something we didn’t. Or, we get so excited about a new project or opportunity that we have unwittingly created blinders. A 2019 Harvard Business Review article examined this phenomenon in organizations that want to be cutting-edge with projects incorporating AI and machine learning, put a ton of time and effort into the technical aspects of their project, and then run into major roadblocks when it comes to governance, privacy, and accountability.
A risk management plan also takes human factors into consideration, and any user researcher or organizational psychologist can tell you that we human beings are not great at predicting our own behaviors. We may not be able to catch all of our assumptions, but we can take simple steps to confront our biases and make our risks visible to us. Transparent communication between stakeholders will help this process — open lines of communication and make sure you are talking to each other! Conducting interviews, brainstorm sessions, and think-aloud protocol can expose hidden costs, losses, and pain points.
When you chart how to make a risk management plan for your project, don’t forget to check in with stakeholders from other parts of your organization, like your legal team or accounting, to help prevent lost time, lost effort, and liability.
3. Risk Assessment Matrix
Also called a probability-impact matrix, this is a chart that helps you keep track of the relationship between how probable the risk is in relation to the severity of its impact. As shown in the example below, when you assess your risks, your team will determine where on a scale of probability each risk lies. Typically, probability is assigned on a scale of likelihood, from unlikely to likely, or low to high. Impact of the risk is assigned on a scale of severity, from minimal to catastrophic.
4. Cost Estimates and Schedule
Preventing and mitigating risk is likely going to cost both money and time; figure out how much you are willing to pay, based on your assessment of the severity, likelihood, and impact of each risk. In this section, you’ll also consider the frequency of risks to map a schedule of when you are most likely to encounter the risk and how it fits into your project timelines and fiscal schedule If you are encountering risks that are high impact, high likelihood, and high frequency, these are likely also going to be a higher cost to your organization.
5. Risk Register
A risk register is simply a table or log that integrates your risk assessment matrix with additional information related to each risk — it includes the severity, probability, frequency, and impact of each risk; the risk owner; the type of response necessary; and a place to record updates and the results of periodic internal audits.
How Do You Create a Risk Management Plan to Help Mitigate Risks? (Step-By-Step Process)
An effective risk management plan is well structured, systematic and helps you to mitigate risks. Read on to learn seven core steps you can take to create a risk management plan that you can adapt to any project or enterprise:
Step 1. Identify Risks and Root Causes
Take stock of the risks your organization may face by brainstorming with stakeholders; each stakeholders should consider risks related to their role. This is where you’ll want to define your risks, examine your assumptions, open lines of communication between stakeholders, and lay all possible risk-related data on the table, so that you can uncover the hidden risks to your work.
Step 2. Measure Risks
Risk outcomes can generally be measured in dollars, but the method of measurement will also depend on the context; measuring the potential risks of an earthquake to a structure will differ from measuring the risk of employee fraud, for example. Measuring costs and consequences to each risk can help you determine how comfortable you are taking certain risks and what your risk thresholds are.
Step 3. Assess Risks
Once you have identified and measured your risks, you’ll draft a risk assessment plan, which includes your risk matrix, qualitative and quantitative analyses of all data related to each risk, an overview of the loss controls which address or mitigate these risks, and evidence supporting your plan for designing and implementing each control.
Step 4. Designate Risk Owners
Based on the risk assessment, each risk should be assigned a risk owner who is responsible for keeping track of and responding to that particular risk. Risk should be assigned based on the owner’s role in the organization or project. Record which risk belongs to which owner in your risk register.
Step 5. Implement Controls and Preventive Measures
The first step in mitigating risk is identifying any preemptive or preventive measures you might take to reduce or eliminate risk. Implementing controls will help you get ahead of inherent risks and minimize residual risks. Controls include eliminating the source of the risk, deciding to alter or halt an operation to avoid the risk, and distributing the risk across multiple parties or organizations. You might also consider if it is possible to minimize the impact, likelihood, or frequency of a risk event. Your organization may also choose to accept, or even escalate, the risk to take advantage of an opportunity.
Step 6. Plan Your Risk Response
As part of your risk assessment matrix, create a contingency plan that provides detail about the steps that risk owners will take to address or respond to their assigned risk(s). What actions will they take? What documentation is required for them to take these actions? When creating a risk management plan and contingency plan, include the structure for this response and template documentation ahead of time, so that it is ready to roll as soon as a risk manifests in the real world.
Step 7. Create a Schedule for Periodic Audits
An effective risk management plan includes a schedule for regular audits to identify, assess, and mitigate new threats and risks, adapting the plan as the company’s needs, scope, and scale evolve. An internal audit schedule will help you keep on top of the both internal and external fluctuations, continually improve your operations, avoid liability, and make sure you are pursuing the right opportunities.
Best Practices for Maintaining A Risk Management Plan
Some best practices for maintaining an effective risk management plan include the following:
- Don’t forget to include the opportunities — use your risk management plan to track opportunities, not just threats.
- Keep track of audits with the right software to reduce your administrative load and make sure that risk plans are easily accessible by risk owners.
- Integrate your risk management plan with a robust audit and compliance platform to fortify your controls.
- Schedule regular sync meetings between risk owners, where each presents updates and shares new threats and opportunities.
- Make the risk management plan accessible and transparent to core stakeholders — if team members know where to find the right information, they’ll be free to develop innovative tools and understand potential limitations.
- When creating a risk management plan, remember that risk contexts evolve — a good risk management plan is iterative, responsive, and agile.
Get Your Risk Management Plan Started
Risk landscapes can change on a dime and a project or enterprise can encounter a new risk any time it branches into new territory or releases a new project. As you consider how to make a risk management plan that is right for your project, it is worth your time to invest in risk management software to help you keep track of your data and integrate response documents and action-plans. AuditBoard’s risk management software is a robust tool for risk management designed for all stages of the risk management journey, whether your organization is just starting to navigate risks or is already part of a mature risk environment. Get started with RiskOversight today!