ZOOM STRATEGY & CONCEPT OF RISK MANAGEMENT [return to "Risk Management"]
1. Risk reduction measures
After the audit, a review is made. Its objective is to select, among the risks that have been identified and the knowledge of their probability of occurrence, the measures that can be adopted to reduce these threats and/or their impact.
The analysis will focus mainly on risks that have a high probability of occurrence and a major impact on at least one of these aspects: operational, financial or image. These are the risks that have been mapped in the upper right quadrant of the vulnerability chart.
Secondly, it would also wise to analyse:

the risks that have a high probability of occurrence but with a weak impact

the risks with a high impact but a low probability of occurrence
Then, the preventive measures that can be taken have to be identified, either to reduce the probability of occurrence of the risk or its impact.
Afterwards, in the review of the risk reduction measures, it is necessary for each identified measure to:

describe the measure and explain how it will be implemented

qualify and quantify the advantages and inconveniences that the implementation of the measure might generate

make a quantitative estimate of the cost for the implementation of the measure

recalculate the vulnerability level of the risk, once the measure has been implemented
2. Acceptability level of the risk reduction measures [return to "Risk Management"]
The risk catalogue, obtained through the aforementioned review, is sorted to retain the measures that will be acceptable to implement.
Hereafter are some of the sorting criteria that can be used:

the implementation costs

the value, in terms of risk reduction amplitude, of the measure

the actual applicability of the measure

the interest of the company to primarily reduce this or that type of impact
This procedure is mainly done with the client company. The result is a catalogue of risk reduction measures, sorted by decreasing order of importance.
In the last stage, a timetable for the implementation of these different measures is determined, in accordance with their level of urgency. It is wise to apply standard time periods, such as one month, six months, or two years, to sort the measures.
Finally a timetable catalogue of the risk reduction measures is obtained, that can be coupled to the implementation costs and the resulting financial plan that is then obtained can be paired with the costs of implementation and the resulting financial plan is then compared to the completion possibilities what, in return, can influence the timetable, by moving forward certain measures, or to the contrary delay them for later.
3. Specifications for the implementation
Each risk reduction measure must be considered as a modification made to an existing system and its implementation will constitute a project (Change Management).
Depending on the scope of this modification, it often will be possible to combine the implementation of different risk reduction measures. On the other hand, a large risk reduction measure must become a complete new project that might need new funding resources during several trimesters.
In that case, it will be necessary to resort to a complete new organisation of the project in progressive phases: initialisation, analysis, suggestions, implementation and control, finalisation. Therefore it is essential to clearly define the specifications of the implementation, the expected operational and construction requirements, etc.