Tools and techniques for risk management
28 October 2015
Creating a risk management plan is a must for your business. However, your plan will only be as effective as the tools and techniques you use. Choosing the right tools and techniques will help to reduce the complexity of risk management.
The identification, evaluation and mitigation of risks can be carried out with both formal and informal tools and techniques. Your choices must allow you to have control over your company’s risks. Although nothing is ‘set in stone’, there are good practice examples of risk management tools and techniques.
Risk management normally involves five stages:
- Risk identification.
- Quantitative analysis.
- Qualitative analysis.
We have some established tools and techniques for each stage.
The risk register is the ‘mother of all’ risk management tools and techniques. It tracks the risks throughout the project lifecycle. It acts like a snapshot of what’s going on with project risks. Risk registers are normally Excel spreadsheets. As well as helping to keep the project on track, they’re useful for providing information for the lessons learnt document.
To successfully identify risks, you must think of every possible eventuality. The problem is that there are some things that you just won’t know. This is where the following tools and techniques help to discover hidden risks:
- The Delphi technique is where a panel of experts are asked to answer questionnaires in a series of rounds. The idea is to question ‘deeply’ enough to get unbiased information that the experts agree on.
- Root cause analysis is looking at the cause of the problem to find out whether the full effects can be prevented.
- Diagramming techniques are compact versions of the risks. They can include cause and effect diagrams, flow charts and influence diagrams.
- Benchmarking is a comparison between periods or departments. Anomalies in benchmarking data can reveal risks that may have been missed if analysis was done in isolation.
Quantitative risk analysis
Tools and techniques can be used to numerically analyse the impact a risk will have on an organisation. Quantitative techniques are generally more complex than qualitative ones. Popular quantitative risk analysis methods include:
- Failure modes and effects analysis (FMEA) is an evaluation to determine how and where a process might fail. Action is then taken to address the parts of the process where failure is likely.
- Sensitivity analysis is where different variables are introduced to show the impact on the risks. This analysis shows what would happen if predictions fail to materialise.
- A decision tree (see the example below) is a diagram with branches that show the outcomes of different decisions and random events. Decision trees should be coupled with the expected monetary value technique to show the financial impacts of different outcomes.
Qualitative risk analysis
Qualitative risk analysis tools and techniques can help you to decide which risks to focus on.
There are ‘tons’ of different qualitative techniques; we’ve listed some of the most common below:
- Red, amber, green (RAG) status is a method that divides risks into three groups. The criteria for each group will normally depend on the quality and time impact, as well as the likelihood of occurrence. Red risks are the ones that will have the biggest impact and green risks will have no or a very low impact.
- Risk categorisation makes dealing with risks more manageable. Grouping risks by different categories, for example the root cause, will allow for a coordinated risk management approach.
- Risk urgency assessment can be used to narrow down the risks identified in the RAG status. This technique focuses on the timing element of risks. Priority is given to the most imminent risks.
Responses to risks
After the quantitative and qualitative analysis has been done, you then need to put together suitable responses to address the risks. The following responses can be used on their own, or as a combination:
- Avoidance or removal is where a circumstance around the risk has been changed, so the risk no longer exists.
- Mitigation is also known as risk reduction. This action is taken to lessen the chance or impact of the risk.
- Transference is shifting the risk and the impact to a third party, for example, an insurer.
- Acceptance of the risk involves drawing up a ‘plan B’ or contingency plan to deal with the impact.
Keeping a watchful eye on the risk management plan will ensure that nothing ‘slips through the cracks’. You should familiarise yourself with risk triggers to know when action needs to be taken. The systems below will help you to track your risks:
- Status meetings should be used to report on the progress of risk management. Frequent status meetings ensure that risks are at the forefront of people’s minds.
- Risk audits need to be done to evaluate how effective the responses to risks have been. Audits can also be used to assess the risk management process. The format, objectives and findings of a risk audit need to be clearly documented to improve the risk management process.
Tools and techniques that aren’t used effectively won’t help with your risk management. It could take some time to find which ones suit your business. The good news is that there’s plenty to choose from so you can move on to the next if a particular tool or technique isn’t working out.