Risk Framework
Risk management is an integral part of delivering products. There are many approaches to it. For example: ignore it, hope that the risk manager will do everything, or take the risk framework provided by the risk team and copy-paste example actions from it into your project risk assessment. None of those are good, though.
So, my understanding of a decent process is the following:
- The risk team worked nice and hard to produce a risk framework with a matrix to calculate risk rating based on risk likelihood and impact.
- The risk manager works with a project team (architects, project managers, and owners) to collect a list of risks associated with a project.
- This list or table will have a risk description (so it is clear what the risk is about), the risk likelihood, its most significant impact, and a description of the risk consequences. It must be easy to discuss the risks without second-guessing what each one is about!
- The project team (and mainly the architect) suggests a list of controls to modify the risk and treatments to reduce its likelihood or impact.
- The risk manager estimates the effectiveness of treatments and controls, potentially suggests a list of follow-up actions to take.
- And then the process repeats itself, until all the risks are covered or are accepted by the business (with a sign-off!).
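The loop above, as an added example that is not from the post: a small risk register where each entry carries the description, likelihood, impact and consequence, controls reduce likelihood or impact, and the check reports which risks still need another round because they sit above the agreed appetite without a business sign-off. The 1..5 scales, the rating bands and the sample risks are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5x5 matrix: rating = likelihood * impact; band thresholds are illustrative.
def risk_rating(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1..5 scale")
    return likelihood * impact

def risk_band(score: int) -> str:
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # effectiveness as estimated by the risk manager
    impact_reduction: int = 0

@dataclass
class Risk:
    description: str        # plain words, so nobody has to guess what it is about
    likelihood: int
    impact: int
    consequence: str
    controls: list[Control] = field(default_factory=list)
    accepted_by: Optional[str] = None  # business sign-off when residual risk is accepted

    def residual(self) -> tuple[int, int]:
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lk, im

    def residual_rating(self) -> int:
        return risk_rating(*self.residual())

def open_items(register: list[Risk], appetite: str = "low") -> list[str]:
    """Risks needing another round: above appetite and not signed off."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [r.description for r in register
            if order[risk_band(r.residual_rating())] > order[appetite]
            and r.accepted_by is None]

# Constructed sample register (hypothetical project, not from the post).
REGISTER = [
    Risk("Secrets committed to the app repo", 4, 4, "Credential leak",
         controls=[Control("pre-commit secret scanning", likelihood_reduction=3)]),
    Risk("Single-region outage", 2, 5, "Service down for hours",
         controls=[Control("multi-region failover", impact_reduction=2)],
         accepted_by="Product owner"),
    Risk("Unpatched base image", 3, 3, "Known vulnerabilities reachable in prod"),
]
```

Running `open_items(REGISTER)` leaves only the unpatched base image: the first risk was treated down to "low" and the second was signed off.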