When an organization adopts a risk-based thinking approach, developing a Risk Management Process is a natural progression. A formal Risk Management Process includes an explanation of how the process is aligned with overall business plans and policies, the governance of the process and the roles and responsibilities needed to oversee and run the Risk Management Process.
The Risk-Based Thinking model represents the methodology to identify and eventually control risk. As part of a formal Risk Management Process, use a standardized Summary Form to document risk findings for both threats and opportunities. Divide the form into the five components of Risk-Based Thinking: Identify, Analyze, Evaluate and Prioritize, Mitigate or Capitalize and Control.
- Identify: The Identify section of the worksheet lists the specify risk potentials to be explored. Including a Reference Number will prove helpful for tracking and communication.
- Analyze: Add both the Likelihood and Impact ratings to the Analyze section of the worksheet.
- Evaluate & Prioritize: Add the calculated Risk Index ratings to the Evaluate and Prioritize section of the worksheet. Note whether a low, moderate or high level of risk was found. Next, assess whether the conceptual mitigation approach for dealing with a potential threat appears to be practical and feasible or if a potential opportunity appears to be cost-effective.
- Mitigate or Capitalize: Summarize Action Plans to mitigate threats or capitalize on opportunities for those risks that are priority targets. Update the status of plans when status changes are made.
- Control: The Control component involves putting mechanisms (Control Plans) in place to control threats and protect new opportunities.
A Summary Worksheet documents and keeps track of the identification, analysis, evaluation and prioritization of risks.
- Some risks can be accepted as is; other require attention.
- Using the same worksheet to maintain a record of action plans (to mitigate threats or capitalize on opportunities), progress on the development and implementation of those plans and the deployment of control plans to “hold gains” creates a vital historical record (of the process or product) and serves as a useful communication vehicle.
