Identify, assess, plan a response, control and monitor responses. And the traditional four response plans: accept, transfer, mitigate, and avoid.
I call this "risk register risk management". The main purpose of the process is to get ahead of the future.
But, what if I actually want to take a risk? Now, instead of the four steps of traditional risk management, I need a decision policy and a process to implement it. Do I make or buy? Do I bet on this technology or another? Do I take on this project partner or another? I still need the assessment practices, and I still need the monitor and control practices, but my orientation is not towards a risk register.
Different still, what if I want to forecast performance? Shouldn't I look at the uncertainties that are attendant to the estimates I've been given? Isn't history--that is, efficiency--a factor? Sounds like earned value. Could it be that EVM is risk management in disguise? Again, though I really don't need a risk register, I can borrow some of the assessment practices. But controlling and monitoring the performance measurement baseline is a bit different than keeping a watch on the future.
Actually all of this is risk management:
Estimate threats, including threats off baseline
Purposefully take a risk
Forecast outcomes from estimates leavened by uncertainties
When managers tell me that they can't get buy-in to the formality of the stepped process to build a risk register and so they can't do risk management, I say "baloney", or words to that effect.
Just driving to work is risk management on a risk you choose to take. And, through insurance, some driving risk you've already transferred. Making a decision is taking a risk on uncertain outcomes; thus risk management. Forecasting next week is risk management. It's only a matter of applying a little common sense, analytical thinking, and some rationalization to be in the game of risk management.