You’ve successfully identified the risks that are facing your organization. (If you’re just joining us, check out our blog post from last week!) But now what? Risk management isn’t just about figuring out what risks there are: you have to know what to do about them and create a thorough plan for staying on top.
1. Analyze the risk for frequency and severity.
This will allow you to determine what risks are the most dangerous and require the most resources and attention, and which are not as worrisome. Frequency is the likeliness that a risk will occur or how often it is likely to happen. If a risk has the potential to happen every day, a lot more resources should be directed to preventing it than if there’s a low chance it will occur. (That being said, you cannot assume that a risk will never happen just because it is unlikely- you simply don’t need to pay quite as much attention to it). Severity is the measure of how much of an impact the risk would have it did occur; in terms of financial damage, reputational damage, or other losses. The most severe risks must be dealt with more carefully than those that won’t have a big effect on your ability to operate. This process allows you to prioritize the risks facing your organization and decide what ones you should work on first.
2. Determine the method of risk control.
Now that you’ve decided what risk to manage, you have to figure out what process you will use to control it. The key here is to find the solution that strikes the best balance between affordability and effectiveness. Your choice of solution needs to bring a good return on investment. Some possibilities of risk control include:
- Transfer: passing the liability and risk onto someone else through waivers, contracts, or insurance policies. You are holding someone else responsible if something else goes wrong.
- Acceptance: taking the risk as it is. You cannot allow your business to become risk adverse; without risk, no one could ever make a profit. If the risk comes with some kind of benefit, such as the inevitable risk of investment leading to a large payout, sometimes it’s best to just accept the risk.
- Avoidance: if a risk is perceived to be too dangerous to be worth the benefit, you can avoid it by not taking the risky action at all or discontinuing the practice.
- Prevention: Creating policies and procedures that decrease the likelihood that the risk will occur (the frequency). For example, you could implement hourly inspections for hazards in a setting prone to customer slips, trips, and falls.
- Mitigation: Creating policies and procedures that decrease the impact a risk will have if it occurs (the severity). For example, you could install a sprinkler system that will reduce damage if a fire breaks out.
3. Determine how you will finance the risk.
You can either retain the cost of the risk or transfer it. Transfer is when you buy an insurance policy that will cover the financial loss of the risk if it occurs. Retention is bearing the cost of the risk yourself, either through choosing to absorb the cost totally or through paying out a higher deductible on your insurance. For this step, you must determine how much the risk is likely to cost you and if you will be able to pay it while remaining financially stable.
4. Implement your chosen methods.
After you’ve decided how you’re going to address the risk, it’s time to put the plan into action. To do so, you must ensure you have senior management buy-in and the necessary resources (whether that’s time, personnel, or money). Then, create a procedure that will address the risk consistently and regularly. Give training to all staff on the new policy, and get everyone on board in following the procedure.
5. Monitor your results.
A risk management plan cannot simply be made and then forgotten. As your organization and the landscape it operates in continuously change, so do your risks. New risks may present themselves or adopted policies may become too in-depth or inadequate. Or, the method you chose to control a particular risk may simply be ineffective. It is important to track whether a risk management procedure is actually working; if not, it is pointless and you need to try a new tactic. Continuous monitoring and improvement is the only way to get a real handle on properly managing risk in any industry.
Was your chosen method successful? Great! But a risk manager’s work is never done. Now it’s time to move onto the next most dangerous risk facing your organization. For more details on addressing risks as well as identifying them, check out our whitepaper on the Risk Management Process.
ClearRisk’s Risk Management Information System provides multiple tools for identifying, analyzing, and addressing risks. If you’re having trouble managing risk in your organization, request a demonstration today to see what benefits we can bring to you!