Date: Tue 03 Aug 2021
Title: How to do Risk Identification
We are explaining High Quality Risk Assessment, and can finally start the process of conducting a risk identification session. We can do so with confidence, because all of the procedural and conceptual elements we need are finally in place.
We discussed last time how supposed risk ID methods are a mix of (often problematic) procedures, addressing either ways to get at people, or to get at the content, or ways to think. What is needed is all of those elements in a coherent method.
What is the preferred method for High Quality Risk Assessment?
Preferred method: round-table of experts has several advantages; we recommend the number and selection of participants.
Prepared session: agenda; context paper; facilitation aids include charts and risk categories.
Risk formulation: rules for creating risk statements – see blog post.
Facilitation: trace through the context carefully, reviewing all goals; use the proper conceptualization of risk.
Review: conceptual and procedural foundation
Notice that in our preparatory work, we have:
– a proper concept and definition of risk ID and assessment (Ep. 004)
– a procedural grounding in proper planning (Ep. 005, 006)
– a procedural refinement in the creation of a Context Paper for the risk ID session (Ep. 007,008)
– avoided pitfalls entrained by some of the conventional risk ID advice (Ep. 009).
With that kind of preparation, you can rest assured that the risk ID session itself will go much more smoothly, and yield much better results, than the informal, unstructured attempts that usually characterize the first efforts by people trying to get started in risk management.
The question arises once more: is all of this too much work? I don’t think so. In much of what I describe, it really is a matter of doing what you’re already doing, but improving the quality.
Summary statement of your expected result:
As required in our definition of High Quality Risk Assessment (Ep. 4), we have to identify risk:
– that is understood among participants as uncertainty connected with goals;
– in direct association to intended actions that are researched and substantiated;
– in relation also to defined corporate values;
– comprehensively, considering all possible relevant sources of risk;
– efficiently, being mindful time constraints;
– rigorously, so as not to gather information based on vague and disparate ideas of risk;
– within a defined context, documented for due diligence;
– to aggregate qualitative information.
So, there we have a summary description of the prerequisites and elements of an effective risk identification exercise.
Statement of deliverable for the risk ID session: “A comprehensive list of risks, in several categories of analysis, with rankings and summary statements of mitigation, arrived at by consensus, to inform an improved business plan [policy,or program].” (Robertson, p.16)
(Robertson 2016) Enterprise Risk Management Tools and Templates
[edited for clarity]
Episode ten how to do risk identification. Well we’ve been discussing over, the course of several episodes high-quality risk assessment, which is the turm that I give to the risk identification and assessment procedure, that differentiates it from an informal or ad hoc approach to identifying risk.
So finally, after quite a lot of preparation, we can turn our attention to setting up and running the risk identification session. In the last episode, I was discussing several risk ID methods drawn from a conventional source. I questioned whether they could really properly be called risk ID methods, because they addressed different things, such as how to get at the people involved, or how to get at the content, or how to think about things with regard to risk — and what we really need is a comprehensive methodology, that looks after all of those aspects.
[01:38] So after a fair bit of experimentation in the early years, I finally came to the conclusion that the best way to identify risk was to use the round table of experts approach, in most administrative situations. One of the main difficulties with using this method is to get people to agree on a meeting time, especially senior people who are busy and who, arguably, have other priorities. They won’t agree to a lengthy meeting and it’s difficult to to coordinate their schedules, and so on. So that is the main problem. But that problem starts to dissipate a little bit when people start to see the value that risk identification really brings to any given program or project.
So despite that difficulty, there are several advantages that accrue to using a round table of experts for risk ID. The first one is that you’ve actually got a group process, rather than having isolated individual responses, through questionnaires or interviews. This means that everyone is going to be identifying risk using the same definition and concept of risk. It also means that at all points in the discussion — first of all there is a discussion — but at all points, each person will be able to see in other participants what the varying views of risk are, from different job functions.
[02:54] And so in this discussion that ensues, in identifying risk, they can start to understand one another’s motives and the imperatives that are demanded by one job function or another. That results in a risk assessment that is balanced and well informed; it also enables mitigation action to be decided upon and coordinated much more easily.
You can imagine the possibilities for team building are really significant using this method. You can get people around the table who, normally, are at cross-purposes; they’re at loggerheads. But when they’re focused on a common context, trying to assess risk, and move something forward together, then they really start to cohere and work as as a team.
[03:31] Now there’s another important advantage to using the roundtable of experts method. And that is that it’s very efficient. Within the constraints of the limited time and resources that we have to conduct risk ID on any given topic, what you want to do is map the “person-years” of experience against a certain context, and elicit all of the various ideas of risk, to the maximum degree possible. And the best way I’ve found to do that is indeed in this round table session.
