One of the things I’ve enjoyed most as a consultant is having the opportunity to learn about organizations from a wide variety of sectors. These have ranged from schools, NGOs and the private offices of high net-worth individuals to Fortune Five oil and gas companies and governments. On the one hand, I’ve discovered that there are considerable similarities in all organizations, no matter their sector or size. However, I’ve also become acutely aware that the things that make the most significant difference – good or bad – are often very subtle. ...

“Without data, you’re just another person with an opinion.” [W. Edwards Deming](http:// https://deming.org/deming/deming-the-man), US academic and father of the continuous quality improvement movement in the US.* A big part of the risk assessment process is the risk assessment, and a large part of that is usually the risk analysis. The problems is that this involves metrics and math which people often find challenging for two reasons. Firstly, the math can be fuzzy and complicated to follow. ...

There are two times you get punched: when you’re expecting it and when you aren’t. Sometimes you know what’s coming, but there might also be times where you get punched, seemingly out of nowhere. Spoiler for those that haven’t tried this: getting punched hurts, no matter what. The question is, what can you do to make it hurt less? In some ways, knowing you’re going to get punched is worse because you know what’s coming. I’ve only boxed a couple of times, but it turns out that the ring is really (really, really!) small. Half the people in there want to hurt you, and the other half isn’t going to stop them. You also realize that three minutes getting hit by someone feels a lot longer than three minutes of Game of Thrones. ...

Gary Vaynerchuk uses the term micro speed: macro patience to describe his approach to business. This goes a long way to explain the seeming contradiction between his 100-miles-an-hour life and his Zen-like view of when things will come good. Looking back on the last two and a half years working mostly for myself, this is a useful mindset for anyone who’s starting out on their own, part of a startup or busy small business. ...

“Well, there was the kidnapping. Is that something you’re interested in?” It was our last day of a week-long site security survey. We were meeting with the site manager to wrap up our visit but this was the first time we had heard anything about something as serious as this. So yes, a kidnapping was something we were very, very interested in learning about…. I have no idea why it hadn’t come up before: we had conducted dozens of other interviews that week and had dozens of pages of notes. However, it almost didn’t come up at all: at this late stage, we were going to skip the interview and go straight into a review of our findings. ...

I’ve written before about how you need to have a clear idea of what you’re trying to achieve with your risk assessment and to get everyone onto the same page. Without this kind of understanding, it’s very unlikely that you will complete the assessment in the time available. Even if you do, you might not have answered the original question. So you need to plan your assessment properly but what does that look like? Here’s a short five-step process to make sure that you are well-prepared for your assessment before you ask the first question or open up a spreadsheet. ...

There are lots of different methodologies for assessing or breaking down a risk. The most common is a two-factor approach where the likelihood and potential impact of an event combine to create a risk. Likelihood (of the thing) + Impact (how the thing affects you) = risk This is what’s used for The World’s Simplest Risk Model. However, this two-dimensional approach leaves out one thing. Sometimes there are barriers between the event or threat and you. So in addition to the event and its potential impact, there’s the concept of vulnerability or exposure: factors that make you more or less susceptible to the event. These can be passive factors – e.g. physical distance – or active measures you’ve taken to reduce your vulnerability to an event. ...

Naturally, a lot of time and effort in risk management goes into understanding the risks that you face. After all, if you don’t understand what you’re up against, there’s not a lot of risk management to be done. However, even when you complete a comprehensive risk assessment, this is just the beginning of the process. Now the real work starts and you have to answer the big question. What do we do next? ...

Original image – Partnership for a Drug-Free America There are lots of things that are hard about risk and risk management: you are often dealing with abstracts and potential events; showing success can be challenging when your job sometimes means nothing happens; you might not be seen as adding value. But the biggest challenges always seem to concern discussions about risk. These discussions are hard, even when we have set out clear definitions for what we mean by risk and have everyone on the same page theory-wise. ...

*Photo by Ula Kuźma on *Unsplash To manage your risk management system, you need to have a way to categorize your threats. This is a key part of being able to structure your risk assessments and you need to identify a set of imaginary buckets or folders into which you can group similar threats. But this also helps with information gathering as data on a specific threat category might be grouped together. It also assists when it’s time to address the risks as one action could help mitigate a whole category of threats. Finally, these categories will also help you identify trends and patterns and start to develop an overall picture of your risk environment. ...