Risk governance

What is risk governance

Risk governance is not so much a tool as it is a way of handling risk in general. It is a systematic process to identify, rate, control and economically assess risk in an organisation. By making a risk profile for the organisation it is possible to achieve effective risk governance. Risk profiling is the act of establishing what acceptable risk is to the organisation, whether risk is evaluated in terms of money, reputation or damage. A risk profiling should be made in advance of risk governance. It, as all other risk tools, serve as a cost saving mechanism if done correctly, as well as a time saving mechanism.  

It involves five phases/elements: Risk identification, risk description, risk evaluation/assessment, risk strategy & risk reporting.

Risk identification

- What we know from previous encounters. This is where the organisation will look at what has happened to them before or try to identify risks that they have not encountered yet. It is usually performed either by being proactive or reactive. 

  1. The proactive method is where you try to imagine risk you are vulnerable to. By analysing risk factors and performing a likelihood evaluation.
  2. The reactive method is where you analyse previously encountered risk scenarios and register them according to organisations specific variables. By looking at previous events and evaluating them, you in time learn how to manage these risks so they are not as likely. 

Using both these methods will probably yield the best result. But it can be hard to successfully imagine risk, so we recommend at least being reactive, and then when there are enough registered events (hopefully not) then try to imagine what else can happen. It is also a good idea to perform brainstorm sessions at regular intervals with engineers, risk managers and financial managers to at least try and see if there are any future risk scenarios you should be aware of. This process can be done with the previously described risk tools: Brainstorming and Scenario risk analysis 

Risk description

- This is the phase where you establish a common view of risks. 

  1. Here you should establish what you, as an organisation, see as risks. To create common ground for how a risk is perceived and experienced.
  2. This is important to do, because if the organisation doesn’t have a common risk perception then it’s hard to learn from a previous event. There will always be someone who see a risk that someone else doesn’t see. 

Risk evaluation/assessment

- This is the phase where the risk is evaluated/assessed.

  1. Risk is evaluated and rated according to the organisations risk profile to determine which risk are acceptable and which are not.
  2. This is also the phase where the organisation would re-evaluate their risk profile if necessary. In the risk evaluation/assessment phase you evaluate risk according to: Likelihood & Consequence.
  3. This should result in a vulnerability analysis which is a ranking of one’s vulnerabilities.

Risk strategy

- How should the organisation handle risks? 

  1. In this phase a strategy for risk management is chosen based on the previous evaluation of the organisation’s vulnerabilities. This can be done with a Risk Matrix where you place risk in their respective “fields” in the matrix (green, yellow, red) according to their likelihood and consequence. Then you make a plan for handling those risk starting with the red ones or the ones that are most likely and has the highest consequence. 
  2. This is where some risks are either accepted or deemed unacceptable. Is deemed unacceptable, then a plan should be implemented to remove that risk or at least lower its likelihood and/or consequence. 
  3. Ideally every risk is removed, but that is not realistic. The goal here should be to lower every risk as much as possible while still being able to run your company. That is why evaluation is important. In some areas of operation some risks are acceptable even though they are rated as catastrophic e.g. In nuclear energy power plants. The risk of a meltdown is accepted but the risk is managed by safety procedures, and other mitigative barriers. 

Risk reporting

- documentation/evaluation. 

  1. The last phase in this risk governance “tool”. This is where you report your findings to the corporation, and an evaluation is made on the whole thing. 

Why is it a good idea to do risk governance? 

First of all, it is nice to know how likely your organisation is of being “hit” by a specific risk. Because then you can manage it! Secondly it saves the organisation a lot of money both in terms of equipment but also in terms of reputation. You gain branding opportunities by being able to say what a safe company you are. You lessen the fear of accident among workers and therefore maintain a human gain, instead of having workers who are scared of coming to work.


Sources

  1. IRGC is a good place to start. Their explanation can be found here.
  2. Another IRGC article about the framework for risk governance can be found here.
  3. CIO Wiki, is also a good place to get an overview. See it here.
  4. ScienceDirect is another great place to look. This is aimed at the IT sector. https://www.sciencedirect.com/topics/computer-science/risk-governance.

About the Author

Mikkel K. Nyegaard

mn@rocconsult.eu

Aspiring risk manager studying Disaster & Risk management at University College Copenhagen. Currently at an intern position at RoC Consult ApS.

Other articles:

'}}
Residual Risk
Can we eliminate every risk in a work process and still finish the process? Maybe if your name is Clark Kent. But for us mere mortals, accepting some risk may be the only way to move the society forward.  This means that accepting and acknowledging a certain level of risk is an integral part of …
'}}
The 5 Why Method 
Introduction: This investigative method aims to uncover the complex relationship between cause and effect, revealing underlying issues. By asking 'why' repeatedly, it peels away layers of complexity until the root cause is exposed. Typically, five rounds of questioning are enough to lessen human errors like bias and assumptions, recognizing that problems don't always follow a …
'}}
ALARP
Eliminating every single risk in a complex operation is impossible, in fact even in simple projects you can never predict or eliminate all risks. This means that you must accept a certain level of risk.  Determining whether a risk is acceptable or not can be difficult though. A lot of factors can affect perception of …

JOIN OUR NEWSLETTER

GET IN TOUCH

Feel free to contact us

for more information

+45 28 60 49 50

contact@rocconsult.eu

Our core business is rehearsing

excellence in your project


RoC Drill is used by:

RoC Consult ApS - All rights reserved.

We use cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Click to learn more