Tips for practitioners on risk management engagement

Many businesses treat risk management as part of their financial or project management processes and assign its use exclusively to commercial or project needs. Although there are professionals and processes that specialise solely in risk management, businesses should realize the benefits and wider impacts that a controlled approach can have on their teams and functions. Businesses often separate risk management because it’s difficult to measure how successful or effective their risk management process is. When risks are effectively managed, there are very few surprises and it becomes impossible to assess the effectiveness of the risk management actions.

Project Management Institute defines rise management as: “Risk management context is a combination of stakeholder risk attitudes and the strategic risk exposure.”

Risk attitudes and strategic risk exposure are two factors that every business controls, regardless of its risk management approach. The risk attitudes of stakeholders can be assessed using a grading system that all functions can adopt. The goal of risk attitude grading is to gain an understanding of the planned activity and how it’s affected by the wider environment as well as the potential effect it may have on that environment. Tools include stakeholder analysis, PESTLE, SWOT and Probability Impact grids. The risk appetite and functional risk profile will be defined by applying the grading system across different functions, each with its own subject matter experts. Early involvement of subject matter experts with an objective grading system reduces the sensitivity around risk management by lowering the urgency. A consideration and reflective view of stakeholder risk attitude is enabled by this method, which balances the influence of an organization's culture, priorities and personalities.

Identifying the strategic risk exposure of a business begins with understanding its risk attitude and project or business change risk exposure can also be assessed using the same grading system. This can be achieved by adding an agreed-upon risk tolerance that defines the level of risk appetite for the various business functions. The tolerance for risk is also influenced by the culture, personality and attitudes of the organisation, ranging from “risk paranoid” to “risk addicted.” By engaging early with clear, high-level criteria for tolerance thresholds, functions will be aligned, and these influences will be balanced. Once these assessments have been completed, the business is able to allocate appropriate resources and focus on the risk management activities.

As important as creating risk management engagement is maintaining that engagement during times of business change. Having senior management, subject matter experts and business stakeholders who will be impacted by the change review the risks will ensure the change's relevance and focus. There should be dedicated meetings during which general risk categories and terms, such as levels of risk, probability by type of risk, impact by type of objective, and the probability and impact matrix will be tailored to the specific change. By this point, the business has determined which combinations of probability and impact result in a classification of high risk, moderate risk and low risk. It’s possible for the business to specify the rules for risk rating in advance of the project. These rules serve as a tool that facilitates construction of the business's risk landscape and the development of the business's risk management strategy.

The facilitation of a risk workshop during the initial stages of a project assists the project manager in identifying risks early on, but it also allows the project manager to set expectations and establish a framework for the management of risks. It’s important to note that brainstorming workshops can be used, in conjunction with traditional brown paper planning exercises, to identify project risks as well as educate non-risk trained colleagues, align the project in terms of priorities, and serve as an introductory engagement tool to the project and the organization's risk management program. The goal of risk identification is to unambiguously describe negative threats and positive opportunities that may affect achievement of activity objectives; to create the initial entries in the risk log. Tools include Category Prompt lists, cause and effect diagrams and group techniques including RAID workshops and regular reviews.

To achieve the ultimate objective of risk management, it’s necessary to identify and respond to risks before they become issues. Business teams are responsible for planning, executing and leading the risk response throughout the duration of the project. The risk practitioner has access to a wide range of strategies and tools, such as contingency fallback planning and decision tree analysis. It would be helpful if project and risk managers would educate and implement these strategies and tools with the wider business teams to increase accountability and interest in the projects. A clearly defined risk management strategy will support business engagement by defining the practical steps the business teams must execute. Tools such as: risk management process flows, standardised recording and reporting, roles and responsibilities, scales for estimating tolerance/probability/impact, risk categories, early warning indicator templates and risk calendars are useful engagement tools for practitioners.