Strategic Risk Assessment-4/6

2010-07-29 / How to do Risk Assessment

This is a series on the risk manager’s role in strategic planning. In parts 1/6 – 3/6, I listed risk methodologies, reviewed mission statement examples, and addressed the question “What is an environmental scan?” – all to establish context.

Here I address reasons for poor risk assessment and the importance of risk facilitation skills.

Risk Methodology

Interviews are a common method of risk ID; surveys are also popular, and economy of scale of effort, in particular, recommends them. However, these two techniques commonly encounter methodological problems that invalidate their results.

I believe one reason for the use of interviews is that senior management and executives do not see a risk identification group session as worthy of their time. Organizations beginning an Enterprise Risk Management program will administer, if not interviews, then a survey to get the so-called “top 10 risks”. What can happen is that people responding to both interview and survey questions use very different language, frames of reference, time lines and definitions of risk. The shifting assumptions are not detected when the information is collected and aggregated.

The results of such risk surveys and interviews are not very compelling, and end up on a shelf. I have posted an introductory presentation on how to do risk assessment which quotes 5 studies from 2008 – 2009 in which firms of all types lament their poor risk assessment capability. Here is a screen shot:


I wrote a piece for Canadian Underwriter coming out in September on yet more similar findings in 2010. Essentially, information collected without rigorous risk methodology is not worth the effort.

Risk identification must be done in a wide variety of contexts. Interviews and surveys (if well designed) will continue to be useful. But in many respects, a facilitated round table of subject matter experts is preferred, and it is an important competency for risk managers.

Risk Facilitation

The benefits of a structured discussion with a measured degree of free interaction – provided you establish the context – are quite amazing. As one client remarked, “People need to hear others’ views of risk around common issues.” This is particularly helpful in contexts where you are trying to achieve consensus in complex and controversial topics. I wrote a piece back in 2006 for Risk Management Magazine with a case study of the risk facilitation process.

Formal training in facilitation is good preparation, especially if the subject matter is highly controversial or emotionally charged. If you can chair a meeting and lead a group through a complex agenda, that’s a good start. The crucial difference is that you are carrying out an ordered method, and must meet its requirements.

At the beginning of this series of posts, we listed methods: business continuity and emergency planning; innovation; high quality risk ID and assessment, and risk scenarios. These activities are scarcely possible as solitary research or surveys; they require group sessions. I believe the risk practitioner can facilitate such processes, and transfer this skill to other managers to build organizational capacity.

The next post compares and contrasts two essential risk methodologies: risk ID and assessment, and future scenarios planning.


Complex Risk Contexts-Pt2

2010-07-08 / How to do Risk Assessment

Here is a diagram — my Complex Risk Contexts Schema. In Complex Risk Contexts – Part 1, I introduced the idea of muddled risk contexts that can make it difficult even to begin to conduct effective risk assessment. The first one was planning problems.

I think many risk managers would be able to write their own lists. Then how interesting it would be to compare our risk context statements and find out just how common our difficult business situations happen to be! I have posted here a summary of complex risk contexts. Let’s look at two more.

Multiple Assessments – Delicate Risk Context

Field risk assessments must often be repeated many times. Loss control inspections come to mind. But it could occur in social services, engineering or marketing. The problem is: how do you get consistency in such reports when they are conducted by field personnel with varying viewpoints? If the work has any degree of sensitivity, and demands a delicate balance of criteria, then general guidelines or policy will not answer.

I worked with a forestry team overseeing such risk assessments for tree sites across the province that were both a public hazard and a conservation refuge. The fate of these trees, determined by contractors, was not being decided with sufficient due diligence. The answer turned out to be a sort of auditable assessment tool, with refinements to balance contradictory criteria.

How to Choose the Optimal Solution?

One of the features of a mature Enterprise Risk Management system is that significant business investments, programs and initiatives are the result of a risk-based decision-making process.

Often a risk-based decision is required to select one of many possible solutions, whether a project, software application, or other sizable investment. It is not very thorough to just compare checklists of features. Conversely, you cannot conduct a High Quality Risk Assessment (link to online course) on each and every option. Even if you could, how can you compare the risk profiles when the trade-offs keep shifting from one case to the next?

I developed a solution to select the best risk financing option for a major Canadian federal crown corporation. It involves, indeed, a comparison of features of the various solutions. But it adds value by incorporating a comprehensive risk identification process. The team reviewed opportunity cost and mitigated the risk of foregoing the other candidate solutions. (It worked. They eventually decided on going with a captive.)

Those interested in seeing a fuller discussion of complex risk contexts may be interested in a new Risk & Insurance Management Society online course, currently in development – Special Case Studies in Risk Management. There are five more complex contexts discussed, with solutions and examples. The other modules within this course include Risk Scenarios Planning and Creative Contracts.

