Risk management concepts
Both Likelihood and Impact can be measured qualitatively on a scale of Low-Medium-High, or on a numeric scale from 1 (Very Low) to 5 (Very High), or, in some situations, they can be quantified from an actual calculation of, for instance, the expected frequency of occurrence in a year and the (financial or other) impact on the organization if the risk occurs.
For example, if you want to calculate the risk of an earthquake disrupting your organization’s operations and you are in an area with little probability of an earthquake occurring, you can set the Likelihood to 1 (on a scale of 1-5, where 1 is very low), but the Impact, if the earthquake occurs anyway, could be set to 5 (again on a scale of 1-5, where 5 is very high). The Risk Level would then be calculated as Likelihood x Impact = 1 x 5 = 5. In a 5x5 grid of Likelihood x Impact, the maximum Risk Level would be 25 and the minimum would be 1. You can see that a Risk Level of 5 would still be very low.
Likelihood \ Impact (L x I) | 1 | 2 | 3 | 4 | 5
1 | 1 | 2 | 3 | 4 | 5
2 | 2 | 4 | 6 | 8 | 10
3 | 3 | 6 | 9 | 12 | 15
4 | 4 | 8 | 12 | 16 | 20
5 | 5 | 10 | 15 | 20 | 25
Table X. Likelihood and Impact calculation grid
Likelihood x Impact (1-25) | Risk Level
20-25 | Very High
15-16 | High
10-12 | Medium
5-9 | Low
1-4 | Very Low
Table X. Risk Levels
Risk management practice
The practice of risk management consists mostly of carrying out the risk assessment described in the section above. A number of processes and artefacts need to be in place to support it, though.
First of all, make sure there is a way to document risks: the Risk Register. This can be a spreadsheet that is accessible to the relevant staff who deal with risk management. In a more advanced environment a spreadsheet may not be sufficient and a database will be more effective. In any case, make sure that there is an easy way to enter risk information into the risk register. A risk register should contain at least the following fields:
- A risk identifier (serial number of the entry)
- Date of entering the new risk
- A description of the risk
- The Likelihood of the risk (1-5)
- The Impact of the risk (1-5)
- The (calculated) risk level (Likelihood x Impact, 1-25)
- The resulting risk level (Very Low, Low, Medium, High, Very High)
- The decision on how to deal with the risk (Treat, Accept, Transfer)
- Any action taken to treat the risk (the control)
- If transferred, the person or team who accepted the transfer of the risk to them
- If treated, the residual risk (Likelihood x Impact after the control has been implemented)
- Status of the entry (New, Pending, Closed, Monitoring)
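As an added example (not part of the original text), the Likelihood x Impact grid and the Risk Levels table from the previous section, together with the register fields just listed, in Python; the earthquake entry, its control and its date are constructed values:

```python
from dataclasses import dataclass
from typing import Optional

# Bands from the Risk Levels table. Only products of two integers 1-5 occur
# on the grid, so scores such as 7, 11, 13-14 or 17-19 can never arise.
RISK_BANDS = [(20, 25, "Very High"), (15, 16, "High"), (10, 12, "Medium"),
              (5, 9, "Low"), (1, 4, "Very Low")]

def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact on the 1-5 scales; rejects values off the grid."""
    for name, v in (("likelihood", likelihood), ("impact", impact)):
        if not (isinstance(v, int) and 1 <= v <= 5):
            raise ValueError(f"{name} must be an integer 1-5, got {v!r}")
    return likelihood * impact

def risk_level(score: int) -> str:
    """Map a 1-25 score to the qualitative level from the Risk Levels table."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"{score} is not a product of two values on the 1-5 grid")

@dataclass
class RiskEntry:
    """One risk register row, with the fields listed above."""
    risk_id: int
    date_entered: str
    description: str
    likelihood: int
    impact: int
    decision: str = "Treat"             # Treat, Accept or Transfer
    control: Optional[str] = None       # action taken to treat the risk
    transferred_to: Optional[str] = None
    residual: Optional[tuple] = None    # (likelihood, impact) after the control
    status: str = "New"                 # New, Pending, Closed, Monitoring

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def level(self) -> str:
        return risk_level(self.score())

    def residual_level(self) -> Optional[str]:
        # Level after treatment, or None if no residual assessment was recorded
        return None if self.residual is None else risk_level(risk_score(*self.residual))

# Constructed example: the earthquake risk from the text, treated with a
# hypothetical off-site DR arrangement that lowers impact but not likelihood.
quake = RiskEntry(1, "2024-01-15", "Earthquake disrupts operations", 1, 5,
                  control="Off-site DR site", residual=(1, 2), status="Monitoring")
```

The validation in risk_score matters in practice: a register that accepts a 0 or a 6 silently produces scores that fall outside every band.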
With a risk register in place, there should be regular risk management meetings taking place at every level of the organization. The frequency of these meetings can vary based on the nature of the organization and on the level of the organization performing the risk management activities. Some organizations only do an annual risk assessment and take action based on this. Other organizations hold quarterly or even monthly risk management meetings. However frequently you do it, it is important that all staff are aware that they can flag risks and have a way to communicate them to their management. This awareness is known as risk-based thinking: in everything an organization does, it needs to be aware of the risk that comes with making certain decisions or taking certain actions. This makes sure that everyone in the organization, no matter their level in it, can participate in the risk management activities.
In the (monthly, quarterly, or annual) risk management meetings, entries in the risk register are added or updated, based on new risks that have been flagged or based on actions that have been taken to deal with existing risks. These meetings should have the involvement of all relevant stakeholders – these stakeholders may be outside the direct team or part of the organization that is discussing the risks. Especially in the case of transferred risks, the owner of those risks should be able to provide an update on what they did with it.
There should also be a mechanism to escalate risks. If a team discovers a risk that really needs the attention of higher management levels, they should be able to bring that risk to their attention and make sure the higher management level deals with it. This can occur, for instance, when a risk impacts not only the team that identified it but multiple teams that fall under the responsibility of a higher manager. Another situation may be that the team simply does not have the resources to deal with the risk and needs help to treat it. In that case they should escalate the risk to a higher management level and ask for support in handling it.