If you’ve ever read anything about software start-ups, you will have heard the term MVP (minimum viable product). The idea is that you create something that does the bare minimum necessary to allow you to test your idea.
This lean, minimalist approach lets you produce something quickly, test your assumptions and then use this feedback to go on to develop something more detailed or comprehensive. This is in contrast to building a fully functioning piece of software up front which might mean that you invest a significant amount of time and effort only to find out that you’ve missed the mark.
In many ways, we can run into the same problem with a risk assessment.
We want to cover every eventuality, dig into each threat as deeply as we can and produce the most comprehensive report possible. Unfortunately, because of the sheer size of this task, we often get distracted, wander off course and lose our way. The end result is a product that covers a lot of ground but lacks depth.
Worst of all, we fail to address the critical question that we set out to answer.
I had something similar a few years ago where a consultancy I was with had some very detailed and comprehensive tools for evaluating projects and assessing risks. But these were all big, cumbersome, ‘all or nothing’ tools which took days to complete. This meant that we couldn’t use these to answer a lot of the straightforward questions we encountered on a daily basis.
We didn’t have the ability to use our own tools to help with our own decision-making.
So we created lightweight versions of each tool which we automated and templated to give everyone something they could use in minutes or hours, rather than days. So even though we might need a full-spectrum risk assessment tool as part of the final project, these ‘minimum viable’ versions were actually what we needed and used on a day-to-day basis.
I don’t think there’s anything wrong with taking the MVP philosophy and applying it to risk assessments.
We can identify the critical components we need to target if we work backwards from the decision we are trying to make or question we are trying to answer. We can then conduct an MVA – a minimal viable assessment – that focusses on these key components to get us the results we need.
Basically, keep things as simple as possible.
This is not only faster but we now have less chance of getting side-tracked by areas that seem relevant to the assessment but turn out to be distractions or dead ends.
One key thing to keep in mind is that we are saying minimum viable assessment: we still need a useable assessment and this could still be a big piece of work depending on the project. We’re being lean, not starving ourselves of what we need.
This is why the MVA concept fits naturally into a ‘lean’ system. You’re taking a fast, iterative approach to risk management rather than the more bloated, sluggish, traditional approach.
So when you are next about to start a risk assessment, be lazy for a moment and ask yourself ‘what’s the absolute minimum I have to do to answer this question, support these decision-makers or get the information I need?’
That’s going to allow you to concentrate on only what’s absolutely necessary, turn the assessment round much more quickly and ensure that you are totally focused on generating the output that you and the decision-makers need.