The risk management process consists of five steps – identify, assess, plan, implement, and monitor. It is intentionally iterative, because the environment, and with it the risk universe, keeps changing. The governing principles described in A Practical Approach to Risk Management Part 1: Understanding the Risk Management Process apply to every step of the process. If you have not already read that article, start there before proceeding.
Identify Risks
This is usually the most challenging step, because it is where people tend to stumble. How do you identify risks? Which risks are, or could become, relevant? Each risk must be defined in the right context – internal or external – and be relevant to your organization.
There are many ways to identify the context and specific risks – horizon scanning, SWOT and PESTLE analysis, group techniques, individual interviews, and constraints and assumptions analysis. Whichever technique you choose, consider the business, financial, information security, legal, HR, operational, and force majeure risk categories. A few common risk areas that I’ve seen impact business objectives are market trends, innovation, customers, partnerships, workforce, legislative frameworks, asset security, financial resource management and reporting, contracts, payroll and benefits, onboarding and offboarding of employees, skills and knowledge, monitoring and change control, and dependency on third-party services.
The outputs of the identify risks step should include documented stakeholders and a risk register populated with threats and opportunities.
Assess Risks
Once you’ve identified the risks, the next step is to prioritize them based on probability, impact, and proximity, and then identify potential dependencies between risks. Impact can be measured as a score resulting from probabilistic models or as an expected monetary value. Expressing risk impact as a monetary value is important when you present data to executive management or the company board, because it allows them to compare the potential impact with other financial data.
The monetary value of a risk can be derived from lost revenue, the cost of asset replacement, or the time spent handling materialized incidents instead of regular production activities. You should also take into account the penalties associated with a breach of contractual obligations or regulatory requirements.
Two methods to account for profit loss are time-based contribution margin (CM) and customer lifetime value (CLV) impact (observable through changes in the customer retention rate).
Example 1 – Contribution margin-based risk valuation
Contribution margin (CM) per unit of product is $100
A production line output is 50 units/hour – with a total contribution (CM) per hour of $5,000
| Impact level | Outage duration | Probability level | Risk occurrence probability |
|---|---|---|---|
| Small | 1 hour | Small | up to 20% |
| Medium | 4 hours | Medium | up to 50% |
| High | 8 hours | High | up to 80% |
The expected monetary value for a risk with medium impact and small (low) probability is:
4 hours * $5,000 per hour * 20% probability = $20,000 * 20% = $4,000
Example 2 – Customer Lifetime Value (CLV)-based risk valuation
The average customer margin (CM) is $500, the customer lifecycle is 1.5 years with a retention rate of 60%, and the financial market interest rate is 10%.
| Impact level | Reduction of retention rate | Probability level | Risk occurrence probability |
|---|---|---|---|
| Small | 20% | Small | up to 20% |
| Medium | 40% | Medium | up to 50% |
| High | 60% | High | up to 80% |
To calculate CLV for the customer, we will use a margin multiplier as follows:
Margin multiplier = Retention rate / (1 + Interest – retention rate)
Margin multiplier (without risk) = 60% / (1+10%-60%) = 0.6 / 0.5 = 1.2
Customer Lifetime Value (CLV) = CM + Margin multiplier * CM
Customer Lifetime Value (CLV) without risk = $500 + 1.2 * $500 = $1,100
The margin multiplier for a risk with medium impact and low probability, where the retention rate is reduced by 40% * 20%, is:
(60% – (40% * 20%)) / (1 + 10% – (60% – (40% * 20%))) = 0.52 / 0.58 = 0.897
CLV if the risk above occurs = $500 + 0.897 * $500 = $948.5
The risk impact on a single customer will be CLV without risk – CLV with risk:
$1,100 – $948.5 = $151.5
Multiply this impact value by the number of customers potentially affected by the risk to obtain the total risk value.
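Both valuation methods above (Example 1 and Example 2) as reusable functions, an added example that is not part of the original article; the figures and the impact/probability scales are the article's own, and the `round_multiplier` switch reproduces its hand calculation, which rounds the multiplier to 0.897 before multiplying.

```python
"""Expected-monetary-value helpers for Examples 1 and 2 (added example,
not from the original article). Input figures mirror the article's worked
numbers; the impact and probability scales are taken from its tables."""

# Upper bounds of each level in the article's two tables.
OUTAGE_HOURS = {"small": 1, "medium": 4, "high": 8}
RETENTION_DROP = {"small": 0.20, "medium": 0.40, "high": 0.60}
PROBABILITY = {"small": 0.20, "medium": 0.50, "high": 0.80}


def cm_risk_value(cm_per_unit, units_per_hour, impact, probability):
    """Example 1: outage hours * contribution margin per hour * probability."""
    cm_per_hour = cm_per_unit * units_per_hour
    return OUTAGE_HOURS[impact] * cm_per_hour * PROBABILITY[probability]


def margin_multiplier(retention, interest):
    """Margin multiplier = r / (1 + i - r), as the article defines it."""
    return retention / (1 + interest - retention)


def clv(customer_margin, retention, interest, round_multiplier=False):
    """CLV = CM + multiplier * CM. round_multiplier=True reproduces the
    article's hand calculation, which rounds the multiplier to 3 decimals
    (0.897) before multiplying; False keeps full precision."""
    m = margin_multiplier(retention, interest)
    if round_multiplier:
        m = round(m, 3)
    return customer_margin + m * customer_margin


def clv_risk_value(customer_margin, retention, interest, impact, probability,
                   customers, round_multiplier=False):
    """Example 2: expected CLV loss over the affected customer base. The
    article folds probability into the retention drop: r' = r - drop * p."""
    reduced = retention - RETENTION_DROP[impact] * PROBABILITY[probability]
    base = clv(customer_margin, retention, interest, round_multiplier)
    at_risk = clv(customer_margin, reduced, interest, round_multiplier)
    return (base - at_risk) * customers


if __name__ == "__main__":
    # Medium impact, small (up to 20%) probability, as in the article.
    print(f"CM-based:  ${cm_risk_value(100, 50, 'medium', 'small'):,.0f}")
    print(f"CLV-based, per customer (article rounding): "
          f"${clv_risk_value(500, 0.60, 0.10, 'medium', 'small', 1, True):,.1f}")
    print(f"CLV-based, 100 customers (full precision): "
          f"${clv_risk_value(500, 0.60, 0.10, 'medium', 'small', 100):,.2f}")
```

With full precision the per-customer impact is about $151.72 rather than the article's rounded $151.5, a difference worth knowing when the figure is multiplied across a large customer base.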
The output of the risk assessment step is an updated risk register with prioritized risks based on the risk thresholds and risk appetite of the organization.
Plan Risk Response
Focus your plan on reducing threats and maximizing opportunities. Risk response planning often involves cost-benefit analysis and decision trees, as you work to ensure that the cost of mitigation efforts doesn’t exceed the risk impact. Remember that part of the criteria used for response planning will derive from your company’s risk appetite and tolerance thresholds. Once you have completed your plan, you will have a risk register that shows each risk along with its possible responses (accept, reduce, transfer, avoid, exploit), making it easier to get buy-in from all stakeholders on your plan of action.
Implement Risk Responses
Now it’s time to translate the planned responses into actions that will affect the probability of the risk occurring or the scope of its impact. Risk controls can take many forms – design or process changes, implementation of new systems, a new user experience, buying insurance, changes to legal documents and terms and conditions, introduction of new products and services, branding and marketing communication adjustments, and more. Communication, documentation, and alignment of those changes across the organization, with details of their possible impact, are necessary to avoid unintended consequences. This step should produce reports on risk mitigation status and any remaining gaps in risk coverage.
Monitor Implemented Mitigations
After all risk responses have been implemented, monitor them over time to measure the effectiveness of your risk management efforts and track whether they deliver the expected results. You may find that the intended controls are not as effective as initially planned, and adjustments, or an entirely new mitigation strategy, may be in order. How long you should monitor depends on the specific risks and the time required to obtain evidence of whether the mitigation works.
Consistent risk management fosters continuous organizational improvement through awareness and proactive planning. While it will not prevent all issues, it will help you prepare for the unexpected and manage any negative impact.
OnRamp, a LightEdge company, specializes in helping organizations keep their data safe.