In addition to being able to flex their facilitation style to meet the varying challenges of the risk workshop and different risk identification techniques, the risk facilitator also needs to handle the people who participate in the risk workshop.
Too many organisations use a risk process without understanding the principles that underlie effective risk management. But what are those principles? One place we might look for guidance is the international risk standard ISO 31000:2009 Risk Management – Principles and Guidelines, which includes a set of principles for us to consider. Each of these principles tells us something important about risk management, and together they set a challenging target for organisations who want to manage risk well.
Risk management is about looking forwards, scanning the uncertain and unclear future in an attempt
to discern what awaits us. It offers businesses, projects and individuals a “forward-looking radar”,
identifying threats to be avoided and opportunities which might be captured. Even though the precise
details of such uncertainties may remain unclear, the “risk radar” can make us aware of their location
and size, helping us to formulate appropriate action plans in advance.
Five frogs are sitting on a log; Four decide to jump off : How many frogs are on the log?
Which is the most difficult step in the risk management process? Where do most businesses and projects fail to gain the benefits of their attempts to manage risk proactively? If your organisation is typical, there’s one particular step where it all seems to go wrong, and the risk management process becomes just another frustrating hoop to jump through, with no tangible benefits.
Several things help to make risk management work. These include a risk process that is simple and scalable, which can be applied across the organisation to manage all types of risk. We also need competent people, with the knowledge, skills and experience to deal with the risks that might arise. Infrastructure is also important, providing the tools to support risk management and handle significant amounts of risk data.
It is easy to understand why some people think that the risk response development phase is
the most important part of the risk process. This is where we get the chance to make a
difference to the risk exposure of our project. If we design and implement good risk responses
to address the risks we have identified and assessed, we will be able to minimise threats and
maximise opportunities, and so optimise the likelihood of achieving our objectives. But if our
risk responses are ineffective (or not implemented), the level of risk exposure remains
unchanged – or may even get worse!
If you ask people which technique they use to identify risks, most will include brainstorming in the list,
usually conducted as part of a facilitated workshop. Indeed for many, brainstorming is not just one
technique among several; it’s the only one they use. Brainstorming is popular for a range of reasons:
- Everybody feels involved, with an opportunity to share their opinion openly
- It produces visible results quickly as the flipcharts fill up around the room
We all know that risk management is supposed to manage risks. But people often understand very different things when they use the word “risk”. One way to solve this problem would be to insist that everyone uses the definitions found in risk standards and guidelines. These definitions have usually been produced by groups of experts who work hard to be clear, to say what they mean and to mean what they say. Unfortunately most people ignore official definitions when they manage risk in practice. Instead they rely on their own ideas about risk which are often limited or misleading. This in turn can reduce the effectiveness of the risk process and stop it delivering the full range of potential value.
The most simple definition of risk as “uncertainty that matters” provides two simple tests for whether something is really a risk or not. The first and most obvious characteristic of a true risk is that it is uncertain. If something is a fact, constraint, requirement, problem or issue, then it is not a risk. However not all uncertainties are risks, which brings us to the second test of a real risk: Does it matter? The majority of uncertainties in the universe are not risks because they are irrelevant. The only reason we need to identify, understand and manage risks is if they matter.
Different projects are exposed to different levels of risk, so the project risk management process must be scaleable to meet the varying degrees of risk challenge. While we can apply a common risk process to any project, that process can be implemented at different levels, from a few simple informal steps to a fully rigorous and integrated process.