The processes and procedures that you use in relation to your WeTrack risk log form your Risk Management Approach. This is your internal plan that defines how your organisation approaches risk. It defines responsibilities for managing risk, what the risk tolerances and thresholds are, how risk impact and likelihood are measured, and how risk review is built into your organisational governance.
A risk management approach does not need to be complicated, but you do need to have one. This will ensure that everyone understands their roles and that risk planning is built into your everyday activities. When building your Risk Management Approach, try to answer the following questions.
What are the roles, and who holds them?
It’s important to define who in your organisation is responsible for recording, managing and reporting on risks, who is responsible for making decisions on risk, and who is responsible for carrying out the actions. For larger organisations, these roles can vary depending on the severity of the risk being managed.
How are risks categorised?
WeTrack uses two 5-point sliding scales to classify risks: one for impact, and one for likelihood. The risk/issue rating is then calculated based on these values. A good risk approach should set guidelines for each of these scales, and their combinations, so that classification is consistent across all risks. For financial risks, as an example, it makes sense to set thresholds for each impact level based on the overall project budget. A financial impact of £0-£1,000 could be classified as 1, whereas a financial impact of £100,000+ could be a 5, with appropriate thresholds in between.
How often are risks discussed, how are they reported, and who are the stakeholders?
It’s important to make sure that risks are regularly discussed, and at a variety of levels. As part of your planning, decide levels of responsibility for risk management so that decisions are taken at the right level. Top-level executive time and resource are always limited, so make sure that executives see only the key risks that are business critical. Keep the less critical risks at the department level or lower, as appropriate. An efficient risk management approach will ensure that when executive time is needed to manage risks, it is available.