Date: Tue 20 July 2021
Title: How to Establish Context
We are discussing High Quality Risk Assessment. We can best prepare by accomplishing that classic step called “Establish the Context”. But how does this apply in my unique business situation?
Summary of the series to date. At this point in our podcast series we established the rationale and practical working definitions for Enterprise Risk Management. Now we are discussing methods, in particular the all-important core practice in Enterprise Risk Management, which I call High Quality Risk Assessment.
Establish the Context. The first step (after, perhaps, communicate and consult) is usually taken to be: “Establish the Context.” What do the standards mean by that? They are rather vague about whether this applies only to the ERM initiative itself or not, we start with establishing the context for the purpose of preparing for a particular risk assessment.
Context Paper. To that end, in the last episode we explained in detail the best possible preparation for risk assessment is: it is to write what I call a Context Paper. The Context Paper sets out important headings. The purpose is twofold: to create a highly useful aid to facilitation; and to create a testament to due diligence.
This follows on the important realization that a risk session facilitator must not fall into the trap of trying to identify risk in business settings where there are no goals and objectives.
This, in turn, led us to consider over the course of two podcast episodes, the nature and quality of the planning regime in the organization.
Now the question arises, what if we can’t fit our operations to match the suggested headings? What if, especially, we don’t have a business with neat, hierarchical “goals” and “objectives”? Is that the only way to express our intended actions?
Special examples of Context
Consider these examples of what we can legitimately call “context” for the purpose of risk ID:
b. formal projects (project management)
d. workflows: administrative procedures or technical processes
e. performance management regimes
f. specialized disciplines
Caution: these various alternative contexts must still somehow express goals or intended actions that are clear, well-formulated, and substantiated through research.
Summary: What did we cover today?
1. A review of the true utility and rationale for “Establish the Context”.
2. The primary way to prepare for a risk ID session: write what I call the Context Paper.
3. Various types of context alternatives that can be encountered.
4. We reiterate necessity for the risk manager to scrutinize the planning prior to conducting risk ID.
“The ERM champion must scrutinize the planning and even coach managers to adopt a complete planning practice… As a consequence, the risk information ultimately developed will make clear sense.”
E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)
The discussion on Establish Context begins in Chapter 2.2.
[edited for clarity]
This is Episode 8 How to Establish Context. This is really the second in a two-part series on how to establish context. And I really answered the question with the last episode by setting out the elements of what I call the Context Paper. It’s so helpful to write a brief context paper to set out the scope and the assumptions that go into a particular discussion of risk identification. This irons out all kinds of misconceptions at the front end, so that when you finally get in the meeting room with your people, the session tends to go just so much more smoothly — it goes like clockwork and you will be really grateful for having done this work upfront.
At this point in our podcast series, we’ve established the rationale and practical working definitions for enterprise risk management. We did that in some earlier episodes. And now we’re right into methods.
The all-important core practice of enterprise risk management (at least in my concept of it) is what I call High Quality Risk Assessment, and the first step in that is to Establish the Context, by which we mean establish the context for the purposes of a particular risk ID.
[01:57] Now that context paper that we covered last time with its various headings really has two purposes: one is to serve as a facilitation aid. It’s going to serve to get everyone literally on the same page with respect to their understanding of what you’re going to be discussing, before they even get in the room. The second purpose is to serve as a piece of due diligence. It’s going to be a record of what the discussion was all about; what the scope was; who attended; perhaps even who was invited and who did not show up; and so on — including, by the way, the constraints that you are working within. Perhaps there were some instructions from the “higher-ups” on not to discuss this or that. Okay, that will be recorded in the context paper. That way you’ll be able to go back, and point to exactly the constraints and the conditions that were imposed upon your identification of risk for the given topic.
The more immediate concern now is that we simply do not want to start identifying risk in any business situation where we are unclear what the goals and objectives are. It’s doing this context paper that helps you check all of that, to make sure that everything is properly in place.
