People are terrible at managing risk. Organizations are made up of people, and are therefore just as prone to assessing and managing risk poorly. A defined process is the answer in an area of organizational management that is too often run on gut feel.
Context & Description
- Risks have a context: they are described with reference to something, e.g. a project, a person, a client, a service, a product, a company.
- Without a context a risk is not meaningful, and the mitigating actions taken against it are wasted effort.
- Risks should be described like this:
- There is a risk that EVENT could happen, causing IMPACT, leading to CONSEQUENCE, with the potential for DAMAGE.
- Using this template, first define the events
- Then review the impact of each event, keeping impacts consistent across events where possible
- Then work through the consequences
- Finally, and separately, the damages
- It takes a strong leader to manage this process
- Never get into scoring or mitigation until the risk descriptions are complete
- Score on a five by five or six by six matrix that is defined before risk identification starts, not adjusted during it
- Ensure every score is accompanied by a verbal description; not everyone in the process will think in numbers
- Assess the scores in discrete steps, probability separately from impact
- That last step, keeping probability and impact separate, is the most important
- The triangle model shows clearly where to target risk
- Actions must have an owner and a due date, and to be most valuable should target the EVENT, i.e. prevent the risk from happening
- An action that only takes effect after the risk has occurred is simply limiting the damage
- Creating a risk budget by multiplying the cost of fixing an issue by the probability of it occurring is worthless
- Review must be timely for the identified risks, or on a routine schedule for generic or long-term risks
- Within the review process, ensure overdue mitigating actions are prioritized
- Hold a special review whenever circumstances change; respond, do not wait for the next scheduled review
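The process above can be enforced in code rather than left to discipline. The following risk register is an added example written for this page, not something the original author supplied: it fixes the matrix and its verbal labels before any risk exists, refuses to score or plan actions until the four-part description is complete, keeps probability and impact as separate scores, requires an owner and due date on every action, and sorts open overdue actions to the top for review. The label wording, the sample risk (a TLS certificate expiry on a payments service) and the dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# The matrix is fixed ahead of risk identification and never edited during it.
# These 5x5 verbal labels are an assumption for this example; the page does not
# prescribe a particular wording, only that words accompany the numbers.
PROBABILITY_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Action:
    """A mitigating action. Every action carries an owner and a due date."""
    what: str
    owner: str
    due: date
    targets_event: bool      # True if it prevents the EVENT rather than limiting damage afterwards
    done: bool = False


@dataclass
class Risk:
    """One risk, described in its context before it is scored or mitigated."""
    context: str
    event: str
    impact: str
    consequence: str
    damage: str
    probability: Optional[int] = None
    impact_score: Optional[int] = None
    actions: List[Action] = field(default_factory=list)

    def is_described(self) -> bool:
        """True only when context and all four template parts are filled in."""
        return all(part.strip() for part in
                   (self.context, self.event, self.impact, self.consequence, self.damage))

    def describe(self) -> str:
        """Render the risk in the page's sentence template."""
        return (f"[{self.context}] There is a risk that {self.event} could happen, "
                f"causing {self.impact}, leading to {self.consequence}, "
                f"with the potential for {self.damage}.")

    def score(self, probability: int, impact: int) -> int:
        """Two discrete scores from the predefined matrix; refused if the description is incomplete."""
        if not self.is_described():
            raise ValueError("complete the risk description before scoring")
        if probability not in PROBABILITY_LABELS or impact not in IMPACT_LABELS:
            raise ValueError("scores must come from the predefined matrix")
        self.probability = probability
        self.impact_score = impact
        return probability * impact

    def score_text(self) -> str:
        """Number plus words, so people who do not think in numbers read the same thing."""
        if self.probability is None or self.impact_score is None:
            return "unscored"
        return (f"{self.probability * self.impact_score} "
                f"({PROBABILITY_LABELS[self.probability]} / {IMPACT_LABELS[self.impact_score]})")

    def add_action(self, what: str, owner: str, due: date, targets_event: bool) -> Action:
        """Actions are only planned against a fully described risk."""
        if not self.is_described():
            raise ValueError("complete the risk description before planning actions")
        action = Action(what, owner, due, targets_event)
        self.actions.append(action)
        return action


def overdue_actions(risks: List[Risk], today: date) -> List[Tuple[Risk, Action, int]]:
    """Open actions past their due date, most overdue first, for the review meeting."""
    overdue = [(risk, action, (today - action.due).days)
               for risk in risks for action in risk.actions
               if not action.done and action.due < today]
    return sorted(overdue, key=lambda entry: entry[2], reverse=True)


def example_register() -> List[Risk]:
    """Constructed sample data: one risk with two actions, one preventive and one reactive."""
    risk = Risk(context="payments service",
                event="an unnoticed TLS certificate expiry",
                impact="the API to refuse connections",
                consequence="checkout failing for all customers",
                damage="lost sales and SLA penalties")
    risk.score(probability=3, impact=4)
    risk.add_action("automate certificate renewal", "platform team", date(2024, 5, 1), targets_event=True)
    risk.add_action("alert on certificates expiring within 14 days", "SRE", date(2024, 4, 1), targets_event=False)
    return [risk]


if __name__ == "__main__":
    register = example_register()
    for risk in register:
        print(risk.describe(), "->", risk.score_text())
    for risk, action, days in overdue_actions(register, date(2024, 6, 1)):
        kind = "prevents event" if action.targets_event else "limits damage"
        print(f"{days:>3}d overdue  {action.owner:<14} {action.what} ({kind})")
```

The register deliberately has no expected-cost field: the page rejects budgeting by cost times probability, so the only number kept is the matrix score, and it is always shown alongside its verbal labels.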