Risky Business: The Top Risk Management Tools, Techniques, Softwares and Methodologies

Risky Business: The Top Risk Management Tools, Techniques, Softwares and Methodologies

Most of us have learned the hard way that lightning strikes when we least expect it.

And when it strikes, you want to be prepared. Because if you don’t get ahead of an incident or an issue, you pay the price. Scope increases, budgets swell and deadlines are extended. Sometimes, when a project cannot scramble and adapt to risks right away, it falls through the cracks entirely.

But risks present a double edged sword. While it’s clear they must be managed, it doesn’t make sense to pour energy into mitigating a disaster that may not ever occur. Why spend a lot on something that MIGHT happen? That’s a hard sell.

Plus, managing risks has become increasingly complicated. Back in the day, they could be addressed with a simple spreadsheet (and even further back, with good old fashioned pen and paper). But in the here and now, organizations have become so complicated. Risks are closely tied in with compliance, regulations, and capacity management. And there’s no way all of that can be managed with a spreadsheet.

Fortunately, there are plenty of tools to simplify these conundrums, and sophisticated softwares to keep your finger on the pulse. They ensure you waste as little resources as possible on risk management, and lose as little as possible when an incident or issue occurs.

From a SWOT analysis to the bowtie method, to a few more in between, this post is going to break down some of the best techniques to manage risks, as well as provide a list of the top risk management softwares on the market. But first, let’s consider all of the stages of a risk management plan.

The Five Stages of Risk Management

Although risk management is covered during the planning phase of a project, it isn’t a one-and-done process. Risk management is all about keeping a project within the constraints of time, scope and budget, and so it weaves its way into every phase of a project. End-to-end risk management includes five principal stages. Before exploring tools and softwares, let’s briefly discuss these stages and the key components of each.

1. Establish Context

This first stage of risk management is about getting to know all the ins and outs of a project. Planning documents such as the procurement document, the requirements document and the project scope statement outline the scope and budget for the project. A work breakdown structure identifies the high level requirements. And a network diagram is an excellent tool for determining the necessary time frame for completing these requirements, as well as hard dependencies between tasks. Discussions with all project stakeholders provides further clarity around the parameters of a project.

Together, all of this research provides the planning committee with some breadth and establishes a firm knowledge base for a project. It allows all of the serious risks to surface. And the next step is putting a risk management plan into place.

2. Identify and Analyze Risk

This second step is probably the most significant portion of risk management. At this stage each risk is analyzed to determine its probability of occurring and its impact on the project’s scope and timeline. While many of these estimates are speculative, strong business acumen and industry knowledge helps to ensure these estimates are in range.

The second step is to determine a threshold for each risk. This step looks at probable risks that pose a real threat to a project’s completion, and determines how much risk the project can handle. It disregards those risks that don’t pose a serious threat. (For example, a winter construction project would definitely consider the risk of snow. An autumn construction project, however, where snow is unlikely, may not take any precautionary measures against a snowstorm.)

The third step in the process is to determine the risk response. It asks questions such as, How much risk can the company take on? Can it afford to face certain risks? And if not, how can it avert them? Generally, organizations decide to either avoid, transfer, mitigate or accept a risk.

• Transfer is also known as risk sharing. It offloads a risk to a third party who is better positioned to handle the risk.
• Mitigating a risk means lessening its severity or impact. This could be something like installing a firewall.
• Avoiding a risk means to eliminate it altogether. While this is the safest solution, oftentimes it isn’t really realistic. Take internet security, for example. Avoiding the risk of a cyberattack would mean shutting down the internet altogether, which for most businesses is an impossibility.
• And finally, accepting the risk means fully incurring the costs associated with an incident or issue. The impact of the risk must be fully calculated before choosing this option.

3. Evaluate and Treat Risks

As we know all too well, once a project is underway, risks have a way of becoming issues. What does this mean? A risk, simply defined, is an uncertainty that matters. The event or circumstance is a possibility, but it hasn’t occurred. An issue, on the other hand, is a negative risk that has become a reality.

Issues oftentimes require quick action and thinking in order to mitigate loss. And so evaluating and treating risks leans heavily into the planning and preparation from the previous stage. One strategy for mitigating risk is to assign a risk owner. This is someone who oversees a specific risk and takes the appropriate measures, should the risk become an issue. This concentrated focus on an individual risk ensures that all risks receive due attention.

4. Monitoring and Reviewing Risk

This fourth stage supervises the project and looks out for risks. Scope management and change management both come into play at this stage, as significant changes to a project impact the project’s risks. For example, the implementation of a new software system, or changes to requirements impact the type of risks that a project is exposed to. At this stage, it’s also necessary to closely monitor deliverables to identify and eliminate instances of gold plating.

