Risk Register and Breakthrough Mitigation

Episode: 012
Date: Tue 17 Aug 2021
Title: Risk Register and Breakthrough Mitigation

High Quality Risk Assessment means a process of sound planning; careful definition of context; and facilitating comprehensive risk ID. What is the true significance of the risk register you’ve built so carefully? How does it lead to dramatic, breakthrough risk mitigation?

Facilitating risk assessment
Last episode in our our discussion on how to facilitate High Quality Risk Assessment, we covered finer points on how to facilitate the session, as well as the minimum necessary steps to assess risk: Likelihood, Consequence, Existing controls; Tolerance. This methodology is presented as a generic model for your consideration.

Risk register – what goes into it?
Let’s move on now to consider carefully the full significance of the risk register.

What have we accomplished so far?
Do we have a one-dimensional risk assessment? No, it is multi-disciplinary.
Do we have notes from a wandering discussion? No, we have the result of a disciplined procedure.

In fact, we have semi-quantitative analysis; that is, the numerical ranking of a series of qualitative statements which might otherwise have simply been lumped together indiscriminately.

The qualitative statements (risk statements) are themselves a product of refinement, informed by:
– sound planning process;
– opinion of key persons;
– consistent definition of context and risk;
– contemplation of many sources of risk (risk categories).

Significance: Quality is being infused into the process at each step — without necessarily spending more time in planning and meetings than was done previously.

The risk ID process, using the closely defined and consistent formulation of risk statements — always focused on the intended goals and objectives — results in a document expressing a concentration of careful analysis.

The result: the risk register participants start to perceive the risk profile in a much more nuanced and insightful manner than they were able to do before.

Breakthrough Risk Mitigation
If the risk register is developed as we recommend, how does it lead to formulating mitigation action that is truly “breakthrough” and dramatic?

2 procedures
– expert participants in risk ID and mitigation sessions
– sorting on risk information to shed light on the risk profile

novel interpretation of risk profile: identify fundamental risks
– the risk profile that is more than the sum of its parts, thanks to the rigour in the process
– the insight is then possible into previously unnamed fundamental risks that undermine the business
– could be a trust issue, or personnel burnout, or something involving attitudes and motivations
– the sheer rigour in the process leads to addressing the issue and novel solutions

evidence-based decisions
– the risk register enables evidence-based decisions, where subjective experience can be gathered in a process that has credibility and rigour

consider values as serious risk criteria to arrive at novel solutions
– the mechanics of the operation seem fine, but complaints and harm to the business are values-related

creativity and innovation
– introducing imaginative and unorthodox solutions
– taking it offline as special project
– do not short-change this part of the process

How is the risk register used going forward?
– transformed from a static snapshot to a dynamic management tool

1. Facilitating High Quality Risk Assessment signifies not only procedural tips but also reviewing 4 distinct criteria for each risk.
2. The risk register, when complete, consists of highly refined and carefully qualified information, and has validity by virtue of the quality that went into the planning and risk ID processes.
3. The result is that participants are able to gain a much more complete, nuanced and incisive view of the risk profile than they would normally think of.
4. This enables, in turn, dramatic, breakthrough risk mitigation, often consisting of finally recognizing and solving fundamental and chronic business problems that were undermining the organization’s mission and operations.

”Poorly understood chronic problems often have to do with the nebulous and difficult questions of communications and working relationships…” (Robertson, p.58, Section 2.5 Risk Mitigation and Review)

(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation

(E.Robertson 2006) Navigating the Labyrinth: Risk Analysis for Tough Issues
This article relates 2 case studies: the consideration of corporate values led to breakthrough mitigation.


[edited for clarity] 

This is Episode 12 The Risk Register and Breakthrough Risk Mitigation. In the last episode on how to facilitate high quality risk assessment, we examined some the finer points on how to conduct the risk ID and assessment session, as well as the details of the risk assessment itself; the fact that it consists of four criteria, four lenses through which we view the risk in order to make a decision on how to respond to it.

Keep in mind that this is all a generic methodology that was developed and refined over years with many different clients. And so you can check your methods against it, or if you’re just starting, out you can use it as a starting point. At all points in this risk methodology, I’ve tried to be as efficient and minimalist as possible, but still maintaining the quality and the depth of analysis that we need.  

[01:33] So at this point, I feel it’s important to consider carefully exactly what we’ve accomplished so far, and to see how the risk register, in the form that we now have it, compares to what you might have taken before to be risk assessment. If we consider risk assessment as we’ve built it so far, and expressed it in the risk register, how does it compare with the way you would normally conceptualize risk assessment?

First of all, clearly it’s not going to be risk assessment from the point of view of one discipline. That is, let’s say, risk assessment from the financial point of view. Now how does financial risk analysis compare and relate to what we’re talking about here? That’s a different discussion which will get into [planned for Ep. 17] but let it be said for now that we’re not simply considering the calculation of value at risk, and so on. Rather, we’re considering the risks that are impinging upon planned goals and objectives, but these are the uncertainties that are revealed by considering all sources of risk — not just through a financial analysis.  

