• Make a daunting task fun.
1. Create a team.
The team should consist of stakeholders who are truly interested in risk management and want to be a part of the process to create a plan (Operations, IT, Human Resources, teachers, students, police, parents, grandparents). If you are creating this for a community/neighborhood, be sure that no one uses your meetings as a reason to pontificate on their soapbox; no one has time for or wants to deal with that person. Choose your group wisely. All the responsibilities of the team, as well as the roles and duties of its members, should be identified and agreed to.
2. Define what risk looks like for you.
The team should spend some time creating a definition of risk. Risk looks different in different places and in different departments: it can include fire, emergency evacuations, lost data, floods, disgruntled employees, fights, etc. Be sure you reflect your organization’s attitude and tolerance for risk. This is important because the definition should not be textbook or cookie-cutter. The definition must mean something to your organization specifically.
3. Identify the specific risks.
Start brainstorming all of the specific risks. Give your team half sheets of colored paper and have them write the specific risks in 3-5 words with the markers on as many sheets as they need. Nothing is off limits; keep an open mind and write everything down. Come up with as many risks as you possibly can, and encourage your team not to hold back.
4. Organize the risk.
You probably have an overwhelming amount of colored half sheets and you may be wondering what the heck you got yourself into. Don’t give up yet. It is important that you make sense out of your brainstorming. Group like half sheets and place them in vertical rows, and keep going until all the half sheets have a home. Review the rows and, with agreement from the team, combine and discard as necessary. Create a unifying header; for example, you may have categories called Physical Security, Data Protection, Safety Hazards, Financial Risk, Project Management, etc. Put the header on top of the corresponding column and voilà! But you’re not done yet.
5. Rank the risk.
Continue the creativity. You can color code the risk by red, yellow, green, or use names: most severe, moderately severe, minimal concern; low, medium or high; or my favorite, walk, jog, run. The key is to stick with the same ranking system, so don’t overcomplicate it; just be sure you can clearly define the levels and/or seriousness. Make sure that when you are ranking risks you rank them based on the impact they will have on your organization. Some impacts can be ceasing of operations, financial impact, etc.
6. Create a strategy for reducing and mitigating risk.
This is where people feel intimidated: creating an actual strategy to reduce/mitigate risk. Don’t get scared; just keep pushing along and use your flip chart. Start with the risk that has the greatest impact and create a plan around all the ways you can prevent the risk and how to respond should the risk not be totally preventable. Assign who will be responsible for handling and implementing the strategies and, above all, be realistic about the resources you will need to be successful.
7. Put your plan on paper.
Have a team member act as the scribe and write down everything on your risk management wall, or take a picture with your iPad or tablet. Just make sure you capture all of your data and hard work. Create a document from all of your notes and make sure everyone understands that your risk management strategy is a living document.
8. Test the plan.
Even the best-laid plans can fizzle. Try the plan out by creating exercises or scenarios. Depending on your resources, this can be a full-scale exercise involving emergency management personnel, or tabletop exercises and employee drills. Make sure you debrief with all involved after testing your plan to figure out what worked, what didn’t and what you can improve. Tweak your plan as necessary.
9. Continuous monitoring.
You didn’t go through the hard work of creating a risk management plan to never look at it again; it is a very important part of how your organization operates. Monitoring your risk is ongoing. You are never finished. The risk team should meet monthly to review the plan and work toward continuous improvement on a scheduled basis.