What is Risk Management?
Risk management is an important task for all organisations to carry out in order to operate a healthy and safe environment. Depending on the industry your organisation is operating in, there will be many different risks involved that need to be investigated, controlled and managed.
5 Steps for Risk Management
- Identify the Risk
This first step relates to figuring out anything in your organisation that may create health and safety risks within the workplace. You and your team need to ask ‘what could possibly go wrong?’. When identifying risks, it is important not to think only about what is internal to your organisation. You have to adopt a wider view so that aspects such as the physical environment and other stakeholders are taken into consideration. As the risk environment is continuously changing, this step should be revisited regularly. A good way to get started on identifying all risks could be to ask existing employees about risks they have come across while working for this organisation, or for other organisations, that could have similar implications. It is during the identify stage that you and your team should start to create the project risk register. A project risk register serves as a reference point for the last time you identified risks. This will mean you can see if any risks have been mitigated since the last time you did this activity.
- Analyse the Risk
Once the risk has been identified and placed into the correct classification, it is time to analyse the risk. This will involve figuring out how likely it is that these risks may occur. This step will require your team to determine the probability of each risk, which will help in identifying where to place most of your efforts. Some organisations find it helpful to use a heat map during this step, which will identify which risks may be likely and have severe impacts.
- Evaluate or Rank the Risk
Evaluating or ranking the risk will involve determining how much harm each risk may cause the organisation and its employees. The image below outlines the harm that could come from risks, and is categorised into 3 main classifications. These may vary across industries and organisations, but can be categorised into the same sub-topics – acute, chronic or catastrophic.
Once you have evaluated the harm that may come from each risk, this needs to be looked at in relation to how likely the risk is to occur. The combination of these two factors will help in ranking how serious the risk may be. The more serious the risk, the higher its ranking, which means it needs to be treated quickly.
- Treat the Risk
The way risks are treated will depend on the type of risk they are to the organisation. If something is deemed to be catastrophic, but highly unlikely, the organisation may choose to put together a plan for what to do if this occurs, but not put too much time into this. If a risk is deemed to be chronic and relatively likely, the organisation may need to treat this with urgency and in an effective manner. This may involve coming up with a list of potential solutions to mitigate the risk, then deciding which will be most efficient and cost-effective. Treating the risk may involve finding resources or employees that are going to make this step run as smoothly as possible. A formal process often needs to be followed when treating the risk, and it is important this is documented in the project risk register, so that other employees can see it has been treated.
- Monitor and Review the Risk
The final step of risk management is to monitor and review the risk. You cannot implement risk management steps and then simply forget about the risk. If the risk has been treated, this will involve checking that the implemented solution to mitigate the risk is still working and is within the organisation's capabilities. If the risk has not been treated, this may involve checking to see that the likelihood or severity of this risk has not changed, to ensure it can stay untreated for the time being. Because risks need to be monitored and reviewed, it is important to record any changes made in a project risk register.
Having the records written and saved means that any employee can see that the risks have been identified, and may now understand why they do not need to be treated. For risks that were not likely and of low severity, the recording of these can be simple and may just include you writing that you have acknowledged the risk, and why no further action needs to be taken.
This will also be an easy way to prove to auditors that you are managing your organisation's risks, meaning you can spend your time on more important activities in the future.