Some risk events are naturally occurring, such as wind, floods, lightning, wildfires, and earthquakes. Some bad things happen through time, usage, and wear and tear. Some bad things happen because of the intentional actions of individuals or groups, such as vandalism triggered by social unrest, terrorism, or just plain meanness. Some may even result from unintentional negligence.
Whatever the source or the cause, facility managers must endeavor to prevent, mitigate, or respond to adverse risks. This article provides a framework for a proactive approach to managing risk in the facilities management context.
There are five steps you can take to create your own facilities risk management plan:
1) Identify adverse risk events
2) Analyze and classify
3) Rate the probability
4) Rate the impact
5) Create an action plan
Let's break these down one by one.
Step 1: Identify Adverse Risk Events
First, open eSSETS’ free Risk Tracking Workbook and make a copy.
The first thing to do is to brainstorm a list of everything that could go wrong. As a facility manager, you probably already know what many adverse events are. In that case, you can start with your own list. Beyond that, though, it's best to schedule a session with some key team members to get some ideas onto a whiteboard or directly into your workbook.
Who to Invite
While we normally tend to invite folks with a positive attitude to meetings, this is a time to seek out the pessimists. (But seriously.) Generally, you'll want to assemble a team that includes some or all of your staff as well as some from other areas of the organization.
If available, invite your CFO, controller, or others from accounting. You may also wish to invite selected contractors with subject matter expertise to portions of the meeting related to their areas of expertise.
How to Identify Adverse Risk Events
This meeting is meant to be a brainstorming session, which means you should encourage everyone to participate and NOT throw cold water on any suggestion. At this stage, try to get every possibility anyone can think of on a list. The list can be rated, culled, and refined at a later stage.
As a facility manager, you probably should not lead the meeting. Instead, find someone in your company with experience as a meeting facilitator. If no one is available, don't worry: read the helpful Forbes article 9 Simple Tips For Leading Brilliant Brainstorms.
Step 2: Analyze and Classify
After your team has made a list of adverse risks, the next step is to analyze and classify each one. Though you might have had one word or a very short description in the initial list (such as cybersecurity attack or tornado), you now want to describe and elaborate on each risk event. This will sometimes result in breaking a single item down into multiple risk events.
There is a concept employed in project management called the Work Breakdown Structure (WBS). The Project Management Body of Knowledge (PMBOK 5) defines the WBS as a "hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables." This same concept can be applied to risk analysis with the creation of a Risk Breakdown Structure, or RBS.
Risk Breakdown Structure, Explained
If that was a little confusing, don't worry. Let’s take a look at an example. If you identified flood as an adverse risk event in your initial list, you may decide that a minor flood and a major flood have very different implications. Similarly, a category 5 tornado would probably affect your workplace in a much different, more disastrous way than a category 1, but it's important to plan for both scenarios.
This type of breakdown will likely apply to many risk events.
A Note on Note-Taking
You’ll want to have one or more designated note-takers during this analysis exercise because the drill-down discussion of each item should produce valuable information useful in the rating of probability and impact that comes later.
During the discussion of each item, it can be useful to select and assign a primary category. This can be used for filtering the long list into logical groupings for further analysis and periodic reviews. Use the default category list provided in the workbook as a starting point, then remove or add categories as needed:
- Resource Overload
- Security - Physical
- Security - Cyber
- Skills Availability
Step 3: Rate the Probability
This step is really just an exercise in judgment. As an extension of your initial list-making session, rate the probability of each adverse risk event's occurrence. The goal is to arrive at a number for each adverse risk event.
What scale should you use?
We suggest using increments of 10%. You could also consider a simple low, medium, and high rating. eSSETS' Risk Tracking Template requires a percentage number, so if you prefer to rate probability by low, medium, or high, just plug in 25, 50, or 75% as needed.
Step 4: Rate the Impact
Like the probability rating, this is a judgment exercise. In this step, the RBS of each risk event becomes critically important. Think back to our simple example in which a minor flood has much less impact than a major flood. Having a clearly documented estimate of just how much a major flood will impact your workplace is the first step to laying out a plan that will allow you to react quickly and efficiently in the event it does happen.
The model provided in the workbook uses weighting values for these 5 impact levels, which you can apply to each risk event:
- Very Low
- Very High
Step 5: Create an Action Plan
Our workbook's Risk Tracking model can provide some guidance in prioritizing the development of your action plan. The model produces a “Risk Score” by multiplying the probability of occurrence by the weighted impact rating.
When you sort the list in descending order, each event's Risk Score can provide a good indication of where you need to focus your efforts.
In general, your risk action plans will involve one or more of these response categories:
- Avoidance - steps you can take to avoid the risk event
- Transference - as in transferring the risk to a third party
- Mitigation - what you can do to mitigate the impact of the risk event
- Acceptance - sometimes the cost of action outweighs the damage from the event
While this framework has been presented as five steps, in reality, risk management is an iterative process. For example, when you come to probability and impact ratings in steps 3 and 4, you will likely determine that there's a need to break down some of your risk events into smaller or more detailed items (step 2).
Risks change over time. New risks emerge. Probabilities change. Response plans evolve with technology and environmental factors.
Your Risk Tracking log needs to be reviewed and updated periodically or it will become stagnant. The appropriate frequency for review will vary by organization, but it is strongly recommended that you set up a recurring meeting for review, such as quarterly, or at least semi-annually.