Risk management is the identification, assessment, and prioritization of risks (the effect of uncertainty on objectives, whether positive or negative), followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities. (ISO 31000)
We apply the following risk management process which is based on the ISO 31000 Risk Management Standard:
Establishing the context
Before embarking on a risk assessment it is important to establish the internal and external context for the risk identification and assessment process. This includes defining the project goals, ownership structure, the scope and approach to Risk Management, budgets etc.
A risk can be defined as "the possibility that an event will occur and adversely affect the achievement of objectives." Risk and the use of risk assessments are not a new concept in the business world; many view them as a cumbersome regulatory requirement that adds very little value. The trick is to bring together the right parties to identify the risks that could affect the organization's ability to achieve its objectives (risk identification), determine how often specified events may occur and the magnitude of their consequences (risk analysis), rate these risks (risk evaluation) and determine the right risk responses (risk treatment).
Treat the risks
Strategies to treat risks include avoiding the risk, transferring the risk to another party, sharing the risk with another party, or controlling the risk by reducing its probability or its negative impact. The purpose of risk treatment is to decide what will be done in response to each risk in order to reduce the overall risk exposure. The risk assessment process is of no use if the identified risks are not treated with mitigation actions and controls.