How We Built a Risk Management Plan at Websum

Every employee is a risk manager. That’s what we believe at Websum.

And every employee should have a plan, a methodology to identify, treat and manage risk in the work they do.

As a CEO or a Founder, you’re obviously responsible for risks throughout the company.

So, the first question that needs to be asked is, do we as an organization have a risk identification, treatment, and management plan?

At Websum, we did not … till recently.

Now we do.

Here’s how we built one.

Risk Identification

First step is obvious. One needs to know what the risk is.

So, we pulled up an Excel sheet and created the following columns.

  • Risk ID (Department ID – Risk ID, for example: 01-0001)
  • Risk Identification Date
  • What is at risk? (Asset, Process, Personnel, Data, etc.)
  • What can cause the risk to take effect? (Vulnerability)
  • What is the impact? (Actual Threat)
  • Likelihood Score (0 = Not at all, 1 = Somewhat, 2 = Very much)
  • Consequence Score (0 = Not at all, 1 = Somewhat, 2 = Very much)
  • Risk Score (Addition of Likelihood and Consequence scores)
  • Existing Controls in Place to manage/mitigate this risk.

Each department head must fill this list. And, then they’re all combined to create a Master Risk Identification Risk.

Risk Treatment

While all risk needs to be treated, we determined that risks with a score of 3 or 4 should be given a higher precedence over other risks.

To do this, we added a few more columns to the Excel sheet

  • Risk owner (who will treat the risk)
  • Treatment due date (When should risk be treated by?)
  • Treatment completion date (Date on which treatment was applied)
  • Treatment applied (description of what was done to treat the risk)
  • Reviewed By (most likely a manager)
  • Likelihood score after treatment (To be added by person reviewing the treatment plan, most likely a manager)
  • Consequence score after treatment (To be added by person reviewing the treatment plan, most likely a manager)
  • Risk score after treatment (To be added by person reviewing the treatment plan, most likely a manager)

Risk Management

Once all identified risk is treated, it is best to monitor them and ensure scores for all risks is at 0, 1, or 2. Obviously lower the risk score, better for the organization.

Our plan is to revisit the risk management plan every 90 days at the minimum.

To ensure this, we added three last columns on the excel spreadsheet

  • Risk Assessed by (person’s name)
  • Risk Assessed Date
  • Risk Assessment Score

These three columns will be added every ninety days to ensure timely assessments are performed and to keep their record.

Additional Considerations

Depending on your preference you may or may not want to keep all this on one single spreadsheet.

In that event, you can have two spreadsheets – Risk Assessment sheet, and Risk treatment sheet

Or you can further break this down and have these two sheets for EACH of the departments within the organization.

It is our hope that this plan not only helps us manage current risks, but also help us foresee and mitigate future risks. We are confident that this will only make our execution better, and save us resources in time, money and manpower going forward.

Implementing a risk management plan is a win for Websum.

Reach out

I hope this helps! I highly encourage you build one for your company also. Reach out if you have questions. I’d love to help you build or refine an existing one.

When small business owners like us help each other, we all grow together.

Enjoyed this post? Don’t miss future posts. Fill this form

* indicates required

Leave a comment

Your email address will not be published. Required fields are marked *