Guest Post by Greg Hutchins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
When evaluating risk response strategies, executive management along with process owners must align risk responses with the organization’s risk appetite, business objectives, costs/benefits, and overall risk strategy/tactics. Risk response strategies and tactics may involve:
- Avoidance: Action is taken to depart from the risk situation or remove the activities giving rise to the risk, e.g. exiting a product line, triaging a project, declining service to an area, using stable designs, using a less complex IT methodology, standardizing processes, centralizing facilities, and moving up the capability and maturity curve.
- Reduction: Action is taken to reduce the risk likelihood or consequence, or both, which may involve any of a myriad of everyday business and process control decisions, e.g. lowering the level of risk, increasing the level or breadth of controls, using redundant systems, using joint application design, using design-build, adding more float to project schedules, and using enterprise, process, and project risk management methodologies.
- Sharing: Action is taken to reduce risk likelihood or consequence by transferring or otherwise sharing a portion of the risk, e.g. purchasing insurance, pooling risks, hedging transactions, outsourcing an activity, using a QA/QC service provider with suppliers, retaining a third-party project manager, retaining a prime supplier and acceptable alternate suppliers, and purchasing errors/omissions insurance.
- Acceptance: No action is taken to affect likelihood or consequence, e.g. accepting the quality level of a commodity, falling within the enterprise's risk sensitivity threshold, using commodity products, using products from ISO 9001 suppliers, and lowering the level of assurance.[i]
ISO identifies 4 risk treatments. However, each of the above risk management strategies and treatments can be subdivided further.
Once the appropriate risk response is determined, management assigns responsibilities for deploying the risk management plan. The risk management and response plan should address how to mitigate the consequences and likelihood of critical risks. Some risks are more critical than others; therefore, the process owners should separate the critical few risks from the trivial many (the Pareto principle applied to risk). A cost-benefit analysis is always helpful in implementing a risk response plan.