[03:14] So at the risk of repeating myself, let me just quote you a brief passage here:
“One key message is do not fall into the trap of trying to lead a risk idea session, much less implement an entire ERM program, where goals and objectives are poorly defined. Do not become embroiled in conducting risk assessment for groups who have not done their research and created coherent plans. Any discussion of risk without adequate preparation will end up going around in circles because the target for identifying risk keeps changing in people’s minds.” [Solving the Enterprise Risk Management Puzzle, p.32]
You know many times in the early years of trying to sort all this out, I would accept just at face value the expression of goals, objectives, plans and so on that people would give me in preparation for a risk ID session. Why would I do that? It’s because, of course, we wanted to be conciliatory, to cooperate with people; we wanted to get the job done quicker, and so on. But I can tell you it’s just not worthwhile. You’re going to lead people down the road of confusion, and it’s going to reflect poorly on the risk ID process itself. Not only that, it’s going to affect the credibility of the facilitator. It’s going to affect your own professional credibility.
You may not get a second chance with any particular group, so it’s important to get it right from the outset. And that’s why I really strongly counsel you to take seriously this whole business of establishing the context, as I explain it in today’s episode (and the one last week); and before that to take a look at the planning regime to make sure the planning practice is really of good quality.
Well in the summary for this episode, I was saying: What happens if “establish the context” — at least the way I was describing it, where we prepare a context paper with headings for goals and objectives — what happens if that does not apply in my particular business situation? If that’s the case, you’re not alone. In fact, it’s going to be a very small minority of businesses that already have documentation set out where they’ve got clear hierarchical goals and objectives.
[05:25] What is more likely is that you’ve got some other situation: I’ve got a series of possible contexts that we can discuss here that are all perfectly feasible.
Now the first example of an alternative context (if you don’t have hierarchical goals and objectives set out in sort of a classic fashion) could be simply a budget. This is something that, of course, many organizations will have in common, whether that’s a budget at a grand level for the entire year or at a departmental level. I would still recommend writing the context paper along the lines of what I suggested in the last episode #7, but this time the context itself, the plan, so to speak, will be the budget. The task will then be at the risk ID session to simply trace each line item of the budget and to identify the risk that the intended action, the goal that is implied in the line item, may have some uncertainty attached to it, or indeed that the budgeted amount that is assigned to that line item will be insufficient.
So, in other words, on each line item in a budget you’re going to have the opportunity to identify risk with respect to executing on that item, or with regard to the fact that it might be under-budgeted, underfunded, or with regard to the fact that you’re going to have a delay and you won’t meet the scheduled time line.
[06:50] The second alternative context I want to discuss is project management. You’re going to be identifying the risk… within the process of the formal project management methodology.
If you’re using project management methodology, it already gives you a much more structured context to deal with to identify risk, because the goals are clear, the timelines are clear. All of the various factors and elements that feed into a given result are already set out in a critical path. I recommend that instead of a cursory review of risk within project management, you actually apply the full High Quality Risk Assessment process.
That leads us to the third possible alternative context. If it’s not a budget or a formal project, it might be actually a contract that you need to review. Because a contract is a formal arrangement, it’s going to lend structure to the discussion of risk, with respect to its deliverables; various conditions that will impinge upon timelines, and so on.
The discussion of risk identification within the context of a contract could really be greatly expanded. I’ll give you one example. In a formal institutional setting like corporate or government, a contract template could be imposed by one side or the other, which contains “boilerplate language” clauses that are not strictly necessary to the case at hand, but are conferring some sort of advantage to the people who are proposing them.
Moreover, it’s possible to identify ready-made risk financing solutions that actually could be just too expensive. So in that sense, conducting risk ID in the context of a contract can be an important way to establish equitable terms and conditions for both sides. The final plan for risk mitigation and risk financing becomes a tool (as my former supervisor used to say) “to paper the deal”.
I’ll make one final comment with respect to projects and contracts, and that is that the scope, the magnitude of the work at hand, could be long term. It could be something that really requires risk assessment be applied at each of the defined stages of a long-term [major] project or contract.
[09:08] Well, let’s move onto yet another alternative context. You might find that your work really is best expressed in terms of some sort of a workflow. You might have an administrative procedure that is repeated on a daily or on a weekly basis. Or you might have a technical process — something in manufacturing or in a scientific setting.
This is a perfectly feasible context within which to identify risk, because after all, there are certain inputs to the process, there are defined processes and transitions between stages, and of course there are outcomes or outputs, which probably have quality criteria attached to them.
Now I’ve done risk assessments in this sort of setting where you’ve got a process that needs to be reviewed and assessed for risk. The best way to set it out is in the form of a graphic flow chart. Each person in the risk ID session can have a visual cue to be able to trace through the various steps, stages and transitions, and to identify risk at any point. The whole point is to identify risks so that eventually you’ll be able to optimize this procedure (whatever it is you’re scrutinizing).