In the meantime I have posted here a summary of the complex risk context models – maybe they will inspire you to add your own.


Complex Risk Contexts-Pt1

2010-07-06 / How to do Risk Assessment

In a previous post Common Mistakes in the Risk Context Statement I described one of the situations most often encountered when trying to establish context — the lack of coherent planning. If the working team does not have plans or (what is perhaps more common) confuses planning terms, it is really impossible to set up the context and identify risk in a meaningful way.

I think we have all been there: where we tend to state department or business goals in vague or undefined terms that sound good on the surface, but are not verifiable or tangible. I could say, the company aims to achieve “best-in-class service”, or the “highest degree of professionalism” or “impeccable accountability”, but these, at best, are part of a vision statement, and do not constitute goals, in the sense of tangible deliverables.

Risk context can present a whole variety of challenges that need to be recognized and solved. I believe the reason many joint projects fail, or let’s say, the reason many risk ID sessions with the slightest degree of complexity go around in circles, is because the facilitator does not recognize traps. I’ve seen many meetings begin with tons of goodwill, but participants disperse in a despondent mood because they were not able to establish common ground.

It all has to do with setting the risk context properly. And rarely does the context consist of a single set of ordered goals and objectives, conceived with crystal clarity. I made notes on what I call complex contexts, and created a diagram and a solution for each one – I’ve probably hit on typical situations that others might find useful.

The first situation is the one described above. Is there a planning regime? Are departments required to set out business goals, with some kind of performance management, that are aligned with corporate strategy? Is there a commonly understood and applied planning language? If so, you are miles ahead, because risk management cannot substitute for good planning.

The other complex risk contexts have to do with multiple risk assessments in the field (technical, social or health care); selecting the best of many possible solutions (e.g., short-listed IT applications); or reconciling two diametrically opposed parties in a common project. In the next post, I will discuss them in more detail, along with a pdf summary of the complex context models.


Risk Assessment: Manufacturing and Credit Risk

2010-06-10 / How to do Risk Assessment

How should risk assessment in business be conducted? We might differentiate risk identification as an exercise in exposure analysis, using conventional categories of loss, from a more comprehensive concept of risk ID called for in Enterprise Risk Management.

An expanded idea of risk ID and assessment is useful in complex contexts.

In recent weeks I’ve been corresponding with a loss control expert based in Dubai who took my online course (How to Conduct High Quality Risk Assessment). We were trading notes on how risk assessment in business is done. He has particular challenges in risk assessment: construction and manufacturing firms are his specialty. He described credit risk analysis for manufacturing concerns:

“The most important factor is the collateral back up shown to the credit manager at the time of availing the credit, and the projected revenues after (supposed) infusion of the borrowed funds.”

He went on to say that the analyst has to check the deployment of the borrowed funds, using his/her knowledge of the manufacturing process, inputs and associated costs. The next task: “root cause analysis of failure (if the venture is on the red side) and of the activity to generate the required revenues”, using both financial and technical engineering expertise.

I suggested: It seems to me that just here might be the right stage at which to conduct a comprehensive risk identification and assessment session, or a series of them, using a round table of experts. As long as the sessions are carefully prepared by establishing context, and the right visual and discussion aids are used, it is possible to identify risk reasonably comprehensively along several lines of inquiry in a systematic fashion:

  • strategic concept: macro-economic risk and market conditions;
  • cash flows and financial model: examine assumptions and probability estimates;
  • business continuity and resiliency;
  • manufacturing process flows and technical infrastructure;
  • management and HR; organizational culture;
  • supply chain: sole/single source and third party suppliers;

and so on, depending on the scope of the project and time available to conduct the analysis. As a rule, in past projects, I’ve been able to complete sessions with 6 to 8 participants on a particular risk context in 2 or 3 sessions of 3 hours each, assuming adequate preparation and follow-up by email.

This idea seemed to strike a chord with my correspondent:

“Yes, the 4th para of your second mail [multi-disciplinary risk ID session] is a good solution. The finance professional alone holding responsibility for the risk management of any organisation is definitely a misconstrued idea… Statistical data, models, assumptions and precedents can help to some extent only. A correct and responsible study of the risk exposures and arriving at mitigation is the correct and useful method. Many times the collateral is not properly and professionally assessed and is commonly over-stated/over-valued to satisfy the lender.”


Common Mistakes in the Risk Context Statement

2010-05-27 / How to do Risk Assessment

Has everyone had enough of risk context yet? According to Google, I see that a grand total of 58 persons on the planet searched for “risk context statement” last month. OK, this post goes out to you 58!

