7 Steps To Developing A Risk Management Plan
Risk is real for any company or organization. Don’t kid yourself. Things happen when you least expect them to happen. Are YOU ready for the unimaginable, the unexpected, the unwanted? As an executive, have you put your head in the sand around risk? Do you pretend that all is well, and nothing will change? If so, it’s time to face reality: data gets lost, buildings burn, people resign. When any of these occur, your organization is at risk for malfunction, inefficiency, chronic struggle, revenue loss, and even total failure. Is this the path you want to go down?
Beginning now, you can initiate the process of developing your organization’s risk management plan. Take charge. Form a committee representing Board members and staff, and ask them to partner with you to create this critical document. Make sure everyone understands the importance of the work, and explain to them how they can benefit from contributing to the finished product. Risk management plans are not optional; they are essential for every company, large or small. There are no valid exceptions.
Implement the following seven steps, and give yourself and others a huge slice of peace of mind:
1. Define what risk looks like for your organization.
What constitutes risk in your shop? Threats to normal operations? Threats or compromises to people’s safety? Loss of physical and electronic property? Loss of revenue? Decreased public/community support? Unethical behaviors? Create a comprehensive definition of risk that means something to YOU and YOUR organization.
2. Identify specific risks.
Ask the committee to brainstorm as many different risks as they can possibly imagine. Record them on a white board or flip chart. Examples of various risks include: firing of the chief executive, dwindling interest in one of your major products, departmental silos, Board infighting, inability to fundraise, economic downturn, layoffs, building fire, computer crashes, philosophical differences between key employees, extended leaves for managers, interruption in receiving necessary supplies. All of these are potential risks, and there are many others. Continue brainstorming until the group believes they have come up with an exhaustive list.
3. Categorize each risk.
Determine category names for the identified risks. Examples may be: Chief Executive, Board of Directors, Physical Property, Technology, Data, Employees, Products or Services, Customers/Clients, Stakeholders. Place each risk under one of the selected categories. Create as many category names as you need.
4. Rank each risk according to severity or significance.
Choose headings such as “most severe”, “moderately severe”, “of minimal concern”. You don’t have to use these same words for your headings, but be sure that your phrases adequately differentiate between the degrees of seriousness. Perhaps you would like to color code each risk according to its significance heading: red for “most severe”, black for “moderately severe”, and green for “of minimal concern”. Set it up the way it best works for you and your organization.
5. Develop strategies for reducing or eliminating each risk.
Begin with the risks under your “most severe” heading. It’s critical that you don’t delay in thinking through possible solutions for those major issues. Ideally, determine multiple strategies for each risk. Be sure to consider who within the organization is going to be responsible for implementing the various strategies, and the resources needed to implement them. Omitting this information from the plan only causes big problems later.
6. Write your plan.
Using all of the above input, shape a readable document. Practicality is paramount here. The plan is worthless if nobody can follow it, interpret it, or actually rely on it as a guide during crisis. After it is compiled, seek feedback from the committee as well as other employees and Board members. Incorporate changes where indicated. Check for evidence of common sense throughout the document. Hold yourself accountable to a high standard around common sense. A pie-in-the-sky risk management plan doesn’t serve anyone.
7. Test some of those strategies in your plan for viability.
Do they work? Can they work? Why or why not? Where are the pitfalls? What steps are missing? Would you benefit from having certain outside experts review your strategies? If so, which types of experts?
Revisions to the plan may occur annually, as situations arise and your organization lives one or two of the strategies firsthand. Hindsight is often wiser. Don’t be afraid to toss some plan content when you know for a fact that this is what you must do. Remember: the plan needs to be current. On a day you least expect it, someone has to grab that document, refer to a particular section in it, and act upon it–fast.