Alright so if we agree that the roundtable is the way to go, then the next step is to select the participants. So I assume first of all that there’s the risk champion or the chief risk officer. That is the person who’s taking the lead in the risk identification. And then that person is working with, let’s say, the person who is the head of the department, or the project manager for the topic under discussion. So that person will naturally want to invite the people who represent the key functional areas of the project: the finance person; the IT person; the engineering; and so on.
[04:36] I can offer a couple of guidelines. First of all, don’t invite people who are at different levels in the hierarchy, because it just means that the people who are at the lower levels are going to feel rather embarrassed, sort of constrained. They won’t really feel free to identify risk; they won’t feel comfortable identifying risk in the presence of their superiors. It’s much better to conduct separate sessions, each dedicated to one hierarchical level or another.
My next suggestion has to do with the number of participants. If you’ve got too few, than it’s simply not enough people to generate a rich discussion, and if you’ve got too many, then it changes the dynamics of the session. It becomes more like a lecture format. What I found through experience is that a roughly six to eight persons seems to be the ideal number, plus the facilitator.
[05:27] So in preparing for this session, as I suggested in an earlier episode, what you want to do is take that context paper draft, and shop it around to the various intended participants. Get their feedback on it. The advantages are really great, because it means that they’ve had a hand in actually establishing the scope and the assumptions that will go into the discussion. I’ll repeat a warning here: if you don’t do that, then you’re likely to waste a lot of valuable time at the beginning of the meeting just getting core concepts agreed upon. You may not even have time to finish the risk ID session, and you won’t be able to convene another meeting for quite some time — especially if it’s with senior people.
In addition to the context paper, you’ll want to prepare an agenda, just like you would for any meeting, and the advantage there is that you’ll be able to point out to the participants the points of the agenda, [especially] the deliverable for the session (which is also reiterated as the last item in the context paper) to reinforce that that notion. It is just a good facilitation tool to keep people on track, not to mention a good tool of due diligence, to act as a record to show who was invited, who showed up — who participated.
[06:40] Other aides to facilitation that you want to prepare for the session are the actual project document itself, which lists the goals and objectives; as well as any flow chart, illustrations, or any other graphics to refer to in the discussions; and the list of risk categories, that is sources of risk that you want people to review during the discussion to inspire people’s ideas about what the risks might be.
Now at the beginning of the session itself, you’ll of course want to review the agenda and review the context paper, and really reinforce the idea of the deliverable for the session. During the introductory remarks, you want to go over the guidelines for formulating a risk. Now this is important, because if you don’t do this you’re going to have risk expressed in so many different ways.
You know, during early experimentation we tried just using a few key words to express a risk. We found that that didn’t work. We tried using a longer, sort of run-on sentences or even paragraphs to describe a risk, and that doesn’t work either, because that approach simply crams too many risk issues into one statement — you can’t assess that and you can’t manage it very well either.
[07:53] So the end result of that was to establish a set of guidelines to create risk statements. I created a blog post on just that topic. Just go to my website RiskCommentary.com and scroll down to the search window. Type in “risk statement” and you’ll see the blog post there.
The great advantage in following such a set of rules is that you’ll have a body of qualitative information; that is, a whole bunch of text, put together in a consistent format, and that makes it much easier to aggregate and analyze.
By way of preparation, or even during the introductory remarks at the risk ID session, you want to review this set of guidelines for formulating risk statements. Give one or two examples so people get the hang of it, and at the same time repeat the definition of risk. People [must] really have reinforced in their minds the idea that it [risk] has to do with identifying the uncertainty that will impinge upon their ability to execute on planned goals and objectives.
[08:54] Well, at this point you ready to begin the risk ID session, and you might feel a bit of hesitation as to how to begin. If you do, just perhaps turn to your project lead and ask that person to kick off: to suggest the most obvious, or one of the most important, risks that has been on their minds. That will be a way to formulate the first risk; get it into the risk register; demonstrate the methods a little bit, and just in general break the ice and get the discussion started.
Now as facilitator, what you want to do is be very clear on whether you’re facilitating or you are participating as someone who can actually help to identify risk. And that is fine to do both; just make it clear on which role you’re undertaking at any given moment.
To facilitate the session, it is really is a question of going around the table, tracing through that context paper very carefully; that is, going through the goals and objectives piece by piece, step by step. Elicit the various ideas of risk from each participant as they peruse and consider the various categories (sources) of risk. This is the best way to map all of those person years of experience against the given context.
[10:17] Now you’ll have to exercise some judgment, because on the one hand it’s good to let the discussion run on a little bit. Let people start to, as I say, learn about each other’s job roles; understand one another’s view of risk, and yet you don’t want the discussion to go too far off track. Bring them back in gently to try to identify the risk for the goal or objective that is under consideration at that moment.