In previous posts we’ve covered the reasons why you need to establish context (if you contemplate conducting a risk assessment) and the elements of a risk context statement. I can share with you now some of the common pitfalls I have encountered over the course of preparing and facilitating many risk ID sessions in a variety of organizational settings:

1. Lack of Planning: Hands down, the most common pitfall in writing context is trying to make up for poor planning. You feel you have to take an educated guess at what the project team plans to do, because the organization in question does not really have a mature planning practice and associated terminology. The idea of individual tasks, objectives, broader goals – and the future vision and mission these are all serving – are not clearly conceived and documented. I have seen this in both public and private settings.

Now, there is no need to drown in paper, but I feel there must be an ordered documentation of what the organization (or department) in question intends to accomplish, how they want to go about it, and how they like to conduct business. Then you have a basis for discussing risk. If you have a project management culture, then this is likely solved.

2. Lack of Rich Context: The next pitfall is to conceive of the context (and so its associated risks) very narrowly or superficially; it reads like a bit of vague background. Rather, context should be a detailed map that lets you discover all types of risk.

I’m convinced the risk context statement can address any conceivable project, on any scale, in any content area. You can identify risk in all of these:

  • work breakdown structure in a conventional project document;
  • administrative procedure;
  • industrial process;
  • technical workflow or materials handling operation on the plant floor;
  • new product launch;
  • implementation of a new HR policy;
  • execution of a strategic plan over the course of three years;
  • plans for a marketing campaign;
  • terms of a complex service contract;
  • implementation of a new IT system;
  • creation of a social services agency;

…and so on, ad infinitum. So “establish the context” applies to virtually any strategic or operational plan.

Now, this means that you can present that context in just about any format you can imagine; e.g.,

  • point form notes;
  • hierarchical ordered lists of tasks;
  • critical path diagrams;
  • flow charts;
  • conceptual diagrams;
  • spreadsheets;
  • drawings/sketches;
  • photographs;
  • inspection tours;
  • working models;
  • audio/video recordings, etc.

Let your risk ID session participants scrutinize a rich and detailed risk context!

3. No Values: Another pitfall is to gloss over values. Risk assessments commonly ignore ethical and procedural guidelines, including professional codes – and yet these are assets at risk, and a source of competitive advantage. If they are included, they should go beyond a few “motherhood and apple pie” statements copied from the annual report (sorry). For example, I’ve led sessions where medical personnel have listed in point form their entire professional code in the context paper; subsequently, we reviewed each item for potential risk in the project at hand – an excellent approach!

4. Underestimated Stakeholders. They should at least be identified, and assessed with regard to their views and expectations. Then you will be able to determine what the risks are in relation to your program goals. One strategy far too under-utilized is to include certain stakeholders, constituents or program beneficiaries – somehow – in the risk assessment process itself. This is a distinct improvement on ordinary consultation that adds to the credibility of your risk management program. For example, I’ve seen government project teams invite industry reps and subject matter consultants to help identify risk in major public policy drafts. Result: a risk-adjusted implementation plan for a controversial policy that everyone agreed to. Another option is to conduct first a closed-door session (often preferred), but then share results with stakeholders to allow them to add comments.

5. Procedural Pitfalls:

a. Do not permit risks themselves to be listed in the context paper, because you are likely to forget to include them in the risk register.

b. Don’t forget to document any constraint or limitation that has been imposed on your risk ID and assessment process, including no-shows. This is simply to make clear the conditions under which you conducted the risk analysis and drew conclusions.

c. Don’t forget to state and draw attention to the intended deliverable (item 9 in our risk assessment template-establish the context.) This is a technique used in facilitation to ensure that participants understand what they must produce by the end of the session. It could read something like this: “Comprehensive list of risks associated with implementation of project X, identified and assessed by consensus of round table members, with corresponding summary plans for risk mitigation.”

Final note: it’s not quantity, it’s about quality. The context paper need not be longer than a few pages. As long as it is authoritative, this work at the front end of the risk process is well worthwhile.


How to do Risk Assessment–Establish the Context-Pt2

2010-05-25 / How to do Risk Assessment

In How to do Risk Assessment–Establish the Context Part 1, I gave references to risk context in ERM standards, and described a dual purpose for writing the risk context statement (scope/assumptions and risk ID agenda). Also, I posted a template pdf Risk Assessment Template-Establish Context with some commentary to help you (or the project manager) write a context paper.

Here is a little more detail to help anyone responsible for setting up a rigorous risk identification and assessment process.

First, the philosophy that informs this approach says that risk is relative, and identified in relation to planned goals and values – whether for operational or strategic risk assessment. A valid risk assessment process is logically consistent, reasonably comprehensive, and transparent. Using the context paper helps meet these conditions and leads to high quality results.

You know, the more I think about the context paper, it occurs to me how many conceptual difficulties get sorted out when you do the preparatory work.

