How do I introduce a basic risk management process?
My experience of risk management comes from two places. Firstly, a very good and experienced risk manager who runs a "good" risk meeting; secondly, an internal project that got named "sleepless nights". Following a service breach we found ourselves in the embarrassing position where the breach had occurred through an issue we already knew about but which, during a period of instability and consolidation in the company, was not on the immediate agenda to address. After the breach, the board realised that there were issues that really needed to be addressed to maintain the recovery programme, and we as the IT team were asked to record all of the things that "kept us awake at night". The first pass of this list ranged from people who were single points of knowledge, to servers that were not on dual power feeds, to applications that were no longer supported. This list of "sleepless nights" issues soon became the starting point of our risk database.
The next stage was to create a basic risk management group that reviewed the risks on a regular basis. Each risk was given a rating of Low, Medium, High or Priority and allocated to a senior manager according to whether the risk fell within their area of ownership. The risk group meets regularly and discusses the progress of each risk. The key aim for each risk is to accept it, mitigate it or remove it; an accepted risk is still recorded against its owner, so that the decision to live with it stays visible rather than quietly dropping off the agenda, which is exactly how the breach above happened. The overall process is run by a nominated risk manager, whose role is to maintain and update the status and progress of each risk, and to capture all new risks and add them to the risk database for review at the next risk meeting.
What has been outlined above is the premise for an effective risk management process that would complement any SME. The key implementation phases and considerations are as follows:
1) Nominate someone to be your risk manager. Create a basic method of recording the risks that, as a minimum, includes a description of the risk, a section for updates, the risk level and an owner.
2) Capture all of your risks. Start off with a clear definition of what counts as a risk and build from there. For us it was whatever kept us awake at night. For you, it might be something different.
3) Set up regular risk meetings, but also have a clear intention of what your aim is. Are you planning to remove all of your risks, or just to understand and accept them? Without this vision and purpose it can easily turn into a paper chase, and you still end up with all of the risks.
If you would like more information about setting up a risk management process please contact us.
