risk management
A risk is something that might happen in the future, and could be expected to affect the project, service or programme.
Risks have two aspects:
1. Probability: how likely is the particular risk?
2. Impact: what are the likely consequences of the event if it does happen?
The trick is to not spend your effort on risks that are either unlikely or won't have a significant impact. Concentrate instead on how you might reduce the impact or likelihood of the significant risks.
Risk management includes:
- Identifying the risks. As a group, brainstorm the question "what could possibly go wrong?" Look at areas such as your reputation, people - staff, volunteers, clients etc, financial and other resourcing, external events.
- Rating the risks. How likely is this risk, and what would the consequence be - on a scale of 1 to 3 (some groups use a 1-5 scale).
- Chart this on a risk scoring matrix (see Figure 1). To manage risks, you need to try and reduce the risks in the 7-9 band, and then look at how you can manage or reduce the risks in the middle 4-6 band. Don't waste time on the low risks 1-3 band.
- Enter the risks in a risk register (see Figure 2).
- Risk management plan. Concentrate on how you can reduce the risks that score 7-9 on the matrix. Some ways of dealing with the risk are:
- Avoidance - perhaps you can arrange things differently to avoid the risk.
- Transfer - so that someone else takes on the responsibility. This option is usually quite limited.
- Mitigation - if you can't avoid the risk, how can you reduce it? For example, if the risk relates to staffing, a mitigation strategy might be to make sure there is staff back-up available.
- Acceptance - some risks will not go away and some you will be prepared to live with. These are the ones to keep a close watch on. You might look at a fallback plan for these risks.
- Monitoring and reviewing. Keep the risk register up to date. Things change and your strategies should reduce some risks. Update the register and review it at each (project) management meeting.
- Closure. Risks are about uncertain events in the future. Time passes and the risk either becomes a reality in which case you cope with the event, or not. Either way, the risk is closed. Apart from reviewing your risk management, you do not need to spend any more time on it.
Figure 1: Risk Scoring Matrix
|
Impact
(if risk happens) |
severe |
6 |
8 |
9 |
|
moderate |
3 |
5 |
7 |
|
minor |
1 |
2 |
4 |
|
|
|
unlikely
|
possible |
probable |
|
|
|
Likelihood (of risk occurring) |
Figure 2: Risk Register
|
Risk no |
Date Logged |
Risk Description |
Risk score |
Management Strategy |
Status
(i.e. open/closed) |
Risk management update |
|
date |
detail |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|