Inspired by the processes of NASA, the Alliance Governance Team explore the ins and outs of risk management that will help your organisation expect the best and be prepared for the worst.
Risk Management the NASA way
Unsurprisingly, putting a rocket into space is an incredibly risky endeavour and as such NASA takes its risk management process incredibly seriously.
Its risk management handbook is over 220 pages long, incredibly detailed and in places completely irrelevant to organisations on earth (it’s not often that we have to deal with space debris colliding with our customers, staff or shareholders).
However, the core principles are invaluable and applied to our organisations to improve the way we deal with risk.
What is Risk?
At a basic level, risk is the possibility of an outcome not being as expected.
We weigh up risk everyday of our waking lives, mostly on an unconscious level.
Should I take an umbrella on my walk today?
Is this the best time to cross the road?
Should I have that extra slice of cake?
(the answer to the latter question is almost always ‘yes’ and ‘I’m happy to take the risk’)
On an organisational level, risk comes from both internal and external sources. The external risks are those that are not in direct control of the management. These include political issues, exchange rates, interest rates, pandemics and so on. Internal risks, on the other hand, include non-compliance, information breaches, staff absence etc
How do we manage risk?
In order to manage the impact of risks in an organisation we need a systematic approach to alleviate any negative consequences of a specific phenomenon. This is known as risk management and is a process by which firms:
“IDENTIFY MEASURE, PRIORITIZE AND MITIGATE THE ADVERSE EFFECT OF UNCERTAINTIES”
— Chapman and Ward
Risk management is incredibly important and should be at the heart of an organisation’s strategy and coupled with its future objectives. If a company defines objectives without taking the risks into consideration, the organisation will lose direction if any risks come to fruition.
The process that NASA uses to manage risk is called the Continuous Risk Management (CRM). This cyclical method consists of 5 steps with an overarching layer of constant communication.
Continuous efforts to capture, acknowledge, and document risks as they are found. In organisations this can be done with workshops, interviews or data analysis.
An evaluation of all identified risks to estimate the probability of occurrence, severity of impact, timeframe of expected occurrence and when mitigation actions are needed. The use of risk matrices are a great tool to lead your thinking during this process.
Establishes actions, plans, and approaches for addressing risks and assigns responsibilities and schedules for completion. Thinking of potential scenarios where things don’t go to plan will help clarify your thinking when risk planning.
Capturing, compiling, and reporting risk attributes/metrics to determine whether risks are being mitigated effectively and risk mitigation plans are being performed correctly. For example, to avoid loss of office equipment, a sign out register would be completed by staff when an item is required. A monthly inventory check can be taken to see how effective that register is.
An activity that utilises the status and tracking information to make a decision about a risk or risk mitigation effort. In your organisation this process could involve action planning, controls and training procedures to help increase control over the risk
Risk Communicating and Documenting
Well-defined, documented communication tools, formats, and protocols assure that there is an overt action to communicate and document the risk at all steps of the CRM process.
Communication and documentation can be in the form of an action item log, risk information sheet, risk database, mitigation plan, status report, tracking log, and/or meeting decision.
Here is an example of NASA’s Zeus project risk management and data flow with communication prompts at every step:
Now is as good a time as any to review your risk management processes.
Whilst NASA’s processes seem arduous, even if you don’t quite achieve space grade risk processes, adopting certain elements will improve the way you identify, navigate and mitigate any potential issues to your organisation.
To quote Norman Vincent Peale:
“SHOOT FOR THE MOON. EVEN IF YOU MISS, YOU’LL LAND AMONG THE STARS.”