Describing risk as a scenario helps to communicate the conditions of the risk and to analyze its probability and impact. The organization first decides whether to accept or reject a risk based on an assessment of whether the risk is desirable or not. With a prioritized list of risks, the next step is to evaluate the options available to address those risks and apply various methods and controls to achieve an acceptable level of risk. Then, the risk manager must inform the various stakeholders of the project, who will communicate that a risk has become a problem and transfer it to the problem registry.
The risk management process is a clearly defined method for understanding what risks and opportunities exist, how they could affect a project or organization and how to respond to them. Reflecting these results in a risk map helps to visualize the relative importance of each risk and can also be useful for sharing risk observations with other interested parties, in particular with those who may be providing (or authorizing) resources to respond to those risks. The ISO 31000 standard, Risk Management: Guidelines, includes extensive information on how to communicate, manage and monitor various risks. It helps companies integrate risk and risk management with strategy establishment and performance management.
In particular, it may be useful to review the headlines about the risks that similar companies have faced, the conditions that have allowed them, and how the risks affected those organizations. Risk categories also help integrate information as managers communicate about, track and adjust the risk response. This step is carried out by the risk owner, the risk manager (with the support of those responsible for the estimates and figures) or the management controller, depending on the organizational configuration of the company. These responses can be applied to groups of related risks that consist of natural families of risks that share fundamental characteristics (such as common factors, positive or negative correlations, etc.). Depending on the priority risks identified, their factors or root causes and their susceptibility to measurement, the next step is for management to choose the appropriate risk response.
Regardless of the purpose, the good news is that a great deal of knowledge about the risk management process is easily available, so companies can adopt the view of the process that best suits their circumstances. To manage them effectively, the risks and opportunities (R&O) identified must be as precise and specific as possible.