Risk management is an intentional, methodical system for cataloging, quantifying, and addressing the potential for future loss across the board. And like so many things in business, it’s easier to succeed in risk management when you have a plan—specifically, a “Risk Management Plan.”
Consider this article your crash course on the what, the why, and the how of risk management plans.
What is a risk management plan?
Put simply, your risk management plan is your playbook for spotting, preparing for, and responding to risk and risk factors.
The plan can be as narrow as a single project or team, or as broad as a whole global organization. They can be elaborate and complex, or simple and streamlined. Whatever the specifics, it’s a strategy that has been established, recorded, and (hopefully) implemented across the entire domain it covers.
Expert Tip:
No plan can feasibly cover every possible eventuality. No matter how careful or comprehensive, there will always be more contingencies than can be accounted for.
Regardless, nearly any plan is better than no plan. You know, “fail to plan,” and all that.
In short, no business achieves successful enterprise risk management (ERM) without establishing a risk management plan first.
What is risk management?
Defining risk management plans is difficult to do without at least a baseline understanding of what you’re planning for. Sure, it’s a plan for your risk management. Great. Now, what’s risk management?
Risk management, often referred to as enterprise risk management (especially when implemented at scale), is a methodology for handling risk and minimizing losses.
Again, that definition is more concise than it is clear. So let’s dive into some specifics.
Risk management comes in a variety of shapes and sizes. Depending on where you look for a definition, what industry you’re in, and what kind of risks you face, you’ll get slightly different answers regarding what it is, what it should be, and how you should deploy it in your organization. You’ll even see variance in the number of steps.
However a given expert decides to break up the aspects of risk management in their explanation, what remains the same is the underlying tactics. Here’s an example of what we mean, via a widely-used five-step framework:
- Identify risk
- Assess risk
- Determine risk strategy
- Respond to risk
- Monitor, report, repeat
The process begins with an audit of the risk factors in play, the potential losses, the potential gains tied to the risks, respective probabilities of outcomes, and so forth. In other words, you start by taking inventory of what can be gained, and what can be lost (and the likelihood of either).
From there, risks are categorized based on how avoidable they are, whether they can be mitigated in any way, if they’re an inherent part of the process, and if there’s any added value in addressing the risks vs. leaving them as is. This evaluation leads to determining strategies and putting them into motion.
Expert Tip:
A business that offers bungee jumping experiences may, for instance, take steps to minimize the risk of injury to participants, but ultimately use waivers to handle the portion of risk that’s baked into the whole concept (as there’s no way to remove the potential for mishap entirely).
A grocery store, conversely, may accept that carts will be damaged or lost over time, and do little to intervene beyond posting video cameras in the parking lot.
A business that offers bungee jumping experiences may, for instance, take steps to minimize the risk of injury to participants, but ultimately use waivers to handle the portion of risk that’s baked into the whole concept (as there’s no way to remove the potential for mishap entirely).
A grocery store, conversely, may accept that carts will be damaged or lost over time, and do little to intervene beyond posting video cameras in the parking lot.
Finally, effective risk management requires ongoing efforts to monitor and manage risks. This includes both tracking previously assessed risks, and identifying new risks that arise over time. Without this final aspect, there’s no way to tell if efforts are working, and no way to catch emergent risks before they become a problem.
Now, with that explanation out of the way, we can give a more meaningful description of a risk management plan: the predetermined processes, protocols, and policies that govern the work of risk management, ensuring standardized approaches and consistent results.
The benefits of risk management planning
What’s to be gained from risk management, and more specifically, building a risk management plan? That may seem painfully obvious, but we’ll cover it here anyway for the sake of completeness.
First and foremost, you cannot prevent/protect/avoid/mitigate/anticipate/remediate/etc., etc. what you aren’t aware of. In other words, until you check under the bed, there’s no way of knowing what monsters might be under there, metaphorically speaking, and thus no way to prepare to deal with them.
Second, nothing in life is completely risk-free. From a quiet evening at home, to the daily commute, to a major business conference, there is risk soaking into every portion of our lives, and there’s no expunging it entirely. The only thing we can do is account for that risk where appropriate.
We turn off the stove when we’re not using it. We wear seatbelts when we drive. We avoid the guy at the conference who’s hacking and coughing like he’s trying to donate a lung without medical assistance.
Expert Tip:
Not all risks are worth modifying our routines, processes, or plans for. Some can be avoided or removed entirely from the equation. And some can be handled sufficiently to render them a non-issue for the most part. But none of that is apparent until you start “looking under the bed.”
And, because there’s always something under there, it’s best if you have a plan in place that dictates standard operating procedure when you inevitably find something unpleasant during your search.
How to create a risk management plan
We know this is going to sound a bit recursive, but bear with us. How do you create a risk management plan?
You follow the steps we mentioned above:
- Identify
- Assess
- Evaluate
- Respond
- Monitor
Strictly speaking, the “plan” portion constitutes the first three steps, though good plans also outline how risks will be monitored and reported on.
“What about those organization-wide plans you mentioned?” Glad you asked. Those are usually referred to as “frameworks,” and they are often dictated by the specifics of a given industry or use case. For example, IT, InfoSec, and I&O pros will likely be using a cybersecurity framework when planning for and responding to risks.
Because most of the tactical-level strategizing requires more specifics than such a framework can outline without becoming too cumbersome, it’s almost always left to more focused implementations, such as project-specific risk management plans. That said, the framework will be what sets the standard for how those plans are created and implemented.
One final detail that’s critical here is the assignment of responsibility. Much as agile project management often identifies product owners, etc., it’s helpful to have someone who is expected to ensure risks are handled appropriately, and who can be held accountable if they’re not.
After all, the team members who will care the most about the risks are the ones with skin in the game, so to speak.
Creating the right risk management plan for your business
Risk management is a staggeringly extensive subject to cover, and the nuances get pretty nuanced beyond this point.
Hopefully, though, this has given you a better idea of what some of these terms are referring to, and where you can start looking for more curated information that’s specific to your industry, use case, and circumstances. If not, well, that’s a risk we’ll have to take.