Setting Up a Risk Management Policy, Identifying Risks, and Assessing Risks

The following is a quick guide to developing the risk management policy and procedure for your organization's projects, operations and tasks.


Establishing a Risk Management Policy


A standard risk management policy breaks down risks into 4 Levels:


Accept: Risk is low enough that it does not pose any threats to the organization’s objectives.

Monitor: Risk is manageable enough to accept. Proceed with work but monitor risk periodically.

Reduce: Risk must be reduced and any work affected by the risk must stop. Unrelated work can proceed. 

Immediate Action: Risk must be reduced immediately and all tasks, related and unrelated to the risk, must be stopped for the entire project or operation.


Note: For assistance in establishing these thresholds based on your organization's policies, contact CornerThought.


Risk can be calculated using the following formula:


Risk = Probability X Impact


When assessing the probability of a risk event occurring, data may or may not be available at an organizational or industry level. As a quick and easy way to determine the probability of a risk event occurring, use the following scale:


Levels of Probability


Possible: Has not occurred, but is conceivable (<0.01%)

Very Unlikely: Has occurred but is very uncommon (0.01 - 5%)

Unlikely: Has occurred and happens occasionally (5 - 20%)

Fairly Likely: Has occurred and happens a considerable amount, though isn’t the norm (20 - 50%)

Likely: Has occurred and happens more often than not (>50%)


Note: These definitions are used for conducting a rough estimate when large amounts of data are unavailable. The percentage thresholds are also adjustable based on how frequent the type of project/operation/task is for your organization or industry. For assistance in gathering data to make higher-accuracy probability assessments, contact CornerThought.


Impact Assessment:


Impact can be viewed through whatever KPIs your organization uses for its projects. Common KPIs include cost, schedule, safety, reputation, quality, etc.

 

Assessing the risk is done through your risk matrix:



Note: For assistance in creating your risk matrix, contact CornerThought

The standards for each level can be set at a task, project, department or organizational level.


For example, if your project charter deems any incident which results in a cost overrun of $10 Million as an issue which would require a full shutdown of the project, this would be an Immediate Action risk. If a given risk event has the following parameters:


Worst case scenario impact: $50 Million Overrun

Probability: Has occurred and happens occasionally (5 - 20%)


Then the risk level would be calculated as follows:


Risk Level = Upper Probability Limit X Worst Case Scenario Impact = 20% X $50MM = $10MM (Immediate Action)

 

Note: For the risk assessment formula, risks defined by qualitative KPIs like reputational damage can’t be directly calculated by multiplying by probability. Our team can assist you in conducting risk assessments for these types of qualitative risks.

 

Project, department and organization policy defines how risk is categorized for all 4 levels of risk.


Conducting a Risk Assessment:

Identifying and Gathering Risks:


Before assessing the risks to your project or operation, you first need to identify those risks. Here are some of the sources from which to gather information:


Historical Data


Looking back at similar projects or operations can provide insight into what can come up. Sources to consider include:

  • Lessons learned from previous projects/operations

  • Issue logs from previous projects/operations


The types of previous projects/operations that you should examine shouldn’t necessarily be limited to just projects or operations that had similar deliverables. Your team should also look at projects/operations that had similar scope parameters that defined them. Those similar scope parameters could include things like:

  • Projects done in the same state, town, etc.

  • Projects executed by the same contractors

  • Projects done at the same time of year

  • Projects done in similar geographies, climate conditions, economic conditions, etc.


Use your project charter, WBS, and other project scope documentation to enable your risk identification search.


Note: Extracting granular data at this level can become a burdensome task. CornerThought offers its services to navigate through your data to identify the risks applicable to your projects and operations.


Additional Ways CornerThought Can Help With Risk Management


In addition to the notes above, there are other ways in which CornerThought can assist your team in managing risk to ensure project success, which include:


  1. Identifying and assessing black swan risks

  2. Conducting workshops

  3. Building a risk register

  4. Utilizing risk data to effectively do a cost/schedule analysis


Book a call with us today.
