The first step to risk management is risk identification.

A risk is anything that exposes your customer or company to a chance of injury or loss. It is anything that creates or suggests a hazard. As an SME you must be able to identify risks. What could go wrong? You must be able answer that question accurately and consistency for all attributes of your domain.

The technology of radar was invented in the late 19th century. It was eventually commercialized by a German entrepreneur, Christian Hülsmeyer, who used the technology to construct a simple ship detection device that would help ship navigators avoid collisions.

Like radar, sensing the mass, distance, speed and direction of a risk is part of the identification process. SMEs have proven throughout history that they are able to identify risks better than their lay counterparts. You should be able to do so because experts typically have more experience, broader education, more sensitivity to key information, greater capacity to ignore distractions, and deeper memories of what does and what does not truly matter.

The first element of risk management is to consistently and accurately identify risks.

The second element of Risk Management is assessment. Once a risk is identified, it is essential to apply a consistent assessment. Risk assessments consist of two measurements: First, what is the likelihood or probability that a risk will occur? And second, what is the impact if it does?

There are many ways to measure the likelihood of a risk. You might measure it on a subjective scale such as: Certain, Likely, Possible, Unlikely, and Remote. Or, you might use a quantified model with 0-100% precise probabilities. In either case, the likelihood should be repeatable and verifiable. It should also include fair and candid assessment of what your actions will do to increase or decrease those probabilities.

The impact of a risk can also be measured subjectively or objectively. One possible range might be “catastrophic” as the worst impact to "minor," which is the least impact.

Mapping the likelihood of a risk and the impact of a risk, produces a matrix where risks can be easily prioritized. Risks that are highly likely and carry high impact are more important than those with low likelihood and low impact. Prioritization of the rest of the concepts in this lesson are based upon this mapping of likelihood and impact.

Often organizations are concerned about the financial implications of a risk, but SMEs know that risk assessment reaches far beyond economics. Impact might include strategic, operational, reputational, environmental, emotional, and others.

Again, measuring the impact of a risk should be repeatable and verifiable. The second element of risk management is assessment.

For each risk there should be an appropriate response. When a risk does occur, who should react and how will they know they should? In the case of a failed parachute, a reserve parachute is the appropriate response. In the case of a failing heart, a defibrillator may be in order. The SME should know in advance what response is appropriate for each risk and how that response is executed.

Risk response can be a highly contested subject. What is the appropriate response of a police officer when an assailant is carrying a firearm? What is the appropriate response when a business unit fails to file taxes on time? Etc.

Risk mitigation means you eliminate risk before it happens. Many of the risk that experts face can and should be mitigated.

Army paratroopers, for example, reduce their risk of death or injury from parachute accidents if they never jump from an airplane in the first place. Similarly, credit card data cannot be stolen from your company if it is never collected.

Unfortunately, mitigating risk can often introduce new risk. Paratroopers who do not jump will need to be inserted into their objective through other means. Alternatives to credit card payments carry alternative risks.

In short, what early steps can be taken to reduce the probability of an adverse risk occurring? Are those steps toward mitigation worth the time and effort required?

Not all risks can be eliminated through mitigation. Jumping out of a plane will always entail risk. Using a credit card online will also always entail risk. Consequently, the contingency describes what is to be done if the risk is realized. What is your plan B and plan C?

Your contingency plan is the equivalent of your [spare] spare tire, car jack and lug wrench stored in your vehicle. It includes all the things you need to fix the problem if it occurs.

Of course, your risk assessment, response, mitigation, and contingency are of no value if you do not know that a risk has occurred. There must be a way to monitor risks and know if important events occurred. Risk monitoring implies measurement and detection. It is easy to detect if a parachute fails to open properly, but more difficult to know if you credit card database has been compromised.

If you have identified a risk, you must also identify a way of monitoring that risk.

The final element of a risk mitigation plan includes notifications. Who is notified when the risk occurs? Who are the stake holders? How and when are they notified? What questions will they ask?

Typically risk reporting occurs in stages. Some people are notified as soon as a risk materializes. These are the first responders who perform immediate analysis and remediation. Once a risk is contained, a broader audience is typically informed. And eventually, when root cause analysis is complete the group may be notified again about corrective actions, process modification, or system changes, etc.

Risk reporting will vary widely depending upon the risk’s impact. Some risks warrant immediate response and broad disclosure. Others are less urgent. Your reporting plan should be commensurate with the impact and urgency of the risks involved.

To help SMEs manage risks, we have prepared a Risk Management Checklist and Risk Tracking Sheet. See the resources attached to this lesson.