I’ve had a lot of conversations about risk assessments recently and just finished a new feature in the Decis platform, both of which prompted this thought: What if we have things backwards? What if our risk assessment updated us instead of the other way around?
We spend days, sometimes weeks, building a comprehensive risk assessment to understand our risks and build mitigation measures. But these are snapshots in time and can quickly become overtaken by events. That’s when we move from risk management to incident management or, at minimum, have to review our mitigation.
[Image: the offending feature that prompted this thought]
But a lot of risk assessments suck up so much time that by the end, there’s no energy or enthusiasm for implementing the mitigation measures.
So what if we turned things around? What if the risk assessment updated us?
If we establish parameters for ‘normal’ and then measure those automatically, we’d have a dynamic picture of our risk that updates in near real time.
Once we have that system, it’s easy to set additional triggers to alert decision-makers that the situation has changed. And in the same vein, we could even start warming up some contingencies automatically.
That way, our risk assessment informs us and initiates pre-agreed measures in response.
This would only work for a data-driven risk assessment (versus a simulation-driven model), so the model only moves when the situation changes meaningfully. But we can easily set up filters to track what’s important and notice when it changes.
This still leaves a lot of human-centric control in place: a human reviews the evidence to determine if they agree with the model’s assessment; a human has to decide to implement a contingency plan, etc.
But we’ve now built a proactive, automated system that alerts us when something moves outside of our normal parameters, and we’ve been prompted to take action right away.
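A sketch of that loop, added here as an illustration and not taken from the Decis platform: an indicator with an agreed ‘normal’ band, a filter that ignores one-off spikes, an alert, and a pre-agreed contingency that is only warmed up while activation stays with a human. The indicator name, thresholds, contingency label and readings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Indicator:
    name: str
    low: float             # lower bound of the agreed 'normal' band
    high: float            # upper bound of the agreed 'normal' band
    sustain: int = 3       # consecutive out-of-band readings that count as a meaningful change
    contingency: str = ""  # pre-agreed measure to warm up (hypothetical label)
    breaches: int = 0      # current run of out-of-band readings
    alerted: bool = False  # True once decision-makers have been told

def observe(ind, value):
    """Feed one measurement; return the events this reading raises."""
    events = []
    if ind.low <= value <= ind.high:
        if ind.alerted:
            events.append(("back_to_normal", ind.name, value))
        ind.breaches, ind.alerted = 0, False
        return events
    ind.breaches += 1
    # Filter: a single spike does not move the picture, a sustained shift does.
    if ind.breaches >= ind.sustain and not ind.alerted:
        ind.alerted = True
        events.append(("alert", ind.name, value))
        if ind.contingency:
            # Warm up only; a human still decides whether to implement it.
            events.append(("warm_up", ind.contingency, "awaiting human decision"))
    return events

def run(ind, readings):
    """Replay a series of readings and collect every event raised."""
    out = []
    for value in readings:
        out.extend(observe(ind, value))
    return out

# Constructed sample: one isolated spike (12), then a sustained rise, then recovery.
SAMPLE = [4, 5, 12, 5, 11, 13, 14, 15, 6]

def demo():
    ind = Indicator("failed_logins_per_min", low=0, high=10, sustain=3,
                    contingency="enable step-up authentication")
    return run(ind, SAMPLE)

if __name__ == "__main__":
    for event in demo():
        print(event)
```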
There’s probably some better language to use here: the risk assessment is a forward-looking forecast of what might happen so we can prepare appropriately. Maybe this should be a risk tracker or event monitor, but the nomenclature isn’t a priority right now.
Too often, we genuflect to the risk assessment and treat it as the pinnacle of the industry, but that would make us risk assessors, not risk managers.
So let’s stop working for the risk assessment and get the risk assessment to work for us.