- Julian Talbot
Some risk(y) thoughts
Let's start with the three most common errors when doing a risk assessment:
Inadequate risk identification. Will the real risk please stand up! How to identify and document risk in a watertight fashion.
Failure to show a link between proposed treatments, the risks and organizational objectives. Watch for an example of a risk register linking risks to organisational objectives and treatments. Why should your treatments get funding if you can't show these linkages? MS Excel is a tried and proven tool but has its limitations. A few of us have built a dynamic multiuser platform called SECTARA which has a free trial if you need a better platform.
Failing to understand the context. Don’t do it. If you don’t nail the context, you will never get an agreement on the risks.
Why failure to identify risks is the leading cause of inadequate risk assessments
Inevitably, we will fail to anticipate or identify many risks simply due to the nature of uncertainty. The main problem is typically a failure to explicitly state risk in terms that allow stakeholders to accurately consider it and agree on effective treatments. You can't just say 'Terrorism' is a risk or 'Climate Change' is a risk. Those aren't risks! They are words from a dictionary. Look at 'The CASE for risk identification for a simple way to correctly describe a risk.
How to know whether or not you need a subject matter expert to help you, and if so, how to select the right consultant for the job
This one is worth an entire book on its own. My article on finding a risk management consultant can help you find someone with the skills you need when you need them.
How to build a watertight yet succinct risk management plan that will get funded
Ah, yes. One of the Holy Grails of risk management. Designing a good risk management plan is one thing, but most people will agree that getting it funded is a whole other step. You can download a couple of business case templates from the Downloads menu.
How to spot the flaws or weaknesses in a risk report (yours or someone else's) in minutes
This is much easier than it looks. Just ask these three questions:
Do all the risk statements satisfy the four requirements of the CASE Tool? (Condition, Asset, Source, Event)
Do all the treatment recommendations satisfy the requirements of the 4A’s? (Appropriate, Agreed, Actionable, Achievable)
Can you quickly draw a causal link from each risk treatment to the risk it treats?
That’s all there is to it. Hit those buttons, and you’ll pick up 90% of the strengths or weaknesses in a risk report – and look like a guru in the process.
How to build an all-hazards risk management framework that deals with Black Swans
Plenty of research can help you out on this. In particular, the studies that have been done on a group of organizations that continue year after year with better than average safety records despite operating in some of the most dangerous and complex arenas the world has ever seen.
‘High-Reliability Organizations’ (HROs) is the common term for a category of organizations such as air traffic control systems, aircraft carriers and nuclear power stations that seem to continue on and on despite dicing with calamity daily. Karl Weick and Katherine Sutcliffe have a great book on how to incorporate the lessons from HROs into your organization called 'Managing the Unexpected'.
Enterprise risk management
Enterprise Risk Management (ERM) is more than just a question of scaling up. You can’t simply aggregate all the risks for an organization into a database and say that you have ERM sorted. What the CEO and shareholders see and what they care about at the enterprise level are often much different to risk management issues at the operational or tactical level.
If, on the other hand, you implement ISO31000's Risk Management Framework, you will be 90% of the way there. Let's not over-complicate things - Enterprise risk management is just risk management with a scope that includes the entire organization.
How to introduce a continuum of risk management tools so that everybody from the cleaner to the CEO can apply appropriate risk assessment tools
People often complain that “risk management is too complex” and are usually right. Not because risk management is too complex but because they are trying to use a chainsaw to prune a bonsai plant. Get the right tool for the job, and you’ll be fine.
Adapting ISO31000 to meet the needs of everyone - whether in safety, procurement, finance, security, information technology, or human resources of the Board of Directors – and do it in such a way that they will buy into it.
ISO31000 has been designed to be generic. It works for everyone at all levels. That’s the real power of the standard. It’s not inherently the best of all possible risk management systems – nothing could promise that – but applying it across the board helps you aggregate and consistently compares risks.
After a recent presentation in the United States, I was asked what I thought of risk management in the US. I replied that I thought it was great but that there were about 432 flavors to choose from.
At the same conference, two presenters had given excellent presentations on terrorism risks to US ports. One system was done by the New York Port Authority and the other was done by the US Coast Guard using Los Angeles as the first test of the model. They were both excellent. Sadly they were so different that it was impossible to tell which port was more at risk and which one needed the funding most.
ISO31000 is my pick because it supports an apples-for-apples comparison. Designing and implementing a risk management framework is another topic, but fortunately, I've covered that at this link.
Managing personal career risk – why do our leaders make such (seemingly) misguided decisions?
Why do our managers and political leaders allocate resources to some items and not to others that seem to be more concerning? This question has intrigued me for years, and I think I’ve come to some sort of understanding of the contradictory nature of some of these complex questions. The answer is – as you’d expect – not so simple.
It’s not that complicated either - but it's the 'elephant in the room' when it comes to modern risk management. Putting personal career risks ahead of business risks. It is a truism that incentives drive behaviors. Quarterly bonuses and stock options skew risk management, often with unintended consequences. And it's not just financial rewards. Training, promotions, or just avoiding being made redundant are part of the tapestry of modern life. Until we deal with that particular issue of career risk, the other (organizational) risks will take second place.
Advanced Risk Modelling
How to crunch the numbers and come up with reliable risk management using stats, Monte Carlo modelling and more - without having to do a PhD in statistics or spreadsheets. And yes, there are some relatively easy ways to get reliable data. It all starts when you change the mindset from a statement of "we don't have enough data to model that" to "what data do we need, what do we already have, and what can we inexpensively source?"
Beware of three types of software in particular:
Enterprise risk management software that promises to be all things for all people.
Enterprise resource planning software (you know the one I mean) comes in with a quote in the order of tens of $million but ends up costing you hundreds of $millions. The one I'm thinking of has even been the cause of some companies going bankrupt. Not just that it's so expensive, but the processing throughput is ridiculously slow. And, to add insult to injury, you have to modify your processes to the system. The system doesn't modify to meet your processes. Did I mention ISO31000, for example?
Quantitative risk management software. Particularly if it promises accuracy to three decimal places or somesuch. Monte Carlo modelling is excellent, but it is an input to risk assessment. Not risk assessment, and certainly not risk management. Equally so for laboratory trials, quantitative financial risk management, and statistical models. Excellent information but not a substitute for risk management.
Microsoft Excel is pretty good (very good, in fact), but the only one I know that works is the one we built to replace our multitude of Excel spreadsheets. Fast, easy to use, defensible, and rigorous. My favorite risk management flavours.