Risk management involves a continuous, seven-step cycle:
1 – IDENTIFY risks faced by the organization – both opportunities (positive risks) and threats
(negative risks).
2 – Some risks are avoidable if you simply don't engage in an activity. AVOID projects and actions
that would trigger risks you don't want to face.
3 – Some risks are opportunities. DEVELOP opportunities that may be of strategic value.
Those three steps identify threats and opportunities, rule out some actions as just too risky,
and position new initiatives for testing. But what do we do with those threats we can't avoid, as well
as the potential negatives that may result from new initiatives? That's addressed in the next three
steps:
4 – REDUCE threats posed by ongoing operations and strategic initiatives by identifying and
implementing specific mitigation efforts.
5 – SHIFT threats that cannot be mitigated, using insurance, contracts, joint ventures, etc.
6 – ACCEPT the remaining risks, having taken the reasonable steps outlined above.
time:
Finally, risk management is not a one-and-done activity. Instead, it builds and improves over
7 – IMPROVE your risk management over time by making Steps 1 through 6 an ongoing process
and regular part of your operations.
How do you begin using risk management to increase clarity, build resilience, and unlock
value? Here is a checklist for implementation. Keep in mind that any risk management process
should be implemented gradually, over time.
1. We have performed a formal assessment (risk inventory) of the financial, operational, and
contextual threats and opportunities faced by the organization, involving multiple points of view
(including line personnel) to avoid bias, silos, and groupthink.
Yes
No
2. We record risks (threats and opportunities) in a consolidated document (risk register) that
avoids operational silos.
Yes
No
3. We meet periodically to review, add, discuss, update, and assign responsibility for items on
our risk register.
Yes
No
4. We use a method of recording adverse events that occur (incident log).
Yes
No
5. We use a complaint log to record customer/client complaints, employee response, and any
additional follow-up (complaint process).
Yes
No
6. We have a suggestion box or other means by which employees and customers can suggest
possibilities for improvement.
Yes
No
7. We have energized employees to look for issues that may affect the organization – both
threats and opportunities.
Yes
No
8. We monitor key performance indicators (KPI) for each of the organization’s core processes.
Yes
No
9. We have identified the amount of variance from KPI that trigger escalation and response.
Yes
No
10. In addition to variances from KPI, we have identified any additional specific circumstances
(such as key economic indicators, customer/client complaints, employee mishaps) that require
escalation, response, or evaluation.
Yes
No
11. We have identified the best resources for tracking industry developments.
Yes
No
12. We have assigned specific responsible personnel to track and report on industry
developments.
Yes
No
13. We actively reach out to peer organizations and associations to track industry developments.
Yes
No
14. We focus on building a strong network of resources beyond our peer group in order to draw
upon expertise outside of our core competencies and comfort zones.
Yes
No
15. We seek periodic input from trusted advisors.
Yes
No
1. We have a sound idea of what constitutes unlawful conduct in the way we run our
organization.
Yes
No
2. We have also developed criteria for determining prohibited behaviors that, although lawful,
would pose unreasonable threats to the organization.
Yes
No
3. We have clearly conveyed prohibited behaviors to all employees.
Yes
No
4. We have clearly conveyed the consequences of prohibited behaviors to all employees.
Yes
No
1. We have created a formal structure (committee, task force, or standard agenda item in
periodic meetings) to generate and evaluate new opportunities for strategic and operational gain.
Yes
No
2. We assign specific “owners” to each initiative deemed worthy of exploration, to ensure
follow through and accountability.
Yes
No
3. We conduct periodic reviews to ensure that the organization is generating potential new
initiatives and following through on initiatives that are worthy of exploration.
Yes
No
4. We use pilot programs with testable objectives to design and implement new initiatives.
Yes
No
1. We have identified specific efforts to mitigate each risk identified in our risk register.
Yes
No
2. We have identified a specific person responsible for implementation of each mitigation
effort.
Yes
No
3. We meet periodically to review the effects of mitigation efforts and modify efforts through
continuous process improvement.
Yes
No
1. We have reviewed contracts with vendors and customers/clients to clarify who bears
specific risks in the relationship.
Yes
No
2. We have explored and followed through on opportunities for partnerships and joint
ventures with other parties in order to reduce risk to the organization.
Yes
No
3. We are aware of the different forms of insurance available, how insurance works, and
whether the organization should purchase additional insurance coverage.
Yes
No
4. We conduct periodic reviews of insurance coverage by different potential outside vendors
over time to ensure adequate insurance coverage for insurable risks.
Yes
No
The last steps of the risk management cycle are both an end and a new beginning. Your
organization accepts what risk is left over after the other risk management steps, but always seeks
to improve. Not all at once, but in small steps, over time.
Risk Alternatives can help implement each of these checklist items. We can work with you to
implement gradually, in a way that adds value from day one. Call Risk Alternatives at (703) 6525659 or send an email to [email protected] to schedule a free strategy session.