Guest Post by Peter Holtmann (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
This article is the twelfth of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.
In previous articles we’ve looked at the core elements of the risk management framework and the role of leadership and commitment, integration, design, implementation, evaluation and improvement more specifically. We’ve also briefly looked at the risk management process in a general sense, the importance of communication and consultation, how to set your scope, context and criteria, as well as the identification, analysis and evaluation of risks. In this article, we’ll be looking at treating risk.
Introduction
At this point in your risk management journey, you’ve identified a risk in your organisation, you’ve analysed it, and you’ve evaluated it. Now, you need to treat it. Treatment in this sense refers to the selection and implementation of options to reduce, remove or transfer that risk. Failure to take proactive measures to treat risk can lead to unforeseen outcomes which could be, and more than likely are, counterintuitive to your entire risk management process up to this point. We’ll look at risk treatment in a general sense below.
The risk treatment process
The purpose of risk treatment is to select and implement options for addressing risk. It’s natural to assume that once you’ve selected a treatment option that you’re stuck with it, but in reality, it’s quite the opposite. The risk treatment process is actually a highly iterative process, and this process plays a critical role in allowing your organisation to truly get their risk treatment option right. With this in mind, you’ll generally start your risk treatment option selection through formulating and selecting risk treatment options. More often than not those initial options will center around one of two risk approaches, being either risk avoidance or risk minimisation. Once you’ve determined which of these approaches is the most appropriate to the risk that you’re addressing, you’ll then need to plan for and implement that solution. Small changes may only warrant a workplace policy change, whereas other risks may require staff to be retrained in the use of high-risk machinery, or the replacement of that machinery altogether, as an example. Following the implementation of your chosen risk treatment option, you will need to assess whether or not that treatment option has been effective in actually treating that risk. You may like to complete such an assessment on the basis of some pre-existing ‘hard’ metrics in your organisation, such as the number of workplace incident reports relating to that risk, as well as some ‘soft’ metrics such as the opinion of managers working with that specific risk. Depending on the outcome of your assessment of the risk’s treatment, you will need to determine whether the residual risk you face is acceptable to your organisation or not. If it is, then you know that your treatment option has been appropriate. If it isn’t, then you will need to take further action by altering the current risk treatment option, or introducing a completely new option. In any event, the highly iterative nature of the risk treatment process will allow you to alter your treatment option and continue to work toward avoiding or minimising the risk altogether.
Selecting a risk treatment option
Now that you have an overview of the risk treatment process, we’re now going to look at how to select a risk treatment option to kickstart that process. In the most general sense, you need to balance the perceived benefits of the option to achieving your risk objectives against the costs, efforts, or disadvantages which the implementation of that option may pose. This balancing act may require you to not just select one treatment option, but a combination of treatment options. For example, rather than just retaining a risk by way of an informed decision, you may choose to share and spread that risk through formal mechanisms such as insurance. Another example of blended risk treatment would be to avoid the risk altogether through removing the source of the risk. While there are single and blended options available for treating risk, you may also come across circumstances where there is no treatment option available for treating the risk at all. When this occurs, you should simply record that risk it and keep it under ongoing review. Factors which may influence your determination of a risk treatment option may include economic concerns. However, it should be noted that you should go beyond these concerns by considering the organisation’s broader objectives, its risk criteria (that we touched on in a previous article to this series), and the resources at hand to actually and effectively treat that risk. You may also turn your mind to the values, perceptions and potential involvement of stakeholders in treating that risk, as well as how the selection of that treatment option is justified and communicated to those same stakeholders. Bearing in mind that these are all valid considerations, it should be noted that the considerations you choose to give more weight to in the first instance, the second instance, or even the third instance of risk treatment, may not be effective to treat the risk. You may even find that there is residual risk following the treatment of and iteration to that treatment. When this occurs, you should inform relevant stakeholders of the nature and extent of that residual risk in order to satisfy the communication aspect of the risk management process and framework. This gives weight to the argument and need for consistent, ongoing monitoring and review of your treatment option which will ultimately allow you to iterate your option of choice to truly address and treat the risk at hand.
Preparing and implementing risk treatment plans
Let’s assume at this point that you’ve selected the risk you’re treating and you’ve selected your risk treatment option. What you need to do now is prepare a risk treatment plan. If you’re not familiar with the concept of a risk treatment plan, a basic explanation is that it is a document specifying how your chosen risk treatment option will be implemented. The purpose of this is to ensure that risk treatment arrangements are understood by any and all stakeholders involved in the treatment process, as well as to monitor the progression of the risk’s treatment against the plan. As a rule of thumb, information needed to be included within your risk treatment plan includes the rationale for and benefits of your selection of the treatment option, the person or team responsible for approving and implementing the treatment plan, the actions to be completed, the resources required and contingencies to completing those actions, how performance of the plan is to be measured, any constraints faced in respect of the plan, ant reporting and monitoring requirements, as well as the identification of when actions are expected to be undertaken and completed to satisfy the plan. It should also be noted that risk treatment plans are not plans which should stand in isolation. Rather, they need to be incorporated into other key management plans and processes within your organisation.
Conclusion
As we can see from the above, risk treatment is a critical component to the risk management process. Without it, risks remain stagnant and untreated, which can lead to significant consequences for its respective organisation and stakeholders. It is only through the selection of a treatment option and the implementation of that option through a risk treatment plan that we can proactively and effectively iterate and manage that risk, all of which will help allow us to avoid adverse consequences to our organisation.
If you have any stories – good or bad – about how you’ve approached risk treatment in your organisation, I would love to hear them.
If you’re looking to improve your risk management process and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.
About the author
Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.
If you are interested in working with Peter, please reach out to enquiries@holtmann.com.au.
Leave a Reply