How to do Risk Assessment–Establish the Context-Pt-1

2010-05-18

The basis of sound risk methodology is to establish the context. I’ve found that if people pay attention to risk context at all, they often treat it as background information or a pro forma introduction. But it’s really a tool to ensure a rigorous and comprehensive risk assessment. (In future articles, we can discuss subsequent steps in risk assessment.)

The original AS/NZS 4360 (now replaced by ISO 31000) addresses context, although mostly in connection with organization-wide implementation. The CAN/CSA-ISO 31000-10 (public review copy) and the accompanying Q850-10 Implementation of Risk Management (I was on the CSA technical committee) specify context for the purpose of applying the risk process. Similarly, in the ERM Guideline ver. 2.2 that I wrote when I was in BC Government, you’ll see “Context Analysis to Prepare for a Risk Identification Session” (section 2.2.2, page 17). The idea is to write a short risk context statement following recommended headings. Use this more complete template for context posted in this article: Risk Assessment Template-Establish Context.

Establishing the context means defining the bounds of what you want to analyze for risk, whether a strategic or operational plan, industrial or administrative process, program, project or other management initiative. The context paper sets out the scope of the analysis and the criteria you will use to assess risk. NB: This means your work will be internally consistent, and the results defensible.

Apart from establishing scope and assumptions, there’s a second purpose to writing a context paper: it serves as an agenda to help the team identify risk in a reasonably comprehensive and ordered way.

In the next post I’ll discuss context in more detail.

Risk Management Surveys

2010-05-06

Enterprise risk management is greatly helped by knowing how to do a risk assessment that obtains high quality results. I really think this is a key answer to difficulties reported in recent risk management surveys, and the best way to develop a culture that uses evidence-based and risk-optimized decision-making.

On my other site I’ve discussed the results of several risk management surveys 2008-2009, in an Introductory Presentation. It’s a veritable crisis, because many organizations don’t have confidence in their risk identification process, and implementation is often a dry compliance exercise. I’ve outlined a recommended approach in these posts:

The January 2010 Aon Global Enterprise Risk Management Survey (free download) reports improvement in overall ERM program maturity among 201 respondents, compared to results of three years ago (p.3). But is it the same target group? 320 organizations participated in 2007. Selection bias would, I think, invalidate their conclusion. Anyway, the “hallmarks of top performing enterprise risk management programs” (p.3) are interesting even if only as exploratory research.

Well, 40% of this year’s respondents report “lack of tangible benefits” as an ERM implementation barrier, while lack of “skills and capability to embed ERM” (34%) and no “clear implementation plan” (28%) are also at fault (page 13).

In my next post I will give an example of a successful enterprise risk management plan. Comprehensive and rigorous risk ID and assessment are at the heart of it.

