Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Since 2002, I’ve been involved in well over 100 risk assessments as either an in-house risk manager or as a consultant. Actually, let me rephrase that.
Since 2002, I’ve been involved in the beginning of well over 100 risk assessments. However, I’ve seen many fewer risk assessments completed. Of those completed assessments, fewer still actually get turned into any kind of meaningful action.
Take a minute and think about your organization. How many risk assessments were started but then fizzled out? Even when a risk assessment was completed, were the recommendations put into action? Did anyone really know what to do next? How many of these assessments are in a forgotten folder or gathering dust on a shelf somewhere?
This has always been deeply frustrating to me: an incomplete risk assessment or one that doesn’t prompt corrective action is unsatisfying and a waste of time and money. Worst of all, it erodes the organization’s faith in the whole risk management process. This makes people question the importance or usefulness of a risk management system at all.
If you’ve found yourself thrown into the middle of a risk assessment project, your inclination will be to get straight into the details and to start planning the assessment itself. Getting these details right is very important but these aren’t the things that prevent your assessment from being successful. Instead, it’s usually the bigger issues that prevent you from getting finished or, in some cases, even starting in the first place.
Looking back at the assessments that I’ve been involved in and comparing those that weren’t finished to those that were completed successfully, the same five challenges cropped up time and time again. So before you get into the weeds, take a moment to think about these issues which, at a minimum, will make your assessment more difficult. At worst, they can kill your assessment altogether.
No Mandate or Buy-in
Management support and buy-in are critical for any major initiative to succeed. You will definitely need them for something that requires you to poke around in an organization's deepest, darkest corners and then tell people to change their work habits. So make sure that you have genuine buy-in from senior management before you start. This mandate also needs to be made public, so that everyone involved knows that you are working with the support of senior management.
Even then, that might not be enough to guarantee plain sailing.
Years ago, I was on a three-month project with an oil and gas firm in West Africa. They had contracted me to conduct a risk assessment and develop a series of corrective steps to help comply with some maritime regulations. This had all been agreed upon and sanctioned by their corporate security team who had issued the contract. However, the local Operations Manager didn’t think this was necessary. Every week, we would meet to review the project. And every week, he would spend the first half of the meeting telling me why it was a waste of time.
This made the project more challenging but at least I had the mandate from Corporate Security to fall back on. Without that, the Operations Manager would have simply stonewalled me and the risk assessment would have fizzled out.
I think that the lack of a mandate from senior leadership is the single biggest risk assessment problem you can face and the one that will have the greatest impact on the success or failure of your assessment.
Insufficient Resources
A mandate without resources is almost as bad, so make sure that you have the support you need to actually see the project through.
Do you need additional staff?
What about a travel budget to get you to the various sites?
Do you need external consultants or to buy software?
And what about the time available? Do managers across the organization know that the senior leadership team wants them to allocate time to this? And has your own time been freed up to complete the task or is this yet another ‘to-do’ on your list?
You can complete a risk assessment from your desk. However, without the time and resources required, it will be a thin piece of work which will make definitive action difficult. Make sure that your mandate also includes approval for the resources you need.
No Clear Purpose
In case you think that I was being too hard on the Ops Manager I mentioned earlier, he did do one thing right.
He’d always ask “Tell me again, why are we doing this?”
Although it was frustrating to rehash the conversation each week, he wasn’t wrong to keep asking that question. If you don’t have a purpose for your risk assessment – and stick to it – you will lose your way and are unlikely to fulfill the mandate.
For example, an annual risk assessment to meet a compliance requirement will look different from the assessment of a potential partner before a merger. Without keeping the end result in mind, you and the assessment could easily get off track.
So keep asking questions. What’s the purpose? Who is going to implement the mitigation? Is there even a need for an action plan or is this more of an ‘academic’ survey?
Remember that the risk assessment is part of a bigger risk management process. People in your organization will be planning to do something with the results, so have a clear purpose and a defined path in mind. That will ensure that they can use the report to support whatever decision-making or planning process they are engaged in.
No Agreed Methodology
Sometimes, teams can get quite far into the risk assessment process before they start to think about how they will actually assess the risks. A lack of clarity about the methodology, language and metrics that you are planning to use, before you actually start to analyze the risks, is disastrous.
The worst example of this was a major assessment that I was involved in where two different groups were using two different methodologies. Suffice to say, bringing the whole assessment together was an emotional time.
Luckily, we had the time and resources needed to fix the problem. However, without that buffer, months of work would have been wasted.
It’s worth noting that everyone involved was a risk management professional and we should definitely have known better. Our mistake was to assume that we were all using the same process without explicitly checking before we started. If we had been a less experienced team, we probably wouldn’t have made this mistake as we would have spent time discussing and confirming the assessment process.
Make sure that everyone involved understands the process and methodology that you are using from the get-go. At a minimum, this will save you a lot of work later. Otherwise, the results could be so garbled that they’re unusable and you will have failed to achieve your aim.
Too Specialized or Esoteric
Finally, keep things simple. There are a lot of different risk assessment methodologies and I’ve also been guilty of trying to reinvent the wheel at times. As someone who has dabbled in security risk management, I would say that security teams are repeat offenders here with no sign of giving up anytime soon.
But if what you produce is too specialized or esoteric, it’s probably not something that the rest of the organization can use. Using a totally untested methodology, producing a report solely in emoji or using 5 different shades of red to show risks is going to be really interesting. Really, really interesting….
However, it won’t be very effective.
So remember KISS: keep it simple. Make sure that your work aligns with the organization's risk management system and adheres to whatever guidelines or regulations are in place.
The Overlooked Risk Assessment Problem is…
I said that there were five problems but in addition to the challenges listed above, there’s a sixth, squishier problem.
People simply lose interest.
Every organization has a lot going on and everyone is ‘busy’ but people also have limited attention spans. So they get bored with the risk assessment and it gets less and less attention. Or something more shiny and exciting comes along which takes priority. This happens even when they have paid – or may still be paying – a lot for consultants to manage this process.
The result is a zombie project: one that’s stumbling along, not fully dead, waiting for someone to put it out of its misery.
Think about your project like a gym membership. Most people are only interested in the first month or two. After that, you will see a real drop-off in interest so plan accordingly.
Keep interviews tightly scheduled and make sure the participants see some results within a few weeks. Plan activities over six- or eight-week sprints, not a six-month slog. And embrace 'good enough.' The 'perfect' 12-month plan doesn't exist, and trying to create one only benefits one group: consultants on a day rate.
Stack the Odds in your Favor
There are other things that can go wrong and derail your risk assessment: civil unrest, key staff being fired, or the company simply going out of business. I've seen projects abandoned for all of these reasons.
But these are the exceptions.
The six issues noted above recur time and time again. These account for the majority of abandoned or unsuccessful risk assessments.
So keep these in mind when planning your assessment and you are much more likely to achieve your aim. This way you can stack the odds in your favor and see the whole process through, rather than adding another file to the stack of abandoned projects.