There are several bodies that lay down the principles and guidelines for the process of risk management. The steps involved remain more or less the same, with small variations in the cycle for different kinds of risk.
The risks involved in project management, for example, differ from the risks involved in finance, and this accounts for certain changes in the overall risk management process. However, ISO has laid down a set of steps for the process that is almost universally applicable to all kinds of risk. The guidelines can be applied throughout the life of any organization and across a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
As per ISO 31000 (Risk Management - Principles and Guidelines on Implementation), the risk management process consists of the following steps and sub-steps:
- Establishing the Context
- Identification
- Assessment
1. Establishing the Context: Establishing the context means that all the possible risks are identified and their possible ramifications are analyzed thoroughly. Various strategies are discussed and decisions are made for dealing with the risk. The breakdown of the activities in this stage is as follows:
a. Identification of a risk in one particular domain.
b. Planning out the entire management process.
c. Mapping the manifestations of the risk, identification of objectives of risk etc.
d. Outlining a framework.
e. Designing an analysis of risks involved at each stage.
f. Deciding upon the risk solution/s.
2. Identification: Once the context has been established successfully, the next step is identification of threats or potential risks. This identification can be at the level of the source or the problem level itself.
a. Source analysis means that the source of the risk is analyzed and appropriate mitigation measures are put in place. The risk source could be either internal or external to the system; examples include employees of the company, operational inefficiency in a certain process, etc.
b. Problem analysis, on the other hand, means that the effect rather than the cause of the risk is analyzed, for example a drop in production or the threat of losing money.
c. The choice of method varies with industry, organizational culture and other factors. However, some common methods of risk identification are:
d. Taxonomy based Risk Identification: The possible risk sources are broken down into a classification, hence "taxonomy". A questionnaire is prepared based on existing knowledge, and the answers to its questions reveal the risks.
e. Objective based Risk Identification: An organization or any business activity has a certain objective/s. Any activity that is deemed an obstacle in the achievement of the same is perceived as risk.
f. Scenario based Risk Identification: Here various scenarios, which may be alternative ways to achieve an objective, are created. If an undesired scenario emerges, the threat associated with it is identified.
g. Common Risk Check: Certain risks are common to an entire industry. Each such risk is listed and checked in turn.
3. Assessment: Once the risks have been identified, they are assessed on their likelihood of occurrence and their impact. This process can be simple, as in the assessment of tangible risks, or difficult, as in the assessment of intangible risks. The assessment is more or less a guessing game, and the best educated guess decides the success of the plan.
The industry practice or formula for arriving upon the risk is:
Frequency of occurrence × Impact
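To show how the formula behaves across a register of several risks, here is an added example (not part of the original article or of ISO 31000): a small scorer that applies Frequency × Impact to a constructed register and ranks the results. The risk names and the frequency and impact values are assumed for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    frequency_per_year: float   # expected occurrences per year
    impact: float               # loss per occurrence, in currency units


def risk_score(risk: Risk) -> float:
    """Frequency of occurrence x Impact: the expected loss per year."""
    return risk.frequency_per_year * risk.impact


def rank_risks(risks: list[Risk]) -> list[tuple[str, float]]:
    """Return (name, score) pairs ordered from highest to lowest score."""
    scored = [(r.name, risk_score(r)) for r in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def above_tolerance(risks: list[Risk], tolerance: float) -> list[str]:
    """Names of risks whose score exceeds the organization's risk tolerance."""
    return [name for name, score in rank_risks(risks) if score > tolerance]


# Constructed sample register; values are illustrative, not from a real assessment.
SAMPLE_REGISTER = [
    Risk("phishing-led credential theft", frequency_per_year=12.0, impact=5_000.0),
    Risk("data-centre fire", frequency_per_year=0.02, impact=2_000_000.0),
    Risk("ransomware outbreak", frequency_per_year=0.5, impact=400_000.0),
    Risk("laptop lost in transit", frequency_per_year=4.0, impact=3_000.0),
]

if __name__ == "__main__":
    # The frequent, low-impact phishing risk outranks the rare, severe fire:
    # the product weighs both factors, not impact alone.
    for name, score in rank_risks(SAMPLE_REGISTER):
        print(f"{name:32s} {score:>12,.0f}")
```

Note that the ranking changes if either factor is revised, which is why the assessment step is repeated as the educated guesses behind the numbers improve.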