A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risk. There are four main mitigation strategies.
Risk avoidance (Terminate) involves opting not to undertake a current or proposed activity because it is considered a high risk. The key with avoidance is to use it for situations where:
• the activity is inherently dangerous and/or a serious injury is likely to occur;
• the foreseeable risks are beyond your control;
• the activity is not necessary to fulfil the organisational goals;
• the risks are not acceptable to your organization; or
• you do not wish to devote the necessary resources to manage it properly.
One way of avoiding risks is to exit the business, terminate the project, close the factory etc. Another way is to establish policies and procedures that assist the organisation to predict and avoid high risk events. Testing and screening of products may also be used to avoid defective products. Implementing engineering design reviews in product lifecycles may help identify high risk areas to avoid.
Risk control or risk reduction (Treat) is the process of actually managing the risk: taking proactive steps to reduce the identified risks where possible, and putting steps, rules or procedures in place to minimize the residual risk, so as to reduce the chance of a loss or the severity of such a loss. FMEA, hazard analysis, and other tools are used to identify and prioritise risks. Classic examples of risk control are things like using protective gear for sports activities, setting rules, and of course, supervising to ensure rules are enforced.
Implementing controls is appropriate if it is not possible to reduce occurrence or severity of risks. There are several approaches to reducing or controlling risks. Controls may focus on management or decision-making processes. Another approach is to diversify through a mix of products, technologies, markets, operations and supply chains to limit risks to acceptable or manageable levels. In effect, risk control enables calculated, informed risk taking to occur where the benefits of proceeding with an activity outweigh the much-reduced risks that are present.
Risk tolerance (or acceptance) is where no action is taken to mitigate or reduce a risk because instituting risk mitigation activity is not cost effective or the impacts of the risk are so low. The risk may simply be acknowledged and registered, or it may be flagged for monitoring and periodic re-evaluation in case the likelihood or impact of the risk escalates to the defined threshold for acceptable exposure. In either case, the rationale for risk acceptance should be clearly documented. Tolerance may be an adequate response for low-level risk, given competing demands for resources.
Risk transfer (or spread) involves transferring liability for the consequences of an event to another party. This may be done in two ways:
• Cost, delivery or legal liability may be transferred to an alternative provider under contractual/partnership arrangements for service delivery; however, some responsibility may be retained for ensuring that the risk is managed, e.g. Health & Safety.
• The costs associated with a damaging event may be reduced by transferring some or all of the financial risk to external insurance companies.
Examples include taking out insurance cover, not putting all supply eggs in one basket (in other words, avoiding dual or multi-sourcing), or using contract terms to ensure that the costs of risk events will be borne by (or shared with) supply chain partners (e.g. by clarifying liability for risks at all stages of the contract, using liquidated damages clauses, insisting on supplier insurances, or sharing responsibility for risk monitoring as part of the contract management process).
Risk transfer reduces the organization’s exposure, but at the cost of insurances, possible loss of economies of scale (from disaggregation), and possible damage to supply chain relationships.