Second, you’ll have to admit that the result here is going to be far better than what we would have gotten through an informal discussion of risk, with, let’s say, some action items or meeting notes that were taken in a rather random fashion. What we’ve actually accomplished is semi-quantitative analysis. This is not easy to do. We’ve taken qualitative information and somehow assigned ranking and numerical values to it, so that we are able to set things in priority according to numerical magnitude.

[03:06] Semi-quantitative analysis [takes] a whole series of qualitative statements [i.e., risk statements] and sets them in order of criticality. But already those statements were infused with a high degree of refinement. You know, I’ll insist on this point: they were the result of a careful planning process, eliciting opinion from all of the key people around the project, using a consistent definitions — of the context and of risk — as well as a comprehensive review of all of the various sources of risk.  

So what we’ve done is to sort of infuse quality and careful deliberation at each step [even] prior to the risk assessment. Even though this would not necessarily take a great deal more time than you would normally spend in planning and in meetings, the quality that is achieved is much higher. 

Now since we insisted at the front end on high quality, with regard to substantiating goals and objectives and formulating risks in a very precise way, always directly in relation to those goals and objectives and corporate values, the end product — the risk register — is a document that expresses a very fine and concentrated analysis. The result is that people start to perceive the risk profile of the business in a much more nuanced and insightful way than was even possible before.

[04:29] When you focus on identifying the uncertainty — the precise uncertainty that bears upon the ability to execute on goals and objectives — then you find that the analysis is very incisive indeed.  

Now I’ve seen examples of this time and again, where once people get into a risk ID session and start to participate in this cadence, this rhythm that is developed (considering the context; identifying the risk; formulating it; checking back to make sure it’s correct; then moving onto the next issue) — as they go through this, in a rather disciplined fashion, making sure that to trace through all of the different goals, objectives and corporate values, then at a certain moment things sort of reach a critical mass. It “clicks over”, people start to nod in agreement and say: okay now I understand what the true risk profile of this project is! I now understand what risk assessment is really all about. 

[05:26] That in turn allows for the identification of mitigation that is not normally considered. So how does this happen? Well first of all let’s consider two procedural things. First, if you don’t have them already, you can consider inviting around the table the people with the highest degree of expertise that you can possibly find with regard to the most difficult risks that you’ve identified. So often it’s bringing to bear this expert knowledge… people who’ve had experience in this area before but who you may not have consulted, who can actually bring fresh ideas to the table.  

Second, you can take the risks, which are set out in a relational database or spreadsheet, and sort on them, according to different categories. [This] starts to shed light on the risk profile in different ways. So for example, if you sort all the risks by “risk category”, then you could discover that, let’s say, 80% of the risks have to do with [for example] training issues. Then again, if you sort the risks by “department ”, you might find out that [e.g.] 60% of the risks reside in one part of the organization that needs special attention.  

[06:34] Instead of spending resources on risk mitigation in a rather fragmented way, where you encounter issues here and there, you’re setting clear priorities and coordinating mitigation efforts.

Now in searching for breakthrough mitigation, there’s something else that happens that’s worth mentioning, that is really the result of the rigour of the process, and the quality of the information you have developed. You see, there’s a distinction between “perceived risk” — what people imagine to be the risk at the start of the process, and then what people perceive to be “the real risk” as a result of your rigorous process.  

[07:11] What that leads to is a realization: something is stated that was perhaps floating around in people’s minds before, but never articulated. It was never conceived of as a risk, simply because it was the “water that all the fish were swimming in”, so to speak. It’s only that sort of detailed and exhaustive analysis which can suddenly reveal something to be fundamental [i.e., a fundamental risk] and sometimes it takes the facilitator to name that issue.

Often this sort of thing results in identifying… a trust issue. Something that is difficult to bring to the table, actually express and admit to, but in the face of this logical analysis, it becomes inescapable. That could be the real risk that was underlying the whole project; the whole uncertainty that is surrounding this endeavour.

Now this leads to positive action. I’ve seen this happen, where people, once having identified an issue that is fundamental to their risk profile, that is really undermining their efforts on a broad scale… once they admit this, then they can start to consider ways to address it, and even if they can’t fix it themselves, they can appeal to a higher authority. They can get help to somehow solve this problem.

[08:32] It could have to do with establishing trust between the core agency and one of its stakeholders. It could have to do with the fact that personnel are getting burnt out, and it’s not politically or culturally appropriate to admit that issue, or even bring it to the table as a problem, because it’s just considered to be whining. Whereas, if you have the risk register completed, to point to as evidence, you can say: “this is not subjective whining, this is an objective problem that is affecting the delivery of our services.”  

Many solutions in healthcare, for example, have to be evidence-based. It’s hard to marshal evidence in many areas where it relies on the subjective experience of groups of people. So this is the best way I’ve seen to collect subjective experience around a given issue, and yet do so in a balanced way, with all different viewpoints being expressed, and then… to aggregate and