The bases of decisions become vague and arbitrary due to the increasing number of facts that are less and less reliable. For this reason, decisions must be made more and more frequently based on estimations and probabilities. In risk management these accepted values are formally worked out by identifying, analyzing and evaluating risks as well as creating measures (see ISO 31000 http://ow.ly/EN5PU). Since this is always a matter of allegations, speculations and assumptions, you must ask yourself how much effort you want to spend on the assessment of risks. A wasteful collection of input variables, an elusive calculation method and the lengthy reconciliation of opinions do not make the estimations reliable. Additionally, black swans, wild cards and tipping points disrupt the assumed forecasts without prior warning. Therefore, risks should be determined with little expenditure, in order to arrive at estimations faster and more economically. The following procedure is a simple approach for making risks manageable.
You can identify, arrange and derive measures in three steps.
- Identify risks
For this purpose, scan your business model and the external influence factors for technological, cultural, organizational and economic risks (more here: http://www.memecon.com/influence-factor-model-.html). Which technological risks are in the products and services? Which cultural risks have to be considered internally and externally? Which organizational risks can be derived from the internal and external governance? Which economic risks are in your internal resources and the overall economic situation?
Consolidate the list to 5 plus or minus 2 risks that will be considered in the next steps.
- Classify risks
Assess each risk on the list with regard to its probability of occurrence and the extent of potential damage. The scale goes from small, to medium, to high. For the probability of occurrence this means: small = no signs; medium = indirect signs; high = concrete evidence. The extent of damage can be arranged as follows: small = costs are small; medium = considerable costs arise; high = costs exceed the financial capacities.
Follow your gut feeling. However, ensure that you have concrete proof for the high assessments.
- Plan measures
For each risk, specify countermeasures based on its assessment. High risks need activities that are planned in detail and supplied with resources. Medium risks are roughly planned with financial accruals. Small risks are assigned responsibly without a concrete plan. On this basis you can react quickly when the risks occur.
For the high risks, make sure you have concrete action plans that can be started at short notice as plan B (including the project organization and the availability of sufficient resources).
Bottom line: Regardless of the level of hierarchy or the size of the activity, you should always determine and assess internal and external risks as well as define countermeasures. Since everything is based on assumptions and opinions that may prove to be wrong, the risks should be controlled with minimum effort.