So now you have a prioritised list of risks. And you know a bit about them and you know of things you can do to manage or minimise them.
Now, what are you actually going to do?
Every action you take to minimise likelihood or manage impact has a cost. Sometimes those costs are low. Sometimes they are excruciatingly high. How do you decide what actions to take?
“In taking Rex for a walk, there is a risk that Rex will make me trip and fall which could result in an injury affecting my ability to do anything that requires walking”.
I’ve seen countless examples of enormous spreadsheets that calculate the cost of minimising or managing risk, compare these to the benefit and tell you what to do.
I believe that this is a massive example of over-engineering.
Some risks are big enough to require a level of calculation, but if you’re spending time and effort on calculating the cost-benefit of managing a risk that is of low likelihood and low impact then you’re already breaking your business case.
Limit these calculations to risks with high impact and likelihood scores. Start with those that score 12 or more. Maybe extend some of that to those that score 9. Then stop.
You are a clever person. You have the ability to use judgement. Use it.
Once you have worked out what you are going to do, you need to do it. Sounds simple enough, but one thing that is often forgotten is the opportunity cost of these actions. Every time you or a member of your team spends energy on these activities, there is energy not spent on other things. It might totally be worth it, but where the effort is significant it should be tracked in a similar fashion to other effort.