Risk Management

Combining threats, risks, vulnerabilities to prioritise your risks.

In Threats, Risk and Co, we established some of the basic concepts around risks. Now it’s time to dig a bit deeper into managing that risk.

Introduction To Risk Management

Managing risk is an ongoing process. Here, we’ll look at the basic steps and the expected outcome for each.

  1. Establish the context

    Define what we're trying to achieve. Are we looking at the whole organisation or just some critical business functions? Are we looking at third-party providers? What is our risk appetite? All these questions are essential to frame the following parts of this work.

    Outcome:

    • Risk Management Context

  2. Identify Inherent Risks

    Identify potential risks that could affect your organisation, regardless of the controls you have in place. These risks are called inherent risks. Starting here helps break down the process by not immediately going into the details of the controls or the existing vulnerabilities in systems and processes.

    Outcome:

    • Threat register

    • Risk Register (partial, inherent risks listed only)

  3. Assess Risks

    Evaluate the likelihood and impact of each identified inherent risk. Consider the potential consequences on various aspects, such as finances, operations, reputation, and safety. This step will help prioritise risks based on their severity.

    Outcome:

    • Updated Risk Register (updated with inherent risks evaluated)

  4. Prioritise Risks

    Prioritise the identified risks based on their potential impact and likelihood. This lets you focus on addressing the most critical risks first and allocate resources accordingly.

    Outcome:

    • Control Evaluation Plan

  5. Evaluate Existing Controls

    Evaluate the existing controls to understand better what is in place and how well it works.

    Outcome:

    • Control Assessment report

  6. Reprioritise the Risk Register

    Update Inherent Risks to their actual values based on how well (or poorly) the existing controls work. We can readjust our risks to picture our current risk posture accurately.

    Outcome:

    • Updated Risk Register (updated with current risk values)

  7. Develop Risk Mitigation Strategies

    Develop strategies to mitigate or manage the identified risks. This may involve implementing additional controls, transferring risks through insurance, or accepting certain risks that are within acceptable limits.

    Outcome:

    • Risk Treatment Plan

    • Updated Risk Register (updated with links to RTP)

  8. Implement or Improve Controls

    Put the identified risk mitigation strategies into action as per the Risk Treatment Plan. Ensure that the controls are effectively implemented and integrated into existing processes, systems, and procedures.

    Outcome:

    • Updated Risk Treatment Plan

    • Updated Risk Register (both updated as we progress)

  9. Communicate and Train

    Effective communication and employee training are essential for risk management. Ensure that employees know and understand the identified risks, the implemented controls, and their role in managing risks.

    Outcome:

    • Awareness Plan

  10. Monitor and Review

    Regularly monitor and review the effectiveness of the implemented controls. This includes assessing whether the controls are functioning as intended, identifying any emerging risks, and making necessary adjustments to the risk management approach.

    Outcome:

    • Updated Risk Treatment Plan

    • Updated Risk Register (both updated as we progress)

  11. Repeat

    Risk assessment is an ongoing process. Regularly review and update your risk assessment to account for changes in the business environment, emerging risks, and lessons learned from incidents or near misses.
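To make steps 2 to 7 concrete, here is an added worked example of a small risk register, written for this page and not taken from the original article. It scores each inherent risk as likelihood times impact, applies the effectiveness findings from the control evaluation to obtain residual (current) values, reprioritises the register, and lists the risks that still exceed the risk appetite and therefore need a treatment plan. The 1-5 scales, the multiplicative scoring, the appetite threshold of 8, the control reduction factors and the three sample risks are all assumptions constructed for illustration; the article prescribes no particular scoring scheme.

```python
"""Toy risk register for the inherent -> assess -> prioritise -> evaluate
controls -> reprioritise cycle. Scales, thresholds, scoring formula and sample
risks are assumptions constructed for this example, not from the article."""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1-5 likelihood and impact scales (step 1 context)
RISK_APPETITE = 8             # assumed appetite: residual scores above this need treatment


@dataclass
class Control:
    name: str
    # Fraction (0..1) of likelihood / impact the control is judged to remove,
    # as recorded in the Control Assessment report (step 5). Assumed convention.
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Risk:
    risk_id: str
    threat: str                        # entry in the threat register (step 2)
    asset: str
    likelihood: int                    # inherent likelihood, 1-5 (step 3)
    impact: int                        # inherent impact, 1-5 (step 3)
    controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None    # link to the Risk Treatment Plan (step 7)

    def inherent_score(self) -> int:
        """Step 3: inherent risk ignores every control that is in place."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> float:
        value = float(self.likelihood)
        for c in self.controls:
            value *= 1.0 - c.likelihood_reduction
        return max(float(SCALE_MIN), value)   # never below the bottom of the scale

    def residual_impact(self) -> float:
        value = float(self.impact)
        for c in self.controls:
            value *= 1.0 - c.impact_reduction
        return max(float(SCALE_MIN), value)

    def residual_score(self) -> float:
        """Step 6: current risk after the evaluated controls are applied."""
        return self.residual_likelihood() * self.residual_impact()


def validate(risk: Risk) -> None:
    """Reject register entries outside the scales agreed in the context (step 1)."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.risk_id}: {name} {value} outside {SCALE_MIN}-{SCALE_MAX}")
    for c in risk.controls:
        if not (0.0 <= c.likelihood_reduction <= 1.0 and 0.0 <= c.impact_reduction <= 1.0):
            raise ValueError(f"{risk.risk_id}: control '{c.name}' reduction outside 0-1")


def prioritise(register: List[Risk], residual: bool = False) -> List[str]:
    """Step 4 (inherent) or step 6 (residual): risk ids, highest score first."""
    for r in register:
        validate(r)
    key = (lambda r: r.residual_score()) if residual else (lambda r: r.inherent_score())
    return [r.risk_id for r in sorted(register, key=key, reverse=True)]


def needs_treatment(register: List[Risk], appetite: int = RISK_APPETITE) -> List[str]:
    """Step 7 input: risks whose residual score still exceeds the appetite."""
    return [r.risk_id for r in register if r.residual_score() > appetite]


# Constructed sample register (illustrative values, not from the article).
REGISTER = [
    Risk("R-01", "Ransomware delivered by phishing", "File servers", likelihood=4, impact=5,
         controls=[Control("Email filtering", likelihood_reduction=0.5),
                   Control("Tested offline backups", impact_reduction=0.4)]),
    Risk("R-02", "Outage at a third-party hosting provider", "Customer portal",
         likelihood=3, impact=4),   # no controls evaluated yet
    Risk("R-03", "Lost or stolen laptop", "Staff laptops", likelihood=5, impact=2,
         controls=[Control("Full-disk encryption", impact_reduction=0.5)]),
]

if __name__ == "__main__":
    print("Inherent priority:", prioritise(REGISTER))
    print("Residual priority:", prioritise(REGISTER, residual=True))
    print("Needs treatment:  ", needs_treatment(REGISTER))
```

Running it shows why step 6 exists: by inherent score the ransomware risk tops the list, but once the evaluated controls are applied the uncontrolled third-party outage is the only risk still above the assumed appetite, so it is the one that goes into the Risk Treatment Plan first. The numbers are only as good as the control evaluation behind them, which is why the report from step 5 should record the evidence for each reduction factor rather than just the figure.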
