We have conducted hundreds of risk assessments in a number of sectors from homeland security to pension funds to Parks and Recreation departments. We have a number of hard lessons learned. These are some common mistakes we have made and seen:
- Lack of a common definition of critical risk terms. This is probably the # 1 challenge that we have seen in conducting risk assessments. Everyone seems to have a different context, point of view, definition, and understanding of critical terms such as even basic terms of what is risk. The fix is to develop a common taxonomy, framework, and dictionary of risk, RBT, and risk management.
- Lack of executive management support for the risk assessment. If a risk assessment is perceived as a low level activity or special project, then these can be early indicators of failure. The key is to have executive management support and follow a top down approach.
- Lack of established ground rules for conducting the risk assessment.Without a set of commonly accepted and understood ground rules, the risk assessment process will get bogged down in disagreements, circular arguments, and positioning and posturing.
- Lack of cultural or context understanding of the organization, function, or process being risk assessed. We have discussed context is worth 20 IQ points. We clearly understood this expression when we were conducting risk assessments of an organization that had an opaque culture and we were wondering why our estimates for the risk assessment were clearly wrong. We simply did not understand the organizational culture and did not include the right stakeholders in the assessment. We did not understand how the risk assessment was going to be used and the fear that it engendered.
- Lack of technical understanding of the organization, function, or process being risk assessed. It is very difficult to establish a peer level dialogue for risk based problem solving and risk based decision making if the process owners do not perceive the facilitators as technical or management peers.
- Lack of involvement of critical risk assessment While we planned the risk assessment carefully using a structured framework, we missed and did not consult with critical process owners. Critical process owners thought we were disregarding their expertise and dismissing them. Big mistake. The risk assessment took much longer than we anticipated and budgeted.Lesson Learned: Address each of the above challenges that are relevant to your organization in the business case. This will help ensure you have a realistic expectation of what is involved in RBT and becoming a risk aware organization