Building a risk management system with the help of good software
Businesses dealing with risk need to take a systematic and structured approach to risk. How does risk management software help this approach?
The ISO 31000 standard provides a good starting point for a systematic approach to risk. The standard (soon to be updated) includes a useful flowchart for breaking down the elements of a risk management system.
Establish the context
The purpose of this stage is to establish the setting and criteria for the risk management system. The key outputs here are:
- Internal context (and associated factors)
- External context (and associated factors)
- Risk criteria, including risk calculation methods, risk matrix and risk tolerance
Essentially this stage is about creating a standardised, systematic approach to risk. This is where risk management software shines. Software relies on standardised terminology, inputs and processes.
By using a risk management software package you give structure to your risk management system. You need to establish the external and internal context when configuring the settings for the system. For example, the software will have users with different roles and permissions. You establish part of the internal context when you identify these users and configure their permissions.
You are also prompted by the software to establish your risk criteria in order to proceed. For example, the system will have options for how risk is calculated (the default would usually be likelihood multiplied by consequence). Determining the risk matrix that will be used by the software establishes the context for the risk management system. This will, in turn, determine what information the system requires from you when entering data (e.g. the software will prompt you to enter likelihood and consequence values for risk events). Setting levels of risk tolerance is also part of this process.
Risk identification
The first stage of the risk assessment process is the identification of risk events. The aim is to identify potential risks, and document your understanding of them. Risk management software provides risk identification tools to assist with this process.
These tools may include guided tools for hazard identification (HAZIDs), hazards and operability studies (HAZOPs) or other kinds of job hazards analysis. The software will prompt you to enter certain information based on the risk criteria you established earlier. At this stage, you usually need to identify the risk event and potential causes of that risk event.
Some risk management software packages come with libraries of pre-populated hazard identification exercises. If you are building a risk management system, be wary of using these kinds of libraries for anything other than inspiration. The purpose of establishing the context and the risk criteria in the preceding stage is to ensure that the risk management system accurately reflects your organisation’s circumstances. This is wasted effort if you intend to use pre-made hazard identification worksheets.
Risk analysis
The next stage of risk assessment is to analyse your risk events. This is a simple process of considering likelihood, consequence, and calculated risk rating (if you’re using the ISO 31000 qualitative calculation method). Most risk management software packages combine risk identification with risk analysis, and the risk is analysed within the same row on the risk spreadsheet.
More sophisticated software packages will offer risk analysis capabilities. This may include bowtie analysis, layers of protection analysis, and other methods of dissecting risk scenarios. These tools can be invaluable when you are dealing with critical risks that are not easily reduced to one line on a spreadsheet. If a critical risk has multiple causes and multiple consequences, you need proper risk analysis capability in your risk management system.
Only a handful of risk management software packages on the market offer this capability. They are well worth the modest additional investment, particularly when it comes to selecting risk controls later on.
Risk evaluation
This stage of risk assessment is about making sense of your findings. Having completed the preceding stages, you should have a list of risk events with associated risk ratings. Now you need to rank these according to severity and identify priorities. The most critical part of this process is to refer back to the risk tolerance and risk criteria you established earlier. Ranked risk events should be evaluated against these criteria. For example, you might have criteria for determining the criticality of risks (so that critical risks can be identified and treated as a priority).
Risk evaluation helps to establish a clear plan of action for dealing with the risks you’ve identified. Risk management software should help you to make sense of your findings. For example, you can configure your criticality criteria as filters in the software to separate out critical risks from the risk register. Many software packages also allow you to set risk tolerance levels in the system, and the software should automatically identify the risks that cannot be tolerated without treatment. Some of the better packages also include action tracking, which is important once you need to assign team members to follow up on criticality assessments or other matters. Capturing these actions in the software means that your risk management system has a readily accessible audit trail.
Risk treatment
Once you’ve identified priorities for risks, you can begin the process of identifying and evaluating risk controls. This is the risk treatment process. Again, you should be referring back to the risk tolerance and risk criteria you established earlier to evaluate how much risk treatment is warranted for individual risk scenarios. Treating risk is a matter of selecting risk controls that reduce the likelihood or the consequence of the risk.
Risk management software reduces the time and effort required to evaluate different risk treatment options. Good software should automatically calculate the impact of risk controls and indicate whether the risk is now at a tolerable level.
Using software with risk analysis capability is really useful at this point in the risk management system. Bowtie analysis allows you to assess how risk controls interact with causes and consequences, and determine weak points in your risk treatment framework. This is particularly important when you’re working with critical risks that could have severe consequences.
Good risk management software will summarise your risk treatment decisions in various report formats. This makes it straightforward to develop your work into a risk management plan, a safe work method statement or a job hazards analysis. This can also be used by decision-makers to inform their decisions, and defend the reasoning behind their decisions if necessary. Some software packages come with automatic cost-benefit analysis capability to assist with making decisions about which risk controls to implement.
Monitor & review
The final stage makes the risk management process an iterative cycle. An effective risk management system should not rely on decisions without validation. Risk levels should be monitored over time to determine whether the risk controls are performing as expected. This allows appropriate modifications to be made before an incident occurs. Risk controls should also be subject to regular risk review, which provides opportunities to assess how risk controls have been performing and whether there have been any circumstantial changes that warrant changes to risk controls.
Risk management software acts like a watchdog for the risk management system. It automatically notifies you when risk reviews are due (if you have entered a risk review period). Good risk management software should include auditing and assurance modules that link your audits to your risk register. This gives you real-time reports on the effectiveness of risk controls, and good software will also provide customisable dashboards for at-a-glance risk monitoring.
Your attention may be divided, but good risk management software remains focused on your risk exposure. It does not forget when risk reviews are due, and it will flag when something is not right (if you’ve configured it correctly).
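As an added example (not code from the original post or from any product it describes), the following Python models the criteria the stages above configure and then apply: a 5 x 5 likelihood x consequence matrix, a criticality threshold, a tolerance level, controls that reduce likelihood or consequence, and a review period. The threshold values, the scale, and the sample events and controls are all assumptions or constructed data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

CRITICAL_RATING = 15                 # assumed criterion: rating >= 15 is critical
TOLERANCE = 9                        # assumed tolerance: residual > 9 needs treatment
REVIEW_PERIOD = timedelta(days=365)  # assumed risk review period
@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # matrix steps removed from likelihood
    consequence_reduction: int = 0  # matrix steps removed from consequence
@dataclass
class RiskEvent:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (insignificant) .. 5 (catastrophic)
    controls: List[Control] = field(default_factory=list)
    last_review: Optional[date] = None
    def __post_init__(self):
        # The configured matrix decides what the register accepts: reject off-scale input.
        for v in (self.likelihood, self.consequence):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: {v} is outside the 1..5 matrix scale")
    def inherent_rating(self) -> int:
        return self.likelihood * self.consequence  # likelihood x consequence (the default method)
    def residual_rating(self) -> int:
        # Controls lower likelihood and/or consequence; each axis floors at 1.
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        cq = max(1, self.consequence - sum(c.consequence_reduction for c in self.controls))
        return lk * cq

def evaluate(register: List[RiskEvent], today: date) -> dict:
    # Apply the criteria to the whole register, as the software's filters and watchdog would.
    return {
        "critical": [e.name for e in register if e.inherent_rating() >= CRITICAL_RATING],
        "needs_treatment": [e.name for e in register if e.residual_rating() > TOLERANCE],
        "review_due": [e.name for e in register
                       if e.last_review is None or today - e.last_review > REVIEW_PERIOD],
    }

def sample_register() -> List[RiskEvent]:
    # Constructed sample data, not taken from any real register.
    return [
        RiskEvent("Ransomware on file server", 4, 5, [Control("Offline backups", 0, 2),
                  Control("Endpoint detection", 1, 0)], last_review=date(2023, 1, 10)),
        RiskEvent("Lost staff laptop", 3, 3, [Control("Full-disk encryption", 0, 2)], last_review=date(2024, 3, 1)),
        RiskEvent("Phishing credential theft", 5, 3),
    ]
```

Running `evaluate(sample_register(), date(2024, 6, 1))` flags the ransomware and phishing events as critical, shows the ransomware event brought to a tolerable level by its controls while the untreated phishing event still needs treatment, and reports both as due for review.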
Communicate & consult
The last element of a risk management system is present throughout the process. Communication and consultation should be part of every stage of the risk assessment process. Stakeholders should be engaged in the process, and should be pulled into discussions, communication and consultation as appropriate to their role.
Good risk management software provides a user-friendly platform for communication and consultation on risk. As previously mentioned, part of establishing your organisational context is to identify stakeholders, their roles and permissions. This also allows you to set up the software to capture your interactions with those stakeholders.
For example, good software packages should include collaborative risk identification tools. This allows all stakeholders in the process to have access to the exercise and have input. The system captures their input and creates an audit trail. Your consultation efforts are recorded and can be demonstrated if necessary.
Good software should facilitate collaborative work. For example, bowtie analysis software is usually designed to be used with a data projector to assist with engaging participants in the exercise. The software makes the risk model visually accessible to everyone involved. Depending on how you’ve configured the software, it should be able to give prompts or step-by-step guidance to ensure that participants at all skill levels can be consulted.
Good risk management software is, of course, only as good as the amount of effort you’ve put into configuring it to suit your risk management system. The software can form the backbone of your risk management system but should not dictate your risk approach. Why? Because your risk management system needs to reflect your organisational context and circumstances. Off-the-shelf software can never perfectly suit your situation. Make sure you take the time to consciously establish a risk management system that works for you.
What has been your experience with risk management software? How much does your risk management system rely on good software support?