I find that you can use some generic criteria to apply to just about any technical or administrative process, as follows: the cost, the quality, the timeliness, the efficiency, and the efficacy of any given step or transition in the flow chart process.
So you can see that identifying risk with the benefit of a flow chart to illustrate a workflow is really a way to be comprehensive and quite effective in identifying risk.
[10:47] For example, you might have manufacturing setting, where the first operation is, let’s say, to receive materials. Alright, so each person sitting around the table when reviewing this sub-process of receiving materials is looking at it from their own perspective. The safety expert will have certain comments with regard to the uncertainty [i.e., uncertain safety] about this action or that action. The supply chain expert might say: the uncertainty here is that the supplier will not be able to provide us with this material or that material. The people charged with managing inventory and materials might see uncertainty with regard to how barcodes are functioning — or something like that.
Well, let’s move onto our next example of an alternative context. It could be the case that in your organization, you don’t necessarily have clear goals and objectives, but they are expressed in a different format, and that is through a performance plan — a performance management regime.
Now that’s the advantage of a performance management regime! — that is, there are certain structures: criteria, targets and so on, that are set out explicitly, and that gives you a structure for identifying risk. That means that in the risk ID session the question will be: what is the risk (what is the uncertainty) with respect to achieving this or that performance target?
This is only meaningful if the performance management regime itself is really well-constructed, that is, if you’re measuring the things that are truly important and relevant to the business.
[12:17] The final example of an alternative context that I want to discuss is the possibility for conducting a session within a specialized discipline. So let’s say you have identified the need to conduct a dedicated session within a specific branch of risk management. That could be something like IT security, or Environmental Impact Assessment, or Health & Safety, and so on. The experts in each of those areas will have their own criteria — their own risk categories, their own risk mitigation methods, and so on, that someone who’s a non-specialist simply can’t bring to the table.
Keep this in mind when you’re conducting risk ID in a generic planning context and people bring up risks that are really pertaining to one of these specialized areas. You’ll simply have to take off line, make a note of it, and if need be convene a session that is dedicated to that topic.
Well so far, we’ve discussed several examples of alternative context. If you don’t have goals and objectives set out in a classic form, you can just as well establish context in some other form, whether it’s a contract, performance management regime, project, etc. Now, I hasten to add that any particular alternative context that we’re talking about will still have to meet the quality criteria that we were talking about for planning in general. In other words: the goals or intended actions have to be properly expressed and formulated; they have to be substantiated, justified through research.
[13:45] You know, I’ve been in many situations where I’ve had to go back and forth with the project lead to make sure that the program goals were properly formulated, properly substantiated, and really gave a clear picture of what the intended actions were. I’ll read you a quick quote:
“Even if it takes several iterations, take advantage of this opportunity to work with the project lead to identify and resolve any vagaries, deficiencies or contradictions in the planning context. Doing this work in advance will prevent a great deal of confusion later on when identifying risk.” [Solving the Enterprise Risk Management Puzzle, p.41]
The strange outcome of this is that, as risk manager, you actually end up being a sort of consultant for planning. You end up coaching managers on how to properly formulate plans, how to research them, how to substantiate them, and so on. I think you’ll find that many people will actually welcome that kind of help, because a lot of people are good at doing what they do, but they’re not so good at documenting and analyzing in abstract what they do.
This process of establishing the context in a documented form helps them see their business in a way that they just hadn’t considered it before — even before you get to the risk ID session.
[15:01] So what did we cover today? This was the second episode in two episodes dedicated to “Establish the Context”, which is the preparatory step in High Quality Risk Assessment. But it’s not adequately treated, I find, in the standards. We needed to expand on the concept so you could understand what the rationale for establishing the context really is [and] give you different ways to do that, including writing a context paper with various headings. Different ways to conceptualize the context itself [include] going through not just goals and objectives, in a hierarchical planning fashion, but also to consider alternatives, such as contracts; projects; budgets; performance management regimes; technical and administrative workflows.
Remember, the risk champion must scrutinize the planning, and even coach managers to adopt a complete planning practice. As a consequence of doing that, the risk information that is ultimately developed in the risk ID and assessment session will make clear sense!