The project lead can actually write the draft of the context paper. That means that you, as the risk professional, need only provide guidance. Keep the paper concise; use attachments or references to existing documentation to avoid duplication.

If the plan in question is informed by an environmental scan, so much the better. The scan should paint a picture of fairly well understood and predictable conditions (demographics, industry developments, etc.) that have some effect on the organization’s strategy. Once these are set out in a report, it is easier to discern specific threats and thus compile a strategic risk assessment.

The items in the context paper template – project goals and detailed tasks; professional values; stakeholder interests, etc. – should be considered sources of risk. You should list them carefully because you will review each to identify risks that can impede the success of the project. The context paper will help you trace through the project and ask: “What could stop us from achieving this goal?”; “What could affect our efforts to accomplish this task, with respect to cost, quality, or timeliness?”

The value of leading the session participants through such a list is that you “map” several uniquely informed brains against the key elements of the project. Each round table member will have a different response to the context, and different ideas of risk, which means you increase the chances of identifying all of the most critical risks.

Well, it happens that people sometimes do not like, for political reasons, the risk profile you develop and the conclusions of your risk report. But when you share the context paper and make your scope and assumptions transparent, critics will be hard pressed to fault your method. More often, you will find that uniting a diverse array of opinion around a common context leads to effective solutions. This only adds to the credibility and strategic value of your risk management program.


Risk Assessment Template-Establish Context

2010-05-20 / How to do Risk Assessment

Let’s take a look at the elements of a risk assessment template to Establish Context which you can use in the first step in the risk ID/assessment process. Keep in mind that this is to establish context for an individual risk identification and assessment exercise on a given topic.

This is a list that has evolved over time, and can be modified to suit the risk context of your organization and line of business:

  1. Organizational Setting; Roles and Responsibilities
    You want to define the organizational unit that is responsible for this particular risk assessment.
  2. Planning/Program Setting and Time Frame
    In other words, what is the process, plan or project under review? There must be some sort of project charter or authoritative documentation.
  3. Goals and Objectives of the Plan/Program under Review
    NB – Not the risk management goals, but rather goals of the project you are scrutinizing for risk. List available work breakdowns.
  4. Environmental Scan: Key Trends and Conditions
    NB – these are not risks; rather, they are largely known. You can state the associated risks during your risk ID session.
  5. Procedural Standards / Organizational and Professional Value Criteria
    Even business rules, ethical guidelines or customer service ideals – whatever guides the behaviour of your organization.
  6. Analysis of Participants / Stakeholders / Agents / Constituents
    The key here is to note their objectives and values – these can easily be sources of risk.
  7. Relevant Risk Categories
    Generic categories of risk, as well as specialized ones that are unique to your business, should be listed in preparation for the risk ID exercise.
  8. Procedural Constraints on Risk ID/Assessment Process
    NB – not constraints of the project; not risks – rather, known constraints of time/resources that will compromise your effort to conduct a comprehensive risk ID.
  9. Deliverable of the Risk ID/Assessment Process.
    Just to clarify to risk ID session participants what they must aim for.

Get the risk context statement reviewed and signed off by the project lead and round table members. The risk identification session itself then goes like clockwork, because you’ve clarified assumptions beforehand.

You can find detailed discussion to accompany the template in these posts:

How to do Risk Assessment-Establish the Context Part 1

How to do Risk Assessment-Establish the Context Part 2

Pitfalls in Writing the Risk Context Paper


How to do Risk Assessment–Establish the Context-Pt-1

2010-05-18 / How to do Risk Assessment

[rev 15 Jul 2017]

The basis of sound risk methodology is to establish the context. I’ve found that if people pay attention to risk context at all, they often treat it as background information or a pro forma introduction. But it’s really a tool to ensure a rigorous and comprehensive risk assessment.

The original AS/NZS 4360 addresses context, although mostly in connection with organization-wide implementation. The CAN/CSA-ISO 31000-10 and the accompanying Q850-10 Implementation of Risk Management – I was on the CSA technical committee – specify context for the purpose of applying the risk process.

Similarly, in the ERM Guideline that I wrote (edited since) when I was in BC Government, you’ll see Establish the Context (section 3.3). The idea is to write a short risk context statement following recommended headings. Use this more complete template for context posted in this article: Risk Assessment Template-Establish Context.

Establishing the context means to define the bounds of what you want to analyze for risk, whether a strategic or operational plan, industrial or administrative process, program, project or other management initiative. The context paper sets out the scope of the analysis and the criteria you will use to assess risk. NB: This means your work will be internally consistent, and the results defensible.

Apart from establishing scope and assumptions, there’s a second purpose to writing a context paper: it serves as an agenda to help the facilitator lead the team to identify risk in a reasonably comprehensive and ordered way.

In the next post I’ll discuss context in more detail.
