How can you evaluate the outcomes of risk management strategies
When you want to evaluate the outcomes or effectiveness of the risk management strategy you need to define key performance indicators (KPI) that you can measure. KPI’s need to be defined on the company specific tailored towards the risk management and strategy.
Possible KPI’s for evaluating can be:
Percentage of risk issues outside the risk tolerance without a response option
Number of non-identified risk that occurred
Cost incurred for any unidentified risk, which occurred
Deviation of estimated impact to real impact for risks occurred
Percentage of non-implemented risk actions
Mitigation cost vs cost of impact
Another way of measuring is by introducing a maturity model for the management of risk. The higher the maturity in an organization the more successful the implementation of the risk management strategy is. There are ‘pre-defined’ models already; there is a comparison of these maturity models in the Table 2: Comparison of maturity model levels (Office of Government Commerce, 2010)(Office of Government Commerce, 2010).
Publication
Level 1
Level 2
Level 3
Level 4
Level 5
CCTA
First
Second
Third
Fourth
Chapman
Initial
Basic
Standard
Advanced
Hilson
Naïve
Novice
Normalized
Natural
Hopkinson
Naïve
Novice
Normalized
Natural
OGC P3M3
Awareness
Repeatable
Defined
Managed
Optimized
Sun Microsystems
Chaotic
Reactive
Proactive
Optimized
Self-aware
PMI
Standardize
Measure
Control
Continually improve
FAA
Performed
Managed planned and tracked
Defined
Quantitatively managed
Optimizing
INCOSE/PMI/APM
Ad hoc
Initial
Repeatable
Managed
Table 2: Comparison of maturity model levels (Office of Government Commerce, 2010)
Determine actions to respond to outcomes of risk strategies
By using a continuous improvement process that aligns the strategic risk management process with the business management process you can capture the strategic risks in the organizational business plans.
The output or lessons learned from earlier outcomes will be incorporated in the risk management strategy that will define how the current strategic planning cycle or investment decisions are handled.
In the strategic risk register you will have all the captured risks that are identified, assessed and their agreed and planned risk response.
Key lessons
As in every framework are using, you need to be aware that it helps you to become better and that people are not doing this because this is a ‘mandatory action’. The big risk with risk management is that people feel that there is nothing done with the real risks detected or that they are just filling forms. Therefor the (top)management needs to live the risk strategy in the organization, actively discuss and ‘defend’ the policies.
To see if the risks are still valid or counter measures are still the right choice regular checks need to be made on risks registered. A risk that was low at the beginning can become high during the time or a risk that was very high at the start is gone when you finish your project. The same for the countermeasures that were taken (or not) can need some change based on recent changes in the organization or regulations.
Risk management needs to be ‘companywide’ and not only a team, department, branch solution. The benefit of having this overall view is that possible risks for a single entity can maybe easily be mitigated in the whole, or when it is a companywide risk, one solution that will benefit all individual risks.
What's your best advice to evaluate your Risk Management Strategies?
Not subscribed yet? Do it NOW!
Author: Rieco de Jong (All Rights Reserved by the author).
Source: Original text, based
upon first hand knowledge and the following bibliography:
· Mintzberg, H. (1990). The Design School: Reconsidering the Basic Premises of Strategic Management. Strategic Management Journal, Vol. 11 , 171-195.
· Office of Government Commerce. (2010). Management of Risk: Guidance for Practitioners 2010.London: The Stationery Office (TSO).
Image: © Pressmaster - photodune.com
Help us to improve it: how-to, discussion.