Conducting a risk assessment is a big project and, like any big project, there are a lot of things between you and success. However, there are five common risk assessment problems that crop up time and time again. These make the difference between success and failure no matter what else you do. Keep these five problems in mind and plan accordingly to maximize the chances of success with your next risk assessment.
Since 2002, I’ve been involved in well over 100 risk assessments, both as an in-house risk manager and as a consultant.
Actually, let me rephrase that.
Since 2002, I’ve been involved at the beginning of well over 100 risk assessments. However, I’ve seen many fewer risk assessments completed. Of those completed assessments, fewer still actually get turned into any kind of meaningful action.
Take a minute and think about your organization. How many risk assessments were started but then fizzled out? Even when a risk assessment was completed, how often were the recommendations acted upon? Did anyone really know what to do next? How many of these assessments are in a forgotten folder or gathering dust on a shelf somewhere?
This has always frustrated me: an incomplete risk assessment, or one that doesn’t prompt corrective action, is unsatisfying, and a waste of time and money. Worst of all, it erodes the organization’s faith in the whole risk management process. This makes people question the importance or usefulness of a risk management system as a whole.
I’ve done a review of the assessments that I’ve seen started versus those that were also completed successfully to identify what makes the difference. I noticed that the same five risk assessment problems cropped up time and time again. At a minimum, these will make your assessment much more difficult. At worst, these will kill your assessment altogether.
No Mandate or Buy-in
Management support and buy-in are critical for any major initiative to succeed. You will definitely need them for something that requires you to poke around in the organization’s deepest, darkest corners and then tell people to change their work habits. Make sure that you have genuine buy-in from senior management before you start. You also need to make sure that this mandate is public. This will ensure that everyone involved knows that you are working with the support of senior management.
Even then, that might not be enough to guarantee plain sailing.
Years ago, I was on a three-month project with an oil and gas firm in West Africa. They had contracted me to conduct a risk assessment and develop a series of corrective steps to help comply with some maritime regulations. This had all been agreed and sanctioned by their corporate security team, who had issued the contract. However, the local Operations Manager didn’t think this was necessary. Every week, we would meet to review the project. And every week, he would spend the first half of the meeting telling me why it was a waste of time.
This made the project more challenging but at least I had the mandate from Corporate Security to fall back on. Without that, the Operations Manager would have simply stonewalled me and the risk assessment would have fizzled out.
I think that the lack of a mandate from senior leadership is the single biggest risk assessment problem you can face and the one that will have the greatest impact on the success or failure of your assessment.
A mandate without resources is almost as bad.
Make sure that you have the support you need to actually see this through. Do you need additional staff? What about a travel budget to get you to the various sites? Do you need external consultants or to buy software?
And what about time?
Do managers across the organization know that the senior leadership team wants them to allocate time to this? Has your time been freed up to complete the task or is this yet another ‘to-do’ on your list?
You can complete a risk assessment from your desk. However, without the time and resources required, it will be a thin piece of work, which will make definitive action difficult. Make sure that your mandate also includes approval for the resources you need.
In case you think that I was being too hard on the Ops Manager I mentioned before, he did one thing right.
He’d always ask “Tell me again, why are we doing this?”
Although it was frustrating to rehash the conversation each week, he wasn’t wrong to keep asking that question. If you don’t have a purpose for your risk assessment, you will lose your way and are unlikely to fulfill the mandate.
For example, an annual risk assessment to meet a compliance requirement will look different from a pre-merger assessment of a potential partner. Without keeping the end result in mind, you and the assessment could easily get off track.
So keep asking: what’s the purpose? Who is going to implement the mitigation? Is there even a need for an action plan, or is this more of an ‘academic’ survey?
Remember that the risk assessment is part of a bigger risk management process. You need to do something with the results, so have a clear purpose and a defined path to turn the report into action within a specific time frame.
Sometimes, teams can get quite far into the risk assessment process before they start to think about how they will actually assess the risks. A lack of clarity about the methodology, language and metrics that you are planning to use at the start of an assessment has significant repercussions later on.
The worst example of this was a major assessment that I was involved in where two different groups were using two different methodologies! Safe to say, bringing the whole assessment together was an emotional time.
Luckily, we had the time and resources needed to fix this problem. Without that buffer, the whole thing would have been a write-off.
It’s worth noting that everyone involved was a risk management professional and we should definitely have known better. Our mistake was to assume that we were all using the same process without explicitly checking before we started. If we had been a less experienced team, we probably wouldn’t have made this mistake as we would have spent time discussing and confirming the assessment process.
Make sure that everyone involved understands the process and methodology that you are using from the get-go. At a minimum, this will save you a lot of work later. Otherwise, the results could be so garbled as to be unusable and you will have run out of time.
Too Specialized / Esoteric
Finally, keep things simple. There are a lot of different risk assessment methodologies and I have been guilty of looking for a better mousetrap at times. As someone who has dabbled in security risk management, I would say that security teams are repeat offenders here with no sign of giving up anytime soon.
But if what you produce is too specialized or esoteric, it’s probably not something that the rest of the organization can use. Using a totally untested methodology, producing a report solely in emoticons or using 17 different shades of red to show risks is going to be really interesting. Really, really interesting!
However, it is unlikely to be very effective.
So remember KISS. Make sure that your work will align with the organization’s risk management system and adhere to whatever guidelines or regulations are in place.
The Overlooked Risk Assessment Problem is…
I said that there were five problems, but in addition to the challenges listed above, there’s a sixth, squishier problem.
People simply lose interest.
Every organization has a lot going on, everyone is ‘busy’ but people also have limited attention spans. So they get bored with the risk assessment and it gets less and less attention. Or something more shiny and exciting comes along which takes priority. This happens even when they have paid – or may still be paying – a lot for consultants to manage this process.
The result is a zombie project: one that’s stumbling along, not fully dead, waiting for someone to put it out of its misery.
Think about your project like a gym membership. Most people are only interested in the first month or two. After that, you will see a real drop-off in interest so plan accordingly.
Tightly schedule interviews and make sure the participants see some results within a few weeks. Plan things in six- or eight-week sprints, not a six-month slog. And embrace ‘good enough.’ The ‘perfect’ 12-month-long plan doesn’t exist, and trying to create it only benefits one group: consultants who get paid by the hour.
Stack the Odds in your Favor
There are other things that can go wrong and derail your risk assessment: civil unrest, key staff being fired or the company simply going out of business. I’ve seen projects abandoned for all these reasons. But these are the exceptions. The six issues noted above recur time and time again. These account for the majority of abandoned or unsuccessful risk assessments.
Keep these in mind when you are planning your assessment and you are much more likely to achieve your aim. This way you can stack the odds in your favor and see the whole process through. Don’t just add another file to the abandoned projects stack.