People are terrible at managing risk, truly awful. Organizations are made up of people and are therefore prone to assessing and managing risk poorly. A defined process is the answer in what is often treated as an area of organizational management where gut feel rules.

Context & Description

  • Risks have a context: they are described with reference to something, e.g. a project, a person, a client, a service, a product, a company.
  • Without a context, risks are not meaningful, and mitigating actions to address them are therefore wasteful.
  • Risks should be described like this:
    • There is a risk that EVENT could happen IMPACT, leading to CONSEQUENCE with the potential for DAMAGE.


  • Using the description template above, define the events
  • Then review the impact of each event and keep these consistent where possible
  • Then work through the consequences
  • Finally, and separately, the damages
  • It takes a strong leader to manage this process
  • Never get into scoring or mitigation until the risk descriptions are complete


  • Score on a five-by-five or six-by-six matrix that is defined before risk identification begins
  • Ensure scores are accompanied by a verbal description; not everyone in the process will think in numbers
  • Assess scores in discrete steps, probability separately from impact
  • That last step is the most important


  • The triangle model demonstrates clearly where to target risk
  • Actions must have an owner and a due date, and should target the EVENT to be most valuable: prevent the risk from happening
  • If actions only take effect after the risk has occurred, you are simply mitigating damage
  • Creating a risk budget by multiplying the cost of fixing an issue by the probability of it occurring is worthless


  • Reviews must be timely for the identified risks, and routine for generic or long-term risks
  • Within the process, ensure overdue mitigating items are prioritized
  • Hold a special review whenever things change: respond
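As an added example (not part of the original notes), the process above as a small Python risk register: the description template is rendered and validated before scoring is permitted, probability and impact are scored as separate discrete steps on a 5x5 matrix with verbal labels, and actions are checked for an owner and a due date and ordered so overdue items and those targeting the EVENT come first. The matrix labels, class names and sample risk are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Verbal labels for the 5x5 matrix, fixed before identification (constructed for this example).
LEVELS = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}

@dataclass
class Action:
    owner: str
    due: date
    targets: str  # "EVENT" (prevention) or "DAMAGE" (mitigation after the fact)

@dataclass
class Risk:
    context: str  # e.g. a project, client, service or product
    event: str
    impact: str
    consequence: str
    damage: str
    probability: Optional[int] = None
    impact_score: Optional[int] = None
    actions: list = field(default_factory=list)

    def description(self) -> str:
        """Render the EVENT/IMPACT/CONSEQUENCE/DAMAGE template; refuse if any part is missing."""
        parts = (self.context, self.event, self.impact, self.consequence, self.damage)
        if not all(p and p.strip() for p in parts):
            raise ValueError("risk description incomplete: no scoring or mitigation yet")
        return (f"[{self.context}] There is a risk that {self.event} could happen {self.impact}, "
                f"leading to {self.consequence} with the potential for {self.damage}.")

    def score(self, probability: int, impact: int) -> dict:
        """Score probability and impact as separate discrete steps, each with a verbal label."""
        self.description()  # a complete description is a precondition for scoring
        for value in (probability, impact):
            if value not in LEVELS:
                raise ValueError("scores must be a level of the matrix (1..5)")
        self.probability, self.impact_score = probability, impact
        return {"probability": f"{probability} ({LEVELS[probability]})",
                "impact": f"{impact} ({LEVELS[impact]})",
                "cell": (probability, impact)}

def prioritise_actions(risk: Risk, today: date) -> list:
    """Overdue actions first, then those that target the EVENT, then by due date."""
    for a in risk.actions:
        if not a.owner or a.due is None:
            raise ValueError("every action needs an owner and a due date")
    return sorted(risk.actions, key=lambda a: (a.due >= today, a.targets != "EVENT", a.due))
```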