Risky business – How we manage risks


Working with different clients, you see lots of different methods of managing risk, and we always get asked for our opinions. So I thought we should share how we manage risk on our internal projects.

Here at Siso we use both the ROAM and RIDA methods combined.

What is ROAM?

ROAM is a method for managing risks that categorises them based on their status. The traditional acronym stands for:

  • R – Resolved – The risk has been eliminated or is no longer a problem
  • O – Owned – The risk has been assigned to someone and has not been resolved
  • A – Accepted – The risk cannot be resolved and it has been agreed that no action needs to occur
  • M – Mitigated – An alternative has been found to stop the risk from occurring

We however don’t use Owned. We instead use Open.

Here is our ROAM board

The reason we use Open is that we believe all issues should have an owner. Otherwise, what happens if a mitigated risk doesn’t fully help, or a resolved risk reappears? Who looks after it? What is the escalation route? By making sure all risks have owners, we know the answers to these questions and are less affected by a risk reoccurring.

The second part of the puzzle is RIDA. RIDA stands for:

  • Risks
  • Issues
  • Dependencies
  • Assumptions

We use RIDA to determine how each item should be categorised. Some organisations only allow a single item to be allocated to one category. We allow multiple categories to be chosen. Whenever this occurs, we make sure the item is discussed to see if it needs to be broken down into separate items.

An example RIDA card

When recording risks and issues we use a RIDA card. We have designed our own RIDA card that helps capture the most important data.

On the cards you will see there is a “Date Moved” field. This is used to set the date the card is moved to resolved or closed. When we review the cards during our risk check-in (which we do twice weekly), we see if any cards can be removed from the board. We only remove cards that were moved over a month ago and whose impact is no longer applicable.

I hope that gives you a good insight into how we manage risk.