Risk Management is a process that identifies and manages risk. Risk is can be defined as the combination of the probability of an event and its consequences. Risk must include both the positive and negative consequences, including the risk of not being properly positioned to take advantage of favorable consequences. Adequate management of risk does not eliminate risk.
- Risk Identification
- Risk Ranking – assess probability/ likelihood, the impact (individual, financial and reputational), velocity (speed of onset) and weight.
- Risk Treatment – plans to reduce, lessen, or avoid the impact of the risk. Risk Treatment plans are within the risk tolerance of CSU. Cost of implementation of risk treatment plans (if applicable), responsible party, and implementation schedule may be included here. Identify metric to measure success.
- Risk Treatment Measurement – review of risk treatment plans in order to determine success. Adjustment to risk treatment plan may occur here.
- Review and Reassess – may return to risk identification as a first step. Steps 1 through 5 are cyclical to ensure that risks are identified and managed.