The 5 key stages to the risk management lifecycle
13 June 2018
Risk management, governance and compliance requirements are becoming increasingly complex. The risk management lifecycle deals with numerous statutory requirements and ever-changing risk registers, becoming an increasing burden to organisations both financially and on an operational level.
It is common for businesses to approach risk management in a siloed fashion, but when this information isn’t shared throughout the wider organisation, the result is risk management that is ineffective, slow and inconsistent. The best approach to risk management is a lifecycle, with one step logically leading on to the next. The key thing to note is that risk is evolutionary, meaning these steps must be repeated continuously so that risk management becomes proactive.
By being aware of the risks you face, it’s more likely that you will achieve your objectives and, should a risk occur, be better placed to deal with it.
An individual’s needs within a risk management process will vary depending on their function in the organisation:
- Senior executives need to know where the higher-rated risks are and who is managing them. For example, ensuring that there is not a shortage of skilled, experienced staff.
- Line and project managers need to help identify, assess, and manage higher-rated risks. For example, ensuring all factory floor staff are aware of health & safety risks.
- Service heads need to understand and manage the operational risks that exist within their business area, such as a lack of space within the office that could cause hazards and impact the ability to work effectively.
- The Board needs to have a clear view that the organisation is on target to achieve their overall objectives, ensuring they are compliant with regulatory standards to maintain accreditation and avoid financial loss and reputational damage.
The risk lifecycle
To achieve all this, the following basic outline details the five critical steps of the risk management lifecycle:
- Identification: You can’t manage your risks if you don’t know what they are, or if they even exist. The first step is to identify the events that influence your ability to achieve your objectives, define them and assign ownership.
- Assessment: Once the risks have been identified they need to be examined in terms of likelihood and impact. It is important to assess the probability of a risk occurring and the consequences if it does. This will help to pinpoint which risks should be prioritised and which have the lowest impact. The level of risk the organisation is prepared to accept when making this judgement is known as its risk appetite.
- Treatment: Once the risk has been assessed, an approach for treating each risk should be defined. After evaluation, some risks may not require any actions but just need to be monitored. Others will require an action or mitigation plan to prevent, reduce, or transfer that risk.
- Monitoring: Once the risk is identified, assessed and a treatment process defined, the risk cannot simply be left alone. Things can always change, so a regular review process is essential for managing risk proactively.
- Reporting: Reporting at each of the four stages above is a core part of driving decision-making in effective risk management. The reporting framework should be defined at an early point in the risk management process by focusing on report content, format and the frequency of production.
This brief outline only scratches the surface of the risk management process. Each step seems logical, but the importance is in the detail. Organisations may follow this risk lifecycle but, in our experience, few effectively execute all these steps at any given time. A number of factors tend to contribute to this: not having the infrastructure to carry out all steps from one location; the risks being recorded in one silo with the treatment plans in another; and, underlying both, no real ownership of the risks.