Yes, a budget of time and money needs to be ring-fenced for a thorough ongoing risk assessment. No, it needn’t break the bank. Indeed, the process can be completed to an adequate level by providing comprehensive answers to the following questions:
Risk identification: What could go wrong with this venture?
It’s important to retain a degree of perspective when answering this first question. It’s easy to see how debating it could send even the most grounded professionals down a rabbit hole. Decide on around 8-10 plausible factors that could jeopardise the venture and work from these, at least initially. Include risks to the physical workplace, to employees, and to capital and reputation.
Risk analysis: How will these incidents affect the business?
Two considerations should be made for each identified risk: probability and impact on operations. Grade each as ‘high’, ‘medium’, or ‘low’ and focus attention on those risks that rank ‘high’ for both.
Risk control: What should we do to minimise/avoid the risk?
The best way to plan for the worst is to simulate the worst happening by creating a timeline that starts from the moment an incident begins. What could trigger it? What is the immediate impact? Who is directly affected? What are the longer-term issues it precipitates? For example, a strategic supplier that interacts with your customers goes into receivership. What happens next? How do you mitigate customer impact? Do you buy the business and integrate the service? What about the people whose livelihoods are now at stake? Are you able to deal with ransom requests? Who negotiates with the receiver?
From this, it is possible to devise an action plan should the incident occur. Even better, put controls in place to reduce the risk of it occurring in the first place. For example, monitor the financial stability of key suppliers quarterly and automate the monitoring of the broadsheet press for supplier financial or reputation concerns.
Risk resolution: If something does happen, how will you pay for it/resolve it?
Ideally, this will be apparent having worked through the previous three questions conscientiously. It could also leave you with a more pressing question at the end of the process: if the company doesn’t have the means to resolve a probable risk, is it wise to continue with the venture in its current form?
Once a thorough risk management plan has been completed, its successful enactment depends on a number of factors, including:
- A commitment from all levels of management within the organisation
- Policies and procedures established from the plan being explicitly defined for all employees
- Relevant employees having clearly defined roles, responsibilities, and accountability
- An adequate allocation of tools and resources congruent with the plan
- Ongoing training, testing, and monitoring of the risk management plan