Risk management, where to start?

Risk management is an increasingly important part of business operations. Not only to manage risks but also to see and capitalize on opportunities. There are many, more or less complex theoretical models and principles that we try to bring back to the core to keep it simple and practical to implement. In this blog we explain how to get started with risk management.

The purpose of risk management

The purpose of risk management is to identify, assess and respond to risks. The process that an organization ideally uses for risk management is a clearly defined method for understanding what risks and opportunities are present, how they might affect the organization and how to respond to them. The 4 essential steps of the risk management process are:
  1. Identify the risk.
  2. Assess the risk.
  3. Handle the risk.
  4. Monitor and report on the risk.
Below we discuss step 1, identifying risks, and step 2, assessing risks, in more detail.

Step 1: Risk identification

The first step in the risk management process is to identify all events that may have a negative (risk) or positive (opportunity) impact on the organization's objectives. These events can be recorded in a risk register. You can of course write out these risks yourself but that is quite a lot of work. Perium therefore offers you the solution. Within Perium the most common and relevant Security and Privacy risks are already recorded and available for your organization. You only have to assess them (see step 2). With Perium you can easily keep track of all possible risks and if you want to add specific risks, you can do so in a few clicks. It is important that risks have owners. These are the employees who are responsible for the risk and have the knowledge and mandate to manage the risk. In the Perium platform, you add owners and targeted actions to resolve the risks.

Step 2: Assess the risk

There are many ways to conduct a risk assessment, from a pragmatic workshop with a number of employees to detailed methodologies. It is important that the approach fits well with the needs of the organization and that the right people are involved in this step. We do recommend documenting the approach so that the process is repeatable and (increasingly) reliable. Assessing risks, and especially recording the result of that assessment, can be done in Perium. You efficiently record the results of the process, independent of the process you followed as an organization.

How do I conduct a risk assessment?

Basically, there are two main elements that need to be determined:
  1. The risk score (probability x impact)
  2. The risk strategy
These elements affect your risk management. When you determine the risk score, you get an overview of the likelihood of risks occurring and the impact these risks can have on the business. You then use the risk strategy to manage the risks to an acceptable level.

The risk score

With a risk assessment, you determine how likely the risk is to materialize and what impact that would have on the organization. The results are recorded in the risk table with a score for the gross risk (also called inherent risk: the risk before you take control measures) and the net risk (also called residual risk: the risk after you have taken control measures). The probability and impact are usually scored on a scale from 1 (low probability, low impact) to 5 (high probability, high impact). The probability times the impact is the risk score; a gross risk is a risk without control measures and a net risk is a risk including (active) control measures.

Ideally, the probability and impact of the gross risk are estimated first, and then it is determined whether there are already control measures that reduce the probability or impact of the risk. Only if an existing control measure is functional or effective is the probability or impact of the net risk lower.

For your organization, it is obviously important to know how this risk score relates to the risk tolerance threshold. The risk tolerance threshold refers to the risk the organization can and is willing to bear. Prior approval is given on the threshold levels of risk exposure. If a threshold is exceeded, the risk should, for example, be escalated to management. The level of risk is determined by the net risk score (= probability x impact) and is compared to the risk tolerance limit. The result of this step provides insight into which risks are acceptable and which are not.

These elements (risk score, probability and impact, gross and net risk, risk tolerance limit) are also available in Perium. Perium also makes available the link between the risks and possible control measures. In this way you manage the risks conveniently in one place.
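As an added example (not code from the original post or from the Perium platform), the following computes the gross and net scores described above over a small constructed risk register and compares each net score with a tolerance limit. The risk names, owners, control effects and the tolerance value of 9 are assumed; note that a control that is not effective leaves the net score equal to the gross score.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # probability and impact are scored 1 (low) to 5 (high)


@dataclass
class Control:
    name: str
    effective: bool  # only a working control lowers the net risk
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    owner: str       # every risk has an owner with mandate to manage it
    probability: int  # gross (inherent) probability, 1-5
    impact: int       # gross (inherent) impact, 1-5
    controls: list = field(default_factory=list)

    def gross_score(self) -> int:
        assert self.probability in SCALE and self.impact in SCALE
        return self.probability * self.impact

    def net_values(self):
        # Apply only effective controls; the scale never drops below 1.
        p, i = self.probability, self.impact
        for c in self.controls:
            if c.effective:
                p -= c.probability_reduction
                i -= c.impact_reduction
        return max(p, 1), max(i, 1)

    def net_score(self) -> int:
        p, i = self.net_values()
        return p * i


def assess(register: list, tolerance: int) -> dict:
    """Net score above the tolerance limit means the risk is escalated."""
    return {r.name: "escalate" if r.net_score() > tolerance else "acceptable"
            for r in register}


# Constructed sample register (hypothetical risks, owners and controls).
REGISTER = [
    Risk("Unpatched internet-facing servers", "IT manager", 4, 5,
         [Control("Monthly patch cycle", effective=True, probability_reduction=2)]),
    Risk("Loss of unencrypted laptop", "CISO", 3, 4,
         [Control("Full-disk encryption", effective=False, impact_reduction=3)]),
    Risk("Office printer outage", "Facilities", 2, 1),
]
TOLERANCE = 9  # assumed tolerance limit approved by management
```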

Risk strategy

The next step is to determine how to control the risks, which you as an organization do not consider acceptable, and bring them back to an acceptable level. There are several ways to control or mitigate a risk:
  • Avoidance. For example, when policy choices or a business process within your organization involve too much risk, you may choose to change the policy or end the process.
  • Reduce. Addressing the cause of the threat is also part of reducing the risk. Control measures are used to try to reduce the probability and impact. These measures are what is called repressive: damage control.
  • Outsource. If the organization is risk-averse, it may choose to outsource an entire process, for example. The party taking over the process then also takes on the risks. This is also called transferring or outsourcing.
  • Accept. Is the risk too small, or does the necessary investment outweigh the positive outcomes after taking control measures? The possible consequence of the occurrence of the risk is then accepted.
So you determine the risk strategy based on the risk scores and the type of risk you are running and ultimately willing to run. In Perium, the platform for risk management, you can easily make this consideration, because you have assigned all risks to the responsible persons, have insight into the risk scores and also know to what extent you are willing to take risks. Based on the above steps, you as an organization can determine how to deal with the risks in a risk treatment plan. In the next blog we will discuss this in more detail and also pay attention to risk monitoring and reporting.

Risk management with Perium

For any organization, risk management is an important step. With Perium, you carry this out effectively and efficiently. Perium is the platform for risk management. Within half an hour you are already up and running. In addition, you can easily add your organization's own specific control requirements to the platform.

Start today

Wondering what Perium can do for you? Contact us today, we are happy to help you.