There’s a couple of [four] other finer points that I want to try to describe.
[10:47] 1. People will quite often go around and around on a certain set of problems, but at a certain point… and I know I’m not alone on this because I used to compare notes with my supervisor back in back at the office, or in the kitchen!, and we would find that we would be encountering the same thing. And that is that people tend to go around and around on a certain set of issues, but we would always have to encourage them: “Yes, but what is the risk?” In other words: What what is the precise uncertainty that is impinging upon your ability to execute on the given goal or objective? That is what we’re after!
[11:26] 2. That kind of precision in thinking about risk is really beneficial, because, first of all, it does away with the idea of just naming general trends, conditions and so on, as risks. In other words, people cannot simply put up their hands and say: oh, interest rate risk, or demographic risk, or something like that.
Let’s take an example. Let’s say that your business is particularly sensitive to US/CAN exchange rates. Well, you can’t suggest that the risk is the US/CAN exchange rate changing. Because that’s already a problem that has been studied and accounted for, and the response to that is already built in to your plan for action [i.e., as contingency plans]. If it’s not, then we have deficient plans (which I already covered in previous episodes on the planning function).
So it’s really not on to mention just a few glib keywords, and say, well that’s a risk statement; or to discuss some general condition or trend that should already have been studied [i.e., identified and understood as part of the environmental scan] and really taken account of in the design of the plans themselves.
[12:36] 3. Another attitude that you might encounter, though this is somewhat less common, is that people say that their plans for action are already the risk mitigation. They’ve already taken into account all of the risk and it’s already expressed in their plans, and therefore there’s no risk to discuss whatsoever!
Well, of course, that’s a misconception. You know, they might have well-prepared plans — and we want to see that, of course! But there will always be some degree of uncertainty with respect to their ability to execute on those intended actions.
You know there are a lot of finer points and nuances in the discussion of how to conduct a risk ID session…and a lot of this discussion is in my book. I can’t possibly summarize it all here, but one other point is:
[13:21] 4. It [the approach to facilitating risk ID] is going to be contingent upon your own personal style; the culture that you’re working with; how people process information; their learning styles, and so forth.
If you find this rather daunting, or even intimidating, don’t worry — you can start small-scale. Just start with a small group of people, on an experimental basis, maybe with some department that needs help on some project [who is] willing to help you explore the value of this method.
It’s perfectly feasible to run the session in tandem with somebody else, so that you’ve got a risk team that is working together to: prepare the risk ID session; prepare all of the various aids to facilitation, the context paper, and even to conduct the session in tandem — one person perhaps scribing, and the other one leading, and then maybe even switching roles.
I should say that for the purposes of ERM itself, that is, an enterprise practice, the idea is to do skills transfer, so that eventually everyone who’s a department head, or responsible for managing risk at the project or program level, is capable of preparing, setting up and conducting a risk ID session.
[14:37] Well, in the remaining few minutes of this episode what I want to do is to cast our minds back over the materials that we’ve been covering in the past several episodes, and [consider] how [those materials] really prepared us, and led us to the present point of actually being able to conduct a risk ID session.
Now, the reason for that is because, when you’re considering new ideas or new methods, it often takes several iterations, several repetitions, even in different slightly different words, to internalize and get the sense of what the whole thing is about. So let’s just review how much we’ve really accomplished in our preparatory steps.
[15:16] First of all we’ve considered a very specific definition of risk, and risk identification, and we refined that notion to make sure that we’re really focusing in on the goals and objectives.
Second, we took the time to really appreciate the necessity for a comprehensive and really profound planning function, so that we can make sure that the goals and objectives that are formulated are really well substantiated, and well expressed.
Further, we considered creating a context paper to define clearly the scope and the assumptions that go into any particular exercise of identifying risk on a given topic.
Finally, we avoided some of the pitfalls that could have been encountered by following risk ID methods that are incomplete; that have some sort of validity problem; or that ignore the value of actually having a group discussion.
In the first episode of this podcast series, I was talking about survey results showing that people really having difficulty with enterprise risk management. I traced the whole thing to misconceptions about definitions, and also a deficiency of methods.
[16:27] I think it’s very unlikely that, if you follow the suggestions I’ve been giving so far, you will find yourself in the same boat as those survey respondents. That is, you won’t find that your risk ID session is just a vague rehash of familiar issues. No, you’re actually going to be conducting a session that will deliver something much more profound than that.
Here’s my suggestion for the description of the deliverable [in a risk identification and assessment session]: “A comprehensive list of risks, arranged in several categories of analysis, with criticality rankings and mitigation measures, arrived at by consensus, to inform an improved business plan.”
Well, to actually complete that deliverable, after listing all of the various risks… we have to move on to risk assessment and that will be the subject of our next podcast episode.