4 Mitigation through action
If the current level of a risk is higher than your risk appetite then an action plan should be developed to reduce the level of the risk. Good action plans possess certain characteristics; these characteristics can best be described by the acronym SMART.
The definition provided uses ‘assignable’ for the A of SMART; this is relevant in the context of risk treatment because risk treatments generally need an owner in order to be put into operation and remain effective. However, other examples have the ‘A’ representing ‘agreed’, meaning everyone agrees to the action being undertaken. In the sense of risk management this is misleading because there may be actions that an organisation wishes to take that people don’t agree with but that will nonetheless be undertaken.
Here is another definition in more detail. (Note that this example uses ‘achievable’ rather than ‘assignable’.)
Actions can either reduce the probability or the impact (or both) of a risk. Because many risks have more than one root cause it is important to understand which root causes and which consequences are being treated by the action plan and which are not. It is also important to consider the length of time it takes to complete the actions.
Activity 1 Managing risk through actions
In this activity imagine you are in the role of an organisation that makes their own product and has a factory within their operations that produces these products. The factory contains a single special process line that is essential to the production of the finished product. The original introduction of the special process was a significant capital expenditure for the organisation. The organisation has already identified that the loss of the special process line is a significant business continuity risk and has identified some actions that could be undertaken to mitigate the risk. The organisation now needs to consider each of these actions in terms of risk reduction (probability and impact), the cost of implementation and the time it will take to implement.
Consider the actions associated with managing this risk. First, place the actions on a grid evaluating the time (to implement) and the cost to deliver each action.
Much of what has been covered in the previous activity can be summarised in something often referred to as a risk burn-down or waterfall chart, named after the waterfall shape the chart normally depicts. This chart, in its most often used form, has time on its x-axis and either financial risk measures or organisational risk scores on its y-axis. The chart then shows the current risk, with each action represented as a step down the waterfall as it reduces the risk, until the residual level of risk is reached. The chart can also show the target level of risk (as a gap to the residual) and can potentially be adapted to show previously implemented controls (something covered later in this session) in order to demonstrate the gross risk.
It also needs to be considered what confidence you have that the actions will be done and will achieve their desired result, and you should adjust your plans accordingly.
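The burn-down chart described above, together with the confidence adjustment, as an added worked example that is not part of the course material: a small Python model that applies each action at its completion time, credits only the confidence-weighted share of its reduction, and reports the residual risk and its gap to the target. The 1–5 scoring scales, the actions and their figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Action:
    name: str
    months_to_implement: int    # x-axis position: when the step down occurs
    probability_factor: float   # multiplier on the probability score (1.0 = unchanged)
    impact_factor: float        # multiplier on the impact score (1.0 = unchanged)
    confidence: float = 1.0     # 0..1: how sure you are it will be done and will work


def risk_score(probability: float, impact: float) -> float:
    # Organisational risk score = probability x impact (constructed convention)
    return probability * impact


def burn_down(probability, impact, actions, target):
    """Return (steps, residual, gap_to_target). Each step is (month, label, score);
    actions are applied in the order they complete, as on the waterfall chart."""
    steps = [(0, "current risk", risk_score(probability, impact))]
    p, i = probability, impact
    for a in sorted(actions, key=lambda a: a.months_to_implement):
        # Only the confidence-weighted share of each reduction is credited.
        p *= 1 - a.confidence * (1 - a.probability_factor)
        i *= 1 - a.confidence * (1 - a.impact_factor)
        steps.append((a.months_to_implement, a.name, round(risk_score(p, i), 2)))
    residual = steps[-1][2]
    return steps, residual, round(residual - target, 2)


# Constructed figures for the special process line scenario (1-5 scales).
SPECIAL_LINE_ACTIONS = [
    Action("Preventive maintenance contract", 2, 0.75, 1.0),
    Action("Hold critical spares on site", 4, 1.0, 0.8),
    Action("Qualify second-source supplier", 12, 1.0, 0.5, confidence=0.5),
]


def special_line_plan(target=6.0):
    # Current risk: probability 4, impact 5 (score 20); target set by risk appetite.
    return burn_down(4.0, 5.0, SPECIAL_LINE_ACTIONS, target)


if __name__ == "__main__":
    steps, residual, gap = special_line_plan()
    for month, label, score in steps:
        print(f"month {month:>2}  {score:>5}  {'#' * int(score)}  {label}")
    print(f"residual {residual} vs target 6.0 -> gap {gap}")
```

The positive gap shows the residual still sits above the risk appetite, and the x-axis makes clear that most of the reduction is not realised until the twelve-month action completes.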
Building risk treatment actions into other work plans and budgets is a powerful way to make sure that they don’t get overlooked. In many organisations risk treatment actions that are not planned, funded and resourced simply don’t happen.
Your residual risk level potentially tells you nothing about when this level of risk will be achieved or how confident you are about achieving it – without these two key pieces of information it should be treated with caution. In particular it should not be used in isolation for risk reporting, which is considered in Session 7, or for financial planning.
Managing actions is an integral part of any risk review process and should be aligned with the SMART objectives outlined above.