It is important at the start of any risk management process to be clear about exactly what it is you are trying to identify the risks for. This is described in a simple document called the Risk Management SCOPE.
Like any business process, risk management does not have unlimited resources and therefore you need to be careful to use those resources wisely. You do not want to spend time trying to analyse and deal with risks which are unimportant to the success of the business or project. At the same time you do not want to accidentally omit risks from your work which could turn out to be critical.
For these reasons you need to develop a scope document for the process. In its most basic form the scope simply defines what will be included in the evaluation and what will be left out. It you have a small start-up company the process of scoping can be quite simple – you just want to include everything in the analysis which could impact the value of the start-up. However if your process will look at the risks in a department within a large organisation you will only need to include those items which are relevant to your department and which you can influence. For example you may not be able to do much about recruitment risks if your organisation has a separate department (H.R.) which exclusively manages all recruitment issues.
I normally refer to the subject of my scope as the Risk Subject. The following are some examples of risk subjects:
- A business entity (like a company, a division or a department)
- A business project (like a building, engineering or transformation project)
- A business process (like a manufacturing, sales, or administration process)
- A job change (from an executive director to the most junior employee)
In the past I found it helpful to use the ‘Value TRAI‘ (pronounced like ‘tray’) to help me identify what is inside (and outside) the scope of my risk management process. The letters T.R.A.I. are simply the initials of the words Targets, Resources, Activities and Interactions. Try to define the risk subject’s scope by determining:
- what are its business TARGETS (or objectives)?
- what RESOURCES would it need to achieve these objectives?
- what ACTIVITIES does the risk subject involve?
- what INTERACTIONS does the risk subject need to carry out it’s activities?
Working through these four questions will help you to put together a simple scope for the risk management process. The value TRAI can also be useful when you come to identifying individual risks and I will explain more about this under the ‘risk identification’ tab. When describing how to identify risks I include some examples of typical targets, resources. activities and interactions. These lists are a useful check-list to ensure you have not forgotten something from your scope document. To move onto risk identification use the link here.
All Intellectual Property Rights Owned by Chris Duggleby