9 lessons learned for effective risk management

Jurriaan van Reijsen

Jurriaan is a Security, Privacy & Prevention Officer at Avisi. In all three areas, he applies risk management as a key discipline to aid the organization and its teams to identify and treat risks related to information security, personal data privacy, and safe and healthy working conditions. Jurriaan was trained in risk management at QSN where he learned theory and practice while working in a team of highly skilled risk management consultants.

Published: 17 June, 2019

Risk Management is arguably one of the most important disciplines ever to master. The ability to accurately assess risk and effectively implement risk treatment measures is what makes or breaks any project or initiative. It is applicable to anything, whether you are building a house, treating a patient or developing software. In this blog, I will discuss our top lessons learned which you can apply directly in your own risk management efforts.

Our approach

At Avisi, we apply risk management to everything we do. Focusing on our software development projects, our aim is to develop robust software. We do this by identifying typical software risks - such as security, privacy and scalability risks - early on in the software development process. This allows us to mitigate such risks at an early stage, preferably in the software design stage. This has many benefits over uncovering and having to mitigate risks later on in a project, when revisiting earlier decisions can be much more complex and costly.

In our approach to risk management, we have devised our own risk management method, adopted from and building upon the well-known Kinney & Wiruth method. Based on best practices and our personal experiences, we shaped our risk management method with features such as a visual risk heat map and a direct tangible relation between risks and measures.

Practice at our organization has provided ample opportunity to prove and hone our method, given that Avisi is a typical umbrella organization with many distinct and different teams. In the first six months of this year, we have already applied our method 16 times. You will find our top lessons learned outlined below.

1. Formulate a risk management process

Understanding risks and measures is one thing, but conducting a risk assessment and building a risk treatment plan are in a different league. Knowing which steps to take and in which order is key to making the process understandable and repeatable. This results in consistent reports and a capable organization. Write up a risk assessment and treatment process that properly explains how to conduct each step along the way.

2. Use a template

This one is obvious, but it's still worth mentioning. Processes and templates go hand in hand, as each process step covers a specific part of the template. Furthermore, using a template makes it easier for your teams to understand what needs to be done when assessing risks and devising measures. The biggest advantage, however, is consistency. Templates make risk management reports consistent between teams, which makes them more readable, and consistent over time, which allows for easier comparison between this year's and last year's risks and measures.

3. Apply a process-oriented approach

Where should you start when writing down risks? In our early days, we would generate a list of all information systems involved in a given project and write down any risk that we could imagine, given the content of that list. This blinded us from risks that were not directly related to an information system. This led us to change over to a process-oriented approach. At the start of every risk analysis, we summarize all key processes in-scope (e.g. writing code, testing software and releasing software) and then add the information systems involved. From there on, we start thinking about possible risks that can occur anywhere in each process. We have found that this exercise helps teams to adopt a holistic view of their work, yielding increasingly more specific risks and measures.

4. Don't freak out over risk weights

Weighing risks can be a time-consuming aspect of the risk analysis, but it doesn't have to be. A pitfall in any risk analysis is to be overly deterministic about the exact weight of the likelihood, exposure, and effect of a risk. This consumes a lot of time and can lead to disagreement among team members, while the benefits are negligible. Instead, you should estimate weights by approximation. The goal should be to distinguish between low, medium and high risks. Estimation works best to do just that.

5. Visualize your risks

Risk assessment reports tend to become cluttered as more risks are documented. Each risk comes with a description, risk category, weight, and measures. This makes risk overviews quite information-dense where information can be hard to find. We overcome this by color coding risks by their severity level (low risk is green etc.). Furthermore, we plot our risks on a heat map, which visually indicates both absolute risk severity and relative risk severity compared to other identified risks. Visualizing risks helps us to quickly shift focus to the risks that require the most attention.

Figure: an example of a risk heat map.
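To make lessons 4 and 5 concrete, here is a small risk register written for this post (it is not Avisi's method or tooling): risks belong to a process step, are weighted on a coarse three-point scale for likelihood, exposure and effect, scored Kinney-style as the product of the three, banded into low, medium and high, and laid out on a text heat map. The scales, the severity bands and the sample register are all constructed assumptions; the post itself gives no numbers.

```python
from dataclasses import dataclass

# Constructed three-point scales: the post gives no numeric scale, and lesson 4
# argues that coarse estimates suffice to separate low, medium and high risks.
SCALE = {"low": 1, "medium": 2, "high": 3}
LEVELS = ["low", "medium", "high"]

@dataclass
class Risk:
    name: str
    process: str      # the process step the risk belongs to (lesson 3)
    likelihood: str
    exposure: str
    effect: str
    measure: str = ""  # the SMART measure linked to this risk (lesson 6)

    def score(self) -> int:
        """Kinney-style product of likelihood, exposure and effect (1..27)."""
        return SCALE[self.likelihood] * SCALE[self.exposure] * SCALE[self.effect]

    def severity(self) -> str:
        """Assumed bands on the product: 12+ is high, 4..11 medium, else low."""
        s = self.score()
        return "high" if s >= 12 else "medium" if s >= 4 else "low"

def ranked(risks):
    """Risks ordered by score, highest first, so attention goes to the top."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def heat_map(risks):
    """Text heat map: rows are effect (high at top), columns are likelihood."""
    grid = {(e, l): [] for e in LEVELS for l in LEVELS}
    for r in risks:
        grid[(r.effect, r.likelihood)].append(r.name)
    rows = ["effect \\ likelihood | " + " | ".join(f"{l:<16}" for l in LEVELS)]
    for e in reversed(LEVELS):
        cells = [", ".join(grid[(e, l)]) or "-" for l in LEVELS]
        rows.append(f"{e:<19} | " + " | ".join(f"{c:<16}" for c in cells))
    return "\n".join(rows)

# Constructed sample register for the processes named in lesson 3
REGISTER = [
    Risk("Secrets in repo", "writing code", "medium", "high", "high",
         "Pre-commit secret scanning on all repos, owner: team lead, by 2019-09-30"),
    Risk("Untested release", "releasing software", "low", "medium", "high",
         "Deploy blocked on failing pipeline, owner: release manager, by 2019-07-31"),
    Risk("Flaky test suite", "testing software", "high", "high", "low"),
]
```

Calling `ranked(REGISTER)` puts the 18-point secrets risk first, and `heat_map(REGISTER)` shows it in the high-effect row while the flaky tests, frequent but low-impact, sit in the bottom row; the third risk has no measure yet, which is exactly what lesson 7 is about.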

6. Formulate SMART measures

The key to any effective risk assessment is to directly link an identified risk to a measure that can mitigate that risk. However, that measure is of little value if it is not formulated SMART. Make the measure...

  • Specific so that the risk owner knows exactly what to do.
  • Measurable so that you know if and when the measure has been implemented.
  • Attainable so that the measure is more than an idealistic never-achievable would-be solution and can actually be implemented.
  • Relevant so that the measure is an effective solution to mitigate its linked risk.
  • Time-based so that it is clear when the measure should be implemented within a realistic time frame.

7. Obtain commitment

A risk in itself is that measures - once formulated - tend to become passive and disappear into a team's backlog. They are only recovered when next year's risk analysis is due, only to be found in the exact same state as when they were formulated: unresolved. Formulating SMART measures is already a huge step in activating these measures, as it provides every measure with an owner and a deadline. Make your measures even more actionable by securing commitment through appointing a "risk champion" from the team where the risk analysis was conducted. Frequently discuss the state of the measures with that risk champion in order to keep the measures active and to stay updated, as a risk manager, on the progress of your teams.

8. Organize your measures

Just like in project management, effective organization is indispensable for risk management. The right tooling can make all the difference in the organization of your risks and measures, allowing you, for example, to dashboard the status of measures and collaborate on measure implementation. At Avisi, we practice what we preach by using Confluence for documenting our risk assessment process, template and reports, and by using Jira to manage and collaborate on measure implementation.

9. Support your teams

Last but not least, it is imperative to train and guide your teams in their risk management efforts. While you are best at the risk management method, they are best at the risk management content. By enabling your teams to conduct a proper risk assessment, you allow them to combine knowledge on method and knowledge on content, resulting in the best possible outcome.
