“Knowing others is intelligence; knowing yourself is true wisdom.” – Lao Tzu
One of the best ways to get to know yourself is to understand what your weaknesses are. This is true for any business, and for any project as well.
Evaluating risks is not fun but, by doing regular risk assessments, you strengthen your business (or project), and – should the unforeseen occur – you are much better positioned to address it.
So how do you go about doing a good risk review? Here are the 7 steps:

1. Brainstorm
The first step is to identify as many risks as possible. You should consider what has gone wrong previously, what could possibly go wrong in the future, what has been in the news, or what threats your industry faces.
You could also look at different categories, for instance:
- Operational – what could threaten service delivery to clients and stakeholders?
- Technological – what mishaps, changes, or advances (such as AI) could put your organisation or project at risk?
- Legal – what regulations impact or affect your sector?
- Economic – which changes will affect the economic viability of your business?
- People – what could pose a threat to your people, for instance, another pandemic?
- Environmental – what risks do environmental and structural changes pose?
- Reputational – what would happen if your reputation was negatively impacted?
This list of risks must be noted down. It could be a simple table in MS Word.
2. Impacts
Once you have a list of possible risks, you need to know how each one would impact your business. Impacts are generally financial, but sometimes they can be hard to quantify. It is important to try to quantify what the impacts are, beyond just the immediate costs.
Impacts could include increased time employees and management would have to spend to rectify the situation, reputational damage, and/or potential loss of income.
Knowing the impact of a potential risk allows your organisation to determine how much time and money to put into preventing the risk from happening.
3. Causes
And how do you prevent a risk from becoming a reality? You need to determine what could cause each risk. For instance, ransomware could be caused by an employee opening a link in an email sent to their private mailbox, a company-wide malicious email campaign, or someone downloading something from the internet. A legal risk could be a new law being brought into effect, or new certification requirements imposed by a client.
As you can see, each risk could have multiple causes.

4. Mitigations
Once you have established the potential causes for each risk, you can put mitigating actions in place. The ideal mitigation is to prevent the risk from occurring entirely. Preventing a ransomware attack may mean having firewalls, limiting internet access, putting spam filters in place, and ensuring employees understand the risk of clicking on links.
Not all risks can be completely prevented; most actions can only reduce the likelihood of the event occurring, or reduce its impact. This means that additional mitigations may be needed. For our ransomware example, this may mean having full back-ups to restore from, should a ransomware attack occur, or having insurance in place to pay the ransom.

5. Indicators
Everything so far is a very good basic risk management process but, to level up your game, you will want to know as soon as possible when a causal event has occurred. From our examples above, you will know you have been hit by ransomware when you are shut out of your systems, but how will you know if a new law has been passed?
This may mean putting checks in place so that you know immediately when a causal event occurs, or ideally even before it does. For the legal example, this may mean assigning someone in the legal or HR department to review the government gazettes.

6. Assess
After you have captured all the above information for each risk, i.e. impact on the business, potential causes, mitigations, and indicators, it is time to assess your risks. I suggest rating each cause of a risk on the following:
- Severity – impact on the business should this risk occur
- Occurrence – the likelihood that this risk will occur, even with all the mitigations in place
- Detectability – how likely it is that you will know that this has happened, i.e. how good your indicator is.
Based on the assessment, each risk can be categorised as either negligible, minor, major, or extreme. Naturally, the organisation must take further actions for those risks deemed extreme and major.
7. Next steps
As with any good action plan, the next steps to further mitigate the extreme and major risks (as identified above) must be written down. Best practice indicates that each action needs the following:
- Description – a clear description of what action needs to be taken
- Responsible person – the person who will ensure that the action is taken
- The expected completion date
Based on this, regular risk review meetings should be held. The agenda for these meetings should include reviewing and reassessing risks, and ensuring progress is made on the action items.
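The assessment in step 6 and the action plan in step 7 are easy to keep in a small risk register. The following is an added example, not part of the original article: it rates each cause by severity, occurrence and detectability, rolls the worst cause up to the risk, categorises the risk, and checks that every action for a major or extreme risk carries the three fields listed above. The 1–5 scales, the multiplicative score (borrowed from the FMEA risk-priority-number idea) and the category thresholds are assumptions, not figures from the article; the sample ransomware and new-law risks are constructed from the article's own examples.

```python
"""Risk register scoring for steps 6 (Assess) and 7 (Next steps).

Assumed 1-5 scales (the article does not fix any), higher = worse:
  severity      1 = negligible impact ............ 5 = catastrophic
  occurrence    1 = very unlikely with mitigations  5 = almost certain
  detectability 1 = certain to be noticed at once . 5 = would go unnoticed
Score = severity * occurrence * detectability (1..125), an assumed
FMEA-style risk priority number; thresholds below are also assumptions.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Cause:
    description: str
    severity: int
    occurrence: int
    detectability: int
    mitigations: list[str] = field(default_factory=list)
    indicator: str = ""

    def score(self) -> int:
        for name, value in (("severity", self.severity),
                            ("occurrence", self.occurrence),
                            ("detectability", self.detectability)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        return self.severity * self.occurrence * self.detectability


@dataclass
class Action:
    description: str
    responsible: str   # the person who will ensure the action is taken
    due: date          # expected completion date


@dataclass
class Risk:
    name: str
    category: str      # operational, technological, legal, ...
    impact: str
    causes: list[Cause]
    actions: list[Action] = field(default_factory=list)

    def score(self) -> int:
        # A risk is rated by its worst cause.
        return max(c.score() for c in self.causes)


def categorise(score: int) -> str:
    """Map a 1..125 score onto the article's four categories (assumed cut-offs)."""
    if score >= 60:
        return "extreme"
    if score >= 30:
        return "major"
    if score >= 10:
        return "minor"
    return "negligible"


def needs_action_plan(risk: Risk) -> bool:
    # Step 7: only major and extreme risks require written next steps.
    return categorise(risk.score()) in ("major", "extreme")


def validate_action(action: Action) -> list[str]:
    """Return the missing fields an action must have (empty list = complete)."""
    problems = []
    if not action.description.strip():
        problems.append("missing description")
    if not action.responsible.strip():
        problems.append("missing responsible person")
    if action.due < date.today():
        problems.append("completion date is in the past")
    return problems


def build_register(risks: list[Risk]) -> list[dict]:
    """One row per risk, highest score first, for the review-meeting agenda."""
    rows = []
    for r in risks:
        cat = categorise(r.score())
        rows.append({"risk": r.name, "category": cat, "score": r.score(),
                     "open_actions": len(r.actions) if needs_action_plan(r) else 0})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register built from the article's own examples.
RANSOMWARE = Risk(
    name="Ransomware", category="technological",
    impact="Loss of system access, staff time to recover, possible ransom",
    causes=[
        Cause("Employee opens link in email to private mailbox", 5, 3, 2,
              ["spam filters", "awareness training"], "shut out of systems"),
        Cause("Download from the internet", 5, 2, 3,
              ["limit internet access", "firewalls"], "endpoint alert"),
    ],
    actions=[Action("Test restore from full back-ups", "IT manager", date(2099, 1, 1))],
)
NEW_LAW = Risk(
    name="New law affecting the sector", category="legal",
    impact="Cost of compliance changes",
    causes=[Cause("Regulation passed without our knowledge", 3, 2, 4,
                  indicator="legal/HR reviews government gazettes")],
)
BAD_ACTION = Action("", "", date(2000, 1, 1))  # constructed: fails every check

if __name__ == "__main__":
    for row in build_register([NEW_LAW, RANSOMWARE]):
        print(row)
    print(validate_action(BAD_ACTION))
```

Because the score takes the worst cause, the two ransomware causes (30 each) keep the risk at "major" while the legal risk scores 24 and lands in "minor"; adjusting the detectability of the legal cause downward once a gazette reviewer is assigned is exactly the kind of re-rating a review meeting should record.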