This stage also looks out for risk triggers, which is anything that might cause a risk to become an issue. This includes things like poor communication at daily scrum meetings or low attendance at employee trainings. Both of these scenarios could result in subpar deliverables or safety hazards on the job.

5. Record and Report Risks

This final stage of risk management is to record and report risks into a risk register or log. This stage serves two functions. First of all, it’s necessary for good project closure. A post-mortem meeting allows the project manager to present stakeholders with a full explanation for any additional costs incurred during the project. Secondly, it serves as a helpful document for future projects. An orderly and coherent risk log provides an excellent reference tool. It makes it easy to identify possible risks in similar upcoming projects. This way, the risk tolerance decreases to lower and lower levels over time.

This summarizes how risk is managed within a project from beginning to end. Now let’s look into some helpful tools for managing risk.

Risk Management Tools & Strategies

Let’s go over some risk tools and strategies that assist with risk management. These tools can be used at various stages of a project, and many work well in combination with each other.

1. Causal Mapping

Causal Mapping is a tool for the execution phase of a project. It helps to treat, monitor and record risk.

It’s easy to apply a band-aid solution to an issue, only to have it occur again and again. Causal mapping is effective because it remedies root causes. It is also a powerful visual method. It’s a flow chart that identifies an issue or incident and all of the conditions that led up to it. Generally, the issue is recorded into a rectangular box, and all of the conditions leading up to are recorded in oval boxes. This simple diagram makes it easy for everyone in management to grasp the incident and all of the events leading up to it.

At its essence, causal mapping is an investigation tool. The cause of an event isn’t always readily apparent and it enables a team to dig deep into an incident and fix the true cause. For example, maybe a website launches but it has several glitches. The first reaction is to blame this on the testing process. Through asking a series of “why” questions, it may become apparent that the real cause is that the team is overworked and so didn’t have sufficient time to complete the tests. The fix, then, isn’t to improve testing procedures but rather to hire more employees.

The research necessary for filling out the causal map is usually obtained through interviews. Observing processes is also helpful in the research process, as it allows the team to understand the sequence of events.

2. Bowtie Methodology

The bowtie methodology is a practical risk management tool that dates all the way back to the 70s, and is still applied to workplace scenarios today. Also known as the butterfly or barrier method, this technique derives its name from the fact that the final diagram looks very much like a bowtie or a butterfly. The risk is written in the center, and the barriers butterfly out to the left and right, creating a triangular pattern on either side.

This method focuses on both preventing a risk from occurring (these preventative measures are listed on the left side of the bowtie) and recovering from an incident or issue (these proactive measures are listed on the right side of the bowtie). The bowtie method is helpful for safety issues as well as mitigating financial loss due to risks.

Whereas in the past, this method took a more quantitative approach to risk management, the bowtie method has evolved to become more qualitative. What does this mean? A quantitative assessment evaluates the dollar amount that stands to be lost due to various risks. However, some risks cannot be quantified. Take an incident that reduces a brand’s public image. It’s difficult to put a dollar value on this type of issue, even though it’s clear it poses a serious threat to the company. A qualitative approach embraces a broader spectrum of pertinent risks.

3. Fishbone (Cause and Effect) Analysis

The Japanese organizational expert, Ishkawa, developed this risk management technique in the 1960s. It’s a visual technique that is also used for quality control. When all of the information is mapped out, it ends up looking like a fishbone.

With this analysis, the head of the fish represents the problem to solve, or the objective to achieve. Fishbones extend off of the head to represent various categories relating to the problem or objective.

Let’s look at an example to illustrate how the fishbone analysis works in risk management. Take an injury from a forklift incident. The immediate response in this scenario is to simply attribute the incident to negligence on the part of the forklift operator and call it a day.

However, the fishbone analysis takes a broader approach that identifies secondary causes. It branches out to examine other areas such as the quality of the training offered to the forklift operators, the safety features on the forklift, the warning signs in the area (or lack thereof), and other aspects of the work environment.

This broad analysis brings a wealth of facts and information to the table. It makes it possible to pinpoint the true causes of an incident, and remedy those areas to prevent future incidents.

Oftentimes the true cause of an incident isn’t obvious at first, and so in order to use this method effectively, it’s necessary to fill in all of the fishbones and look at all related topics.

4. ALARP

ALARP is an acronym that stands for as low as reasonably practicable. This is a risk technique that’s helpful in the risk evaluation phase.

How does this method work? During the planning stage of a process, the team evaluates and breaks down a risk. Then it applies all available resources to minimize serious risks. Sometimes this means transferring a risk to somewhere else entirely.

