Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Often, the end of the risk assessment feels like the end of the process and things start to ease off. Unfortunately, this is when the real work begins because, now that you have identified and prioritized your risks, you need to do something about them.
There are several options when it comes to dealing with a risk but it’s risk treatments I want to focus on here. These often go askew when mitigation measures aren’t designed carefully. This wastes resources and the risks aren’t reduced.
One way to avoid this is to use SMART goal planning process to ensure that your risk mitigation measures are going to be effective and properly implemented.
George T. Doran coined the SMART concept in a 1981 essay in which he identified five criteria key to writing meaning objectives. These have slowly developed over the years to mean:
- S — specific
- M — measurable
- A — achievable
- R — relevant
- T — time-bound
This concept is widely used in business so will be familiar to many, but how can we apply SMART to risk mitigation?
The mitigation measure has to clearly define the effect it is going to achieve, the specific outcome desired and which part of the risk it addresses.
Measurement is essential in two ways. Firstly, there should be a metric from the initial assessment that can be applied when you come to recalculate the risk during the risk review. Secondly, there needs to be a way to measure the progress of the mitigation.
Mitigation measures have to be both realistic and something that the organization has the capacity and skills to achieve in order to be successful. Ending global warming isn’t achievable. Nor it is reasonable to have a mitigation measure that requires the whole organization to stop what it’s doing.
Instead, the mitigation measure has to be something that can be supported by the existing capacity of the organization with some additional investment if necessary.
Staying relevant is where things become unstuck most often.
Mitigation measures often tackle what people think the problem is instead of the actual problem. (Basically, they haven’t read your risk assessment.)
So, instead of using the assessment to understand a risk, executives will rely on their subjective view while developing mitigation measures meaning that the ultimate package of measures isn’t relevant or effective. You have to bring things back to the risk and its components to ensure that the mitigation is going to help manage that particular risk.
Finally, your mitigation measures must be time-bound in two ways: a date when the measures should be in place and a date when you expect to see results. Being time-bound helps the action owner plan implementation of the mitigation plan and give you a sense of when you should expect to see results.
If results aren’t observed by the expected time, then you may need to review the risk and re-plan the mitigation.
Be SMART (and KISS)
Too often, the end of the risk assessment leads to a loss of interest in what comes next. This loss of focus usually signifies that the risk assessment is more of a check-the-box exercise rather than part of an embedded, mature risk management process.
Whatever the case, when mitigation measures aren’t thought out and properly planned, these are unlikely to be effective, meaning that the risks will remain. Instead, ensure that you maintain focus and energy through the address phase and use the SMART concept when you are planning your mitigation measure to ensure these are effective. It’s not just SMART risk management, it’s KISS risk management.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.