Risk assessments can be complex beasts. Some of them can take months to complete. But if you have a requirement to get a risk assessment done and done now, then ISO31000 (using SECTARA to facilitate the assessment) is the shortest, fastest approach I can recommend.

The Process

1. The risk assessor conducts a one-hour meeting with the 'client' (the stakeholder/s responsible for the assessment) to confirm the scope of the risk assessment, context, risk criteria, and deliverables.

2. Facilitate a 2-hour online (or face-to-face) initial risk workshop in the first week with all key stakeholders to list and evaluate the assets, sources of risk, and controls.

3. Prepare and provide the client with a draft risk assessment report and register (minus risk treatment recommendations) within days after the risk workshop.

4. Update the draft based on feedback from the client.

5. Facilitate another 2-hour workshop with stakeholders to confirm and rate the risks and recommend draft treatments.

6. Revise the text and ratings of the risk statements and the risk treatments.

7. Present the draft report to the client.

8. Incorporate client feedback into the risk assessment.

9. Provide the client with the risk assessment and treatment plan during a 60-minute presentation.

Deliverables:

1. Risk assessment report

2. Risk treatment plan

The Fine Print

It sounds easy to describe the process this way, especially if you ignore the days for work for the poor risk assessor to refine and polish the stakeholder inputs between the risk workshops. It isn't that easy and takes a lot of skill and experience. But it works.

At the most fundamental level, this is the best way I can suggest you do an operational risk assessment for a project, critical infrastructure facility, venue, or business unit. It won't suffice for an enterprise risk assessment, but that is an entire project in itself, and I have a book coming out soon to address that topic.

The Hard Part

The hardest part of this process is getting all the stakeholders to the two workshops. Only run two workshops, and be sure you get the stakeholders to attend both workshops together. It will make herding cats look easy. But you will have an agreed result if everyone is there to discuss the risks as a group.

Don't be tempted to run the same workshop twice with different stakeholders. Group B will overrule or disagree with some of the views of Group A, and you risk being stuck in the bottomless pit of revision purgatory. You'll find yourself caught in the middle. Adding material previously removed or vice versa, and negotiating by email the differing opinions about the risks or risk ratings. I speak from experience. :-)