A Risk Management Framework
There is no single formula for managing risk, but we are often helped by having a step-wise framework to assist, especially where it is sequential and provides some ideas about what should be covered (on a checklist basis). One such model, which may be useful, is the four-step “DICE” model, shown below.
Although each of the four steps in the DICE model has sub-category actions described in the above diagram, let's look briefly at what each of these steps involves in general terms.
Every organization will have a unique vision of the future, or idea about where it wants to go in terms of goals and strategy. This may be very conservative or radical (and all points in between) and will therefore necessarily carry with it a very different series of risks that will need to be managed. This is often called determining the “risk appetite” of the enterprise, or describing how much risk is acceptable for managers and employees to take in formulating plans, making changes, taking decisions, etc. The continuum here would run from a culture which is very conservative and manages risk tightly at all levels (an example here would be a nuclear power plant organization) to a culture in which risk taking is encouraged in many decisions (an example here would be a very creative advertising agency).
Once we have determined the direction of the enterprise and our overall appetite for risk, we can start to initiate the right kind of action to both identify specific risks and assess or measure them. This usually means taking a much closer look at the tactical plans we may have to achieve our goals (often by analyzing the data we have gathered in the past) and then making an assessment of what risks exist and how we can quantify them appropriately (typically in terms of likelihood or frequency and consequences or severity).
Once we have quantified the significant risks which will need to be managed, we can start to put appropriate controls in place. The best control of all is to eliminate the risk entirely, if possible. However, if we can’t do that, then we can look to transfer it to someone or some body better placed to handle it (taking out insurance being one example here) or mitigate it in some way (say with protective clothing or equipment). In some cases, we may simply live with the risk or tolerate its existence. This often happens when the chances of it occurring are very low and the consequences are relatively minor.
Once we have put a range of controls in place, we should not only review their fitness for purpose (did they do what we intended them to do, that is, control the risk?) but also keep monitoring the situations or processes that carried some risk to see if things change significantly. Often, something that is a very low risk today may become a very significant risk in the future (if left long enough), while in other cases a very high risk today may lessen or disappear completely after a period of time. We therefore should have an organized and rigorous monitoring process in place which allows us to cycle back through the four-step DICE model where necessary.
At the bottom of the four-step DICE model, the words “Information and Communication” are listed. This is just as important as any of the individual steps before it and, of course, should occur at every individual step on an ongoing basis. Good information and clear, concise communication “oil the wheels” of any risk management process, so we also need to pay close attention to ensuring that this happens as well as possible.