Risks need to be identified, assessed, treated and managed to a point where the organization is comfortable with its risk exposure. This process needs to be robust to ensure all risks are systematically evaluated, assessed and managed effectively.
The Risk Identification process (HAZID) highlights the risks that need to be addressed. Risks are normally logically grouped and those groups are known and managed as Registers.
The inherent risk (the raw risk with no controls or barriers in place) is assessed and quantified (rated based on pre-defined criteria) before being reviewed against a risk matrix.
The placement of the quantified risk on the matrix will determine whether the risk is acceptable, needs to be treated or is unacceptable. If risks are deemed unacceptable, senior executives need to be informed and a value judgment must be made as to whether operations can continue.
Quantification can be from a single perspective or from multiple perspectives (looking at the risk from a number of viewpoints: environment, people, reputation, profit, etc.).
Risks in need of treatment generate actions to identify and put in place adequate controls and barriers. Those actions are distributed and managed until conclusion.
Once controls or barriers have been put in place the risk is once again quantified to determine if further work is required.
The effectiveness of each control or barrier can be assessed, highlighting the need for additional controls where a control or barrier, in isolation, is deemed only partially effective or ineffective.
A risk can be considered acceptable but the organization may choose to take additional actions to lower the risk further. This is managed as a target quantification.
The Risk Lifecycle is managed in a way that is simply not possible with spreadsheets.
Managing risk with spreadsheets lets you manage what you have in place.
However, managing risk with a risk management solution provides the same benefits, but also lets you manage what you don’t have in place. And it’s what you don’t have in place that often hurts an organization.
The visual representation of risks quickly highlights where there is exposure, where there are missing controls and where situations are not being managed effectively.
A risk management solution provides insight into gaps in the risk management system, and aims to alert the appropriate people to accept the situation or do something about it. The solution also raises alerts when risks, controls and actions are not being owned or managed, so that appropriate action can be taken to address and rectify the situation.
Spreadsheets provide no insight as to what is not in place and fail to make intelligent use of the data they contain.