We have conducted hundreds of risk assessments in a number of sectors from homeland security to pension funds to Parks and Recreation departments. We have a number of hard lessons learned. These are some common mistakes we have made and seen:
- Lack of a common definition of critical risk terms. This is probably the #1 challenge we have seen in conducting risk assessments. Everyone seems to have a different context, point of view, definition, and understanding of critical terms, down to the basic question of what risk is. The fix is to develop a common taxonomy, framework, and dictionary of risk, RBT, and risk management.
- Lack of executive management support for the risk assessment. If a risk assessment is perceived as a low-level activity or a special project, that is an early indicator of failure. The key is to secure executive management support and follow a top-down approach.
- Lack of established ground rules for conducting the risk assessment. Without a set of commonly accepted and understood ground rules, the risk assessment process will get bogged down in disagreements, circular arguments, and positioning and posturing.
- Lack of cultural or context understanding of the organization, function, or process being risk assessed. We have said that context is worth 20 IQ points. We came to understand this expression fully while conducting risk assessments of an organization with an opaque culture and wondering why our risk estimates were clearly wrong. We simply did not understand the organizational culture and did not include the right stakeholders in the assessment. Nor did we understand how the risk assessment was going to be used and the fear it engendered.
- Lack of technical understanding of the organization, function, or process being risk assessed. It is very difficult to establish a peer-level dialogue for risk-based problem solving and risk-based decision making if the process owners do not perceive the facilitators as technical or management peers.
- Lack of involvement of critical process owners. While we planned the risk assessment carefully using a structured framework, we failed to consult with critical process owners. Those process owners thought we were disregarding their expertise and dismissing them. Big mistake. The risk assessment took much longer than we anticipated and budgeted.
Lesson Learned: Address each of the above challenges that are relevant to your organization in the business case. This will help ensure you have a realistic expectation of what is involved in RBT and in becoming a risk-aware organization.
Robert Muganyizi says
Hello,
I am currently doing some research on risk assessment and I happened to find this article very interesting. I would like to reference it in my research as a way of giving credit to the author. Is it possible to get to know the date when it was published? Thank you.
Fred Schenkelberg says
Hi Robert,
Thanks for the read and interest in the work here. You may use the date that you accessed the article in your reference.
Cheers,
Fred
Greg Hutchins says
Hi Robert:
Much thanks for the kind words. Risk Assessment Challenges was written 11/8/2015.
Sorta a long time. Reach out to me if you need additional information.
My email is GregH@europa.com
Irfaan Ahmed says
While we planned the risk assessment carefully using a structured framework, we missed and did not consult with critical process owners. Critical process owners thought we were disregarding their expertise and dismissing them.
This last point brings up more questions than answers. I am curious as to why critical process owners were not consulted, and didn’t this disregard of their expertise impact the risk assessment process? What was the motivation for such an action?
My thesis is looking at ISO 27001 and its impact on security investment and your article has been cited in my work. Would you be available to support the research part of my thesis by answering a short anonymous questionnaire, if I sent you a link?
I am happy to share all of my contact details privately, so you are reassured that this is all above board.
Thank you for your time
Irfaan
Greg Hutchins says
Hi Irfaan:
We follow an architect – design – deploy – assure model. Think of it as a PDCA.
The architecture of the controls framework would have precluded some of the challenges.
Sure. Pass along the survey to GregH@europa.com.
Best with your thesis. Hope we can assist you.
Happy Holidays
FARIS says
A common problem associated with risk assessment is using a team of people rather than an individual? Is that right?
Fred Schenkelberg says
Hi Faris,
Not sure what you mean here? A well-functioning team can certainly conduct an assessment thoroughly – and individuals will always have a limited view of the organization and potential risks. A risk with a team approach is if it’s not working well, for example, dominated by an individual or it’s unsafe to raise a concern or question out of fear, then a team would not be able to conduct a meaningful assessment.
cheers,
Fred