Can you confidently state that you belong in that 23%?
Even if you are not a CEO, as an employee, are you sure you know all the risks within your workplace?
If not, then keep reading.
In this article, you will learn about risk and how to manage it, specifically via risk mitigation. You are also provided with a thorough list of Process Street resources and templates. These are designed for you to gain a good understanding of business risk, risk management and risk mitigation.
This article is structured as below:
- A definition of risk
- What is risk management
- What is risk mitigation
- Risk mitigation application
- Risk mitigation and risk management: A broader picture
If I ask you to define risk, are you able to?
You probably have a mental picture, a word or phrase, that translates to you what risk is.
As a child, my view of risk looked very much like the above image. Watching Jaws meant I had a perpetual fear of swimming in the ocean. I was worried about the looming uncertainty that lay lurking below. Until recently, that looming uncertainty of danger was what the term risk meant for me. It is only now that I realize this understanding of risk is incorrect.
This is where I begin this article. To clarify what risk is.
Risk does not equal uncertainty.
Not all uncertainties are a risk.
Risk is a subset of uncertainties in the world – of which there are many.
The Association For Project Management defines risk as below:
From this definition, we can gather that risk is uncertainty with repercussions that matter to us.
For example, the risk of it raining in the city of Washington will not matter to someone living in the city of New York. To a person living in Washington however, rain may represent a risk of great concern.
In business, risk refers to uncertainties that could impact objectives, as defined by the ISO standard 31000.
Risk has two dimensions, uncertainty and effect. The uncertainty is measured as probability, and the effect is measured as impact.
When we think about risk and impact, there are two types of impacts that matter: bad 😈 and good 😇
Both positive and negative impacts need to be appropriately managed. Another definition by PMI includes this detail:
"An uncertain event or condition that, if it occurs, has a positive or negative effect on an objective" – How risky is your project – And what are you doing about it?, PMI
We can conclude that risk is this double-sided concept. Turning our attention to business, and how risk is relevant for you, we need to be able to manage risk in our business operations. We need to be able to chase the positives whilst looking out for the negative uncertainties. This is where risk management, as a practice, comes in.
Risk management appropriately optimizes success with minimal threat and maximal opportunity. If you would like to know more about risk management, see our article The Ultimate Risk Management Guide: Everything You Need to Know.
My personal relationship with risk is tested regularly. As an avid rock climber, I constantly have to weigh up the risks of a particular move or climb. It is a mental battle, which admittedly sometimes makes me question my life choices.
At the bottom of each climb, I look up, imagine the moves and ask myself:
- ‘What are the risks?’
- ‘Are there any risks I can avoid?’
- ‘Are there any risks I can transfer?’
- ‘Are there any risks I can mitigate?’
- ‘How much risk am I willing to accept?’
The above question ‘Are there any risks I can mitigate?’ is specifically concerned with risk reduction. Reduction of risk is one of the four risk management principles:
- Risk acceptance
- Risk avoidance
- Risk transference
- Risk mitigation
The aforementioned article explains the above key principles in detail along with other facets of risk management.
However, risk mitigation is where we get into the nitty-gritty of this article.
We understand the concept of risk, and how risk mitigation fits into the broader discipline of risk management. It is now time to take our magnifying glass and focus on risk mitigation specifically.
Risk mitigation means to reduce the extent of risk exposure, and the adverse effects of risk. The question is, when do we apply risk mitigation as a risk management strategy?
To understand when to apply risk mitigation, we must put down our magnifying glass for one moment and consider the process of applying risk management. There is a specific risk management procedure outlined to deal with risk. These steps are as follows as detailed by BC Campus in Chapter 6 Project Management.
Risk mitigation plan: Step one, risk identification
The risk needs to be identified. Analysis and deliberation are needed to uncover, recognize and describe the risks that might affect your project or its outcomes.
Checklists have a large use value here. They can be helpful to the project manager and the project team in identifying specific risks on the checklist, while also expanding the thinking of the team. You can use Process Street to create checklists to help you with your risk management processes. Scroll down to find out more about Process Street and how you can implement our superpowered checklists in your business today.
A good framework to consider when identifying risk in your projects is the risk breakdown structure (RBS). Risk is organized into categories as per task, as shown below.
Using this risk breakdown structure, you can obtain a clearer understanding of where the risks are most concentrated. The teams can identify known risks. However, as a caution, any unknown risk cannot be identified via this approach.
Risk mitigation plan: Step two, risk evaluation
The next stage is to evaluate the risk. Referring back to the beginning of this article when we discussed how to identify risk, the risk was stated to be made up of two dimensions: probability and impact.
Measuring risks via these two dimensions shows that risks are not equal. Some risks are more likely to occur than others, and some risks have a greater impact on a project or a given business operation.
By measuring risk based on these two dimensions, you can sieve out and identify critical risks that require treatment.
It is after risk evaluation that risk mitigation comes in. By evaluating each risk in terms of probability and impact, the correct risk treatment can be applied. By risk treatment I mean the application of one of the four risk management principles: avoid, accept, transfer and mitigate.
Risk mitigation plan: Step three, risk treatment
Each risk treatment strategy can be described in terms of cost and return. It is by considering the cost and return of each, in combination with risk evaluation (whether the risk is of high probability or low in addition to its impact), that the correct strategy can be applied.
- Risk acceptance: low cost, low return
- Risk avoidance: high cost, high return
- Risk transfer: medium cost, high return
- Risk mitigation: medium cost, high return
If a risk has a low likelihood and low impact, you may choose to accept the risk. The low return given from risk acceptance is not an issue, as it is a low impact risk that is unlikely to occur. The low cost of risk acceptance will mean that you are able to manage the risk without a significant reduction to your budget.
If the risk has a high impact and a high likelihood, you would want to remove this risk at all costs. The correct strategy would be risk avoidance.
The strategy to be applied is not so clear-cut when we consider risks with either low impact and high likelihood, or high impact and low likelihood. The strategy will depend on the circumstances – it is not black-and-white which risk management strategy is best.
Taking our specific focus on risk mitigation, we will consider when to apply this.
A risk mitigation strategy has a medium cost and a high return. This strategy can be appropriate under the following scenarios:
- High impact, high probability risk: With its high return, risk mitigation could be a good strategy here if risk avoidance is unaffordable. The risk will not be completely removed, but its impact and/or likelihood will be reduced. However, risk avoidance is the ideal strategy to be applied in this scenario.
- High impact, low probability risk: The high return and medium-cost would make a risk mitigation strategy ideal under these circumstances. The low probability of the risk, despite its high impact, may deter great expense to avoid the risk. Risk mitigation offers a halfway house-like approach, to manage risk with potentially damaging consequences without too much expense (as the risk is unlikely). Risk transfer is another strategy to be considered.
- Low impact, high probability risk: Risk mitigation’s high return would offset the high probability of occurrence. Risk mitigation as a strategy would work depending on how low the impact of this risk is vs the cost of the risk mitigation strategy. Risk acceptance or risk transfer should also be considered as an appropriate strategy here.
- Low impact, low probability risk: The medium cost of risk mitigation may deter its application in this scenario. Risk acceptance would be the better option here, as the risk is not critical.
Once you have assessed your risk and identified risk mitigation as the best strategy, the next stage would be the application of risk mitigation practices.
Risk mitigation application requires continuous cost-benefit analyses. One, to assess whether risk mitigation is the best strategy to be applied. Two, to determine the degree to which the risk is mitigated. To illustrate this point, I will use an example of risk mitigation in action for data protection.
Risk mitigation in data protection
As mentioned in our previous article How To Prevent Data Loss and Implement Data Recovery, in our modern-day society, data can be considered as our new oil. It is that prized.
Data is valuable for your business, and so data loss is a risk that must be managed.
It is possible to mitigate risk by implementing backups and using data recovery services, as explained below:
Strategy: As a strategy, risk mitigation can be applied through the type of data backup system used. Through the implementation of the different risk management strategies, we introduce a sliding scale in terms of the degree of protection applied. For example:
- Continuous backup: This is expensive, with zero downtime, and often exceeds the mitigation strategy for critical data. This is not a suitable option due to cost. Continuous backup is reflective of a risk-avoidance strategy.
- Daily: Moderate, up to 8 hours of potentially lost data, with 3-hour recovery time. This is often the best choice considering cost and time factors. Moderate data-backup is a risk mitigation strategy, ideal in this instance.
- Weekly: Moderate, with up to 5 days of lost data, 12 hours to restore. The cost is acceptable; however, the recovery time for this option is often too high. Therefore, this option is not as suitable as option 2. This is a risk mitigation option, with lower costs but a lower return compared to option 2.
- Monthly: Very low cost, but not suitable as data backup is not adequate. This strategy could be considered as risk acceptance. The level of backup applied is not adequate to remove the risk of data loss.
You can see that in the example of data protection, risk mitigation as a strategy can be applied at various levels. Through assessment, risk mitigation is proven as the best strategy for data protection. The next step was to determine the degree to which the risk should be mitigated. A risk mitigation strategy with a higher cost but higher return (option 2) is the best choice.
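The cost-benefit comparison described above can be made explicit by scoring each backup tier as its running cost plus probability times impact of a data-loss incident. The following is an added example, not part of the original article: the data-loss and recovery hours come from the list above, while the annual costs, the zero data loss for continuous backup, the incident rates and the hourly loss figures are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupTier:
    name: str
    max_data_loss_h: float  # worst-case hours of data lost per incident
    recovery_h: float       # hours needed to restore service
    annual_cost: float      # ASSUMED yearly cost of running this tier


# Hours are taken from the article; annual_cost values are constructed.
# Zero data loss for "continuous" is an assumption (the article states only
# zero downtime). Monthly is omitted because the article gives no figures.
TIERS = [
    BackupTier("continuous", 0, 0, 120_000),
    BackupTier("daily", 8, 3, 20_000),
    BackupTier("weekly", 5 * 24, 12, 8_000),
]


def expected_annual_cost(tier, incidents_per_year, data_cost_per_h,
                         downtime_cost_per_h):
    """Tier running cost plus probability x impact of a data-loss incident."""
    impact = (tier.max_data_loss_h * data_cost_per_h
              + tier.recovery_h * downtime_cost_per_h)
    return tier.annual_cost + incidents_per_year * impact


def choose_tier(incidents_per_year, data_cost_per_h, downtime_cost_per_h,
                max_recovery_h=None, max_data_loss_h=None):
    """Return (tier name, expected annual cost) of the cheapest tier that
    also satisfies the optional hard limits on recovery time and data loss."""
    candidates = [
        t for t in TIERS
        if (max_recovery_h is None or t.recovery_h <= max_recovery_h)
        and (max_data_loss_h is None or t.max_data_loss_h <= max_data_loss_h)
    ]
    if not candidates:
        raise ValueError("no backup tier satisfies the stated limits")

    def score(t):
        return expected_annual_cost(t, incidents_per_year, data_cost_per_h,
                                    downtime_cost_per_h)

    best = min(candidates, key=score)
    return best.name, score(best)


if __name__ == "__main__":
    # Constructed scenarios: (incidents/year, $ per lost-data hour, $ per downtime hour)
    for label, args in [("typical", (0.5, 1000, 5000)),
                        ("low-value data", (0.25, 50, 200)),
                        ("critical data", (2, 10_000, 20_000))]:
        print(label, choose_tier(*args))
    # Same low-value data, but recovery must finish within 4 hours
    print("low-value, 4h limit", choose_tier(0.25, 50, 200, max_recovery_h=4))
```

With these constructed figures the choice moves along the sliding scale: weekly for low-value data, daily in the typical case, continuous only when an hour of lost data is very expensive. A hard recovery-time limit can rule out a tier that would otherwise be cheapest.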
Sometimes this assessment between risk management strategies is not thorough enough, leading to the application of an incorrect strategy. This can be costly, as the risks to be managed expose themselves, halting your business operations. I have used the palm oil industry, and the disastrous 2015 Indonesia fires, to illustrate this below.
Risk mitigation in the palm oil industry
Palm oil is a major driver of deforestation and biodiversity loss. It takes as little as one hour to remove 300 football pitches of natural forest, scouring the land to make way for palm oil monocultures. Such a rapid rate of deforestation is known to not be sustainable.
The risks of such a scaled-up, fast-paced industry include major soil degradation, an increase in forest fires, and worker exploitation. All of which act as a ticking time bomb, ready to disrupt the economically prosperous trade.
Risk: Forest fires, worker exploitation, and major soil degradation
Strategy: In this instance, risk acceptance seems to have been the strategy applied across much of the industry. However, this is not a viable long-term strategy. 2015 saw the brutal realization of this fact as 5,000km of profit-driven production went up in smoke. The World Bank estimates that these fires cost the Indonesian economy at least $16.1 billion.
Improved strategy: Risk mitigation would have been an alternative, better strategy. The Roundtable on Sustainable Palm Oil group detailed 8 principles to create a more sustainable industry. Although there is debate over how sustainable "sustainable palm oil" is, it does offer a viable alternative to mitigate risk, until a feasible risk avoidance strategy has been found.
The high costs associated with risk avoidance mean that, for now, this may not be a viable strategy. Palm oil alternatives are a gateway for potential risk avoidance; however, high initial investment costs are required for widescale implementation and further research.
So far we have identified what risk is and how risk can be managed within your business via risk management processes. We have determined how risk mitigation relates to risk management as a strategy to reduce risk exposure. We have gone through the process leading up to the application of risk mitigation and discussed what can happen when the incorrect risk management strategies are applied.
In this next section, I want to step back, taking a broader look at risk mitigation and risk management. During my research to write this article, I was halted by my own confusion regarding the two terms. That is, risk mitigation is often used as a replacement term for risk management. Yet risk mitigation is a strategy within the broader discipline of risk management.
Referring to one of Process Street’s previous articles, The Ultimate Risk Management Guide: Everything You Need to Know, I have come to the same conclusion as Oliver Peterson. That is, risk management is, in a way, the same thing as risk mitigation. Risk management, and its underlying strategies, all act to reduce risk to a point of removing it. So risk management, like risk mitigation, works to reduce risk.
I have kept this in mind for the next section, on how you can use Process Street to implement risk management strategies in your business. As risk mitigation and risk management both work with the same agenda, our resources designed for your risk management processes can jointly be applied for your risk mitigation strategy.
Use Process Street to implement risk management practices today
As a top business process management tool, you can use Process Street to promote and support your risk management processes. Whether this is mitigating against risk or transferring risk, using Process Street will ultimately reduce your business risk. We have prepared the video below to give you a comprehensive introduction of how to use Process Street for risk management.
Ready to get started?
We have an array of template resources to help you with your risk management strategy, as detailed in our The Ultimate Risk Management Guide: Everything You Need to Know post. For example, check out our Risk Management Process, a checklist we have designed so that you can complete your own risk management processes based on the principles of continuous improvement.
As you can see from the above, our templates offer a step-by-step guide for any given business operation. In this instance, we are talking about risk management, and so I have pulled out a comprehensive list of our template resources to help you with your risk management processes.
- Risk Management Process
- SWOT Analysis Template
- FMEA Template: Failure Mode and Effects Analysis
- Standard Operating Procedure (SOP) Template Structure
- ISO 14001 EMS Structure Template
- ISO 14001 EMS Mini-Manual Procedures
- ISO 14001 Environmental Management Self Audit Checklist
- ISO 19011:2018 Checklist for Auditing Management Systems
- ISO 9001:2015 Audit Checklist for Quality Management Systems
- ISO 9000 Structure Template
- ISO 9000 Marketing Procedures
- ISO 14001:2004 to ISO 14001:2015 EMS transition checklist
- ISO 9001 and ISO 14001 integrated management system (IMS) checklist
- ISO 26000:2010 social responsibility performance assessment checklist
- ISO 45001:2018 occupational health and safety (OHS) audit checklist
- ISO 27001:2013 information security management system (ISO 27K ISMS) audit checklist
- ISO 9004:2018 for sustainable success in QMS self audit checklist
- Electrical Inspection Checklist
- Electrical inspection checklist for motors and vehicles
- Electrical inspection checklist for marinas, docks, and boatyards
- Electrical inspection checklist for electric vehicle charging equipment
- Electrical inspection checklist for agricultural buildings
- Electrical inspection checklist for hospitals and health care
- Electrical inspection checklist for residential rough inspection (general)
- Electrical inspection checklist for air-conditioning and refrigerating
- Hotel Sustainability Audit
- Monthly housekeeping inspection checklist
- Hotel safety inspection checklist
- Rental inspection checklist
- Pretrip inspection checklist
- FHA inspection checklist
- Fire inspection checklist
- Restaurant health inspection checklist
- Roof inspection report template
- Site inspection checklist
- Forklift inspection checklist
- Facility inspection checklist
- Home inspection checklist
- Vehicle inspection checklist
- Privileged password management
In each one of these templates, you will find the following features.
- Stop tasks to ensure task order
- Dynamic due dates, so no deadline is missed
- Conditional logic, creating a dynamic template that caters to your needs
- Role assignments, to ease task delegation within your team
These features work to produce superpowered checklists that enhance efficiency, productivity and prevent mistakes and failures. By using our templates, your risk management strategy will be optimized.
What are you waiting for?
You can jump right in and use any of our template resources for free.
Obtain a further understanding of risk management using Process Street resources
As mentioned before, risk management is a broad discipline. In this article, we have looked at risk management with a specific focus on risk mitigation. However, there are many facets, beyond the scope of this article, that are important for understanding risk management.
If you have found this article useful, and want to know more about risk management, check out the below resources:
- The Ultimate Risk Management Guide: Everything You Need to Know
- Basics of Enterprise Risk Management (ERM): How to Get Started
- What Is ISO 31000? Getting Started with Risk Management
- What is Quality Management? The Definitive QMS Guide (Free ISO 9001 Template)
- The Complete Guide to Business Process Management
How do you try to mitigate risk? Do you use any specific frameworks or tools? Let us know in the comments below – who knows, you may even get mentioned in one of our upcoming articles!