While there is no such thing as zero risk, ALARP seeks to achieve as low a level of risk as possible. The level of risk that a project takes on varies from industry to industry. An unacceptable level of risk would be any risk that, should it occur, would make it impossible for an organization to function normally. These risks need to be nipped in the bud. While a more moderate risk (one that didn’t pose such a serious threat) might simply require risk reduction.

Risk management is a process and as managers become mature and skilled, the overall level of acceptable risk declines. One key to reducing risk levels is to diligently record and report risk in a register.

5. Business Impact Analysis

A business impact analysis, as the name suggests, measures how a risk impacts a business, both qualitatively and quantitatively. This tool is necessary for measuring the severity of certain incidents, issues and interruptions to a project.

This analysis looks closely at work processes and considers how they work together and depend on one another. It considers how a disaster or incident would impact these processes, and establishes a process for bringing an organization back on course after a disaster or incident occurs. Good risk analysis is never performed in isolation to other disciplines. The business impact analysis works together with quality control.

This information necessary to perform a business impact analysis is obtained through questionnaires, interviews and workshops. This research determines the potential consequences to a disruption in the business. This analysis considers both preventive and mitigation measures, and establishes an acceptable recovery time frame for incidents and issues.

6. SWOT Analysis

A SWOT analysis is helpful to complete with key stakeholders during the first and second stages of the risk management process, during the time when the project’s context is established and the risks are identified.

The SWOT analysis evaluates the strengths, weaknesses, opportunities and threats of a project. Breaking a project down into these four categories makes it possible to not only identify the risks, but also to understand them in the context of the overall vision for the project. This way, it’s simpler to determine those risks that post a serious threat to the final deliverable, and those that aren’t so serious.

7. Checklists

This “technique” may sound like no-brainer, or too simple to really even be included here, but the truth is that a checklist is a powerful tool for mitigating risk.

As previously mentioned, projects, systems and processes have increased in complexity over the years. And it’s gotten to the point that we can hardly recall all the components of even a simple process in our head. A checklist captures everything, including minute details, and mitigates the risk of leaving out “small” or “insignificant” details.

For example, a planning committee might make a checklist of all of the features to include in the final deliverable, including functional and nonfunctional requirements. Or it might brainstorm a list of the resources required to complete the deliverable, including all the equipment, labor, materials, and office space needed.

A checklist helps to reduce brain clutter and cognitive overwhelm. Additionally, it’s visual, and with everything laid out, say on a white board at a meeting, it’s easier for everyone to contribute so that all details are captured.

8. Risk Control Hierarchy

A risk control hierarchy provides five solutions for reducing risk, ranking each solution from the most to the least effective. This ranking makes it easy to identify and apply the best solutions into your risk management plan. The five solutions in a risk control hierarchy are:

• Eliminate the Hazard
  Ideally, this is the safest solution. But more often than not, it isn’t practical. A forklift poses serious risk, for example, but oftentimes it’s impossible to simply remove it from the workplace. In many environments, it’s the only tool capable of performing necessary tasks.
• Substitute the Hazard
  This is an effective way to treat a risk, and one that’s generally more practical than the first solution. Perhaps a work environment uses a cleaning supply with chemicals that are harmful to an employee’s health. Generally, this can be swapped out for a more benign cleaning supply.
• Engineering Controls
  This solution prevents a risk from occurring by putting locks and prohibitive measures in place. It is similar to the way many automobiles have safety locks to prevent children from opening doors. However, this solution isn’t as strong as the previous two measures. For example, when too many people know the code for bypassing the controls, it’s no longer effective.
• Establishing Safe Work Systems
  This step includes things like training employees and posting safety or warning signs in threatening areas. Even though this step is necessary and critical, it usually needs other controls to properly mitigate risk. Signs, after a time, are simply ignored, and the practices developed at training sessions oftentimes are quickly forgotten.
• Personal Protective Equipment
  As the name suggests, this includes providing employees with things like goggles, hats and other protective workplace gear. Although it’s helpful, if you have to resort exclusively to this final solution, you may be looking at a serious hazard. For example, passing out hardhats into an environment where equipment is going to fall at any moment isn’t going to do a whole lot. Generally, this final stage needs to be applied in conjunction with one of the previous stages.

These five steps are useful in a mitigation strategy. As mentioned, generally more than one of the solutions is applied to a given risk.

9. Delphi Technique

The Delphi Technique makes it possible to navigate the complexity of modern organizations and successfully mitigate risk.

The Delphi Technique dates back to the Cold War. It derives its name from the ancient Greek Delphi Oracle, who would grant fortunes and prophecies to those who visited her shrine. But that doesn’t suggest that this method is unreliable. Rather, it’s a tried and true process that distills solutions by gathering input from a variety of experts.

Risk management requires knowledge from many disciplines. The Delphi Technique systematically questions a panel of experts around a certain risk. Then it synthesizes these answers to derive a second round of more focused questions. It continues in this fashion until it has pinpointed both preventative and proactive measures to handle the risk.

10. Price Risk Insurance Tools

Price and risk are close cousins, and getting the price right can either make or break a business. In many industries, including livestock and farming, businesses need to lock in a price with buyers for a period of time. And while no one has a crystal ball that foretells future market conditions, it is possible to get an idea of where things are headed in order to establish a lucrative and sustainable price for a business.

Tools like a put option and futures contract hedge against the risk of a sharp decline in prices. The European put option is a popular tool as well, as it locks in a price for a given period of time.

When evaluating an approach to price strategy, it’s necessary to look at both the national and the local market, and then consider the relationship between the two. Oftentimes a national decline in prices doesn’t impact the local market, and local conditions don’t impact the national conditions. Knowledge is power with price risk, and this understanding of markets allows you to use price tools effectively.

And this summarizes ten helpful tools for risk management. But it’s by no means comprehensive. Risk management is a broad tool, and things like brainstorms, focus groups, surveys, questionnaires, 1:1 meetings and interviews can all play a part in evaluating and managing risk.

The 5 Best Risk Management Softwares Out There

Risk management softwares simplify the very complex task of risk management. They use the tools and techniques listed above, and make it easy to apply them to a variety of industries, and within remote and in-person work environments. Let’s look at five of the most powerful risk management tools on the market.

1. Resolver

Resolver is a software that ensures your risk management plan is consolidated and comprehensive. It brings multiple departments together into one unified platform and enables a cohesive approach that reduces redundancies.

Some of its services include incident management, investigations, and compliance requirements. It also conducts internal audits so that you can catch things before the regulators do!

Resolver makes it easy to unearth root causes of risk and reduce overall risk tolerance. It’s a software that’s useful to use in conjunction with either the causal analysis or the fishbone analysis.

Over 1,000 organizations use Resolver in a variety of industries, including healthcare, education, retail and financial services. It supports dozens of applications, and caters to many risk profiles.

2. Risk Optics (Formerly Reciprocity)

Risk Optics is the go-to software for cyber risk management. Its “ROAR” service stands for Risk, Observation, Assessment and Remediation. In essence, Risk Optics allows its users to identify issues, then enact preventative and proactive measures to manage risks and issues simultaneously.

This complex software is really a step up from a simple spreadsheet. It allows departments and stakeholders to communicate and share concerns over risk. Its calculation features allow users to perform quantitative risk analyses and determine the weight and cost of various threats.

Every industry has a different tolerance for risk, and the software also provides industry standards and benchmarks to reference in determining your own risk tolerance.

3. Qualys

Qualys brings everything together into one platform, making it easy for teams to congregate and take action around incidents and issues. With Qualys, there’s no need to switch between interfaces to manage risk.

This software automatically highlights threats and pinpoints risks before they become issues. Its services include compliance, web app security, cloud native security, IT security and asset management.

It’s easy to scale and add new features with Qualys. It boasts of 10,000 customers worldwide, and offers a free introductory period to new users.

4. Audit.io from Hooper Labs

Audit.io from Hooper labs is a risk management software that offers project management capabilities to boot! Not only is it possible to automate your risk management systems, but with this powerful software you can build workflows and assign tasks as well. It’s the perfect tool for remote teams, as it brings everything together into one place for simplicity and efficiency.

This intuitive, easy-to-use software includes drag and drop tools for building checklists and workflows. It digitally records all audits for quick historical reference. It also offers tools for inspections, compliance, and comprehensive standardization of procedures and processes.

No one is left in the dark with this software, either. Its communication tools allow for fluid daily interaction between teams.

5. Safran Risk Manager

Safran Risk Manager is a step up from old fashioned methods of managing risks and issues.

This software incorporates many popular risk management tools and techniques, including the bowtie technique and impact analysis. This makes it easy to evaluate the preventative and the proactive costs of risks.

There’s very little duplication of work with Safran Risk Manager. Its risk tabs pre-fill so that you never have to enter the same information twice. With Safran Risk Manager, you can link risks up to specific projects or deliverables and assign them to a risk owner. Its filtering technique makes it easy to identify risks related to specific projects. It also files risks away into a comprehensive risk log that makes it easy to learn lessons and reduce overall risk over time.

And this summarizes five powerful risk management tools. With these tools at your service, there’s no need to sweat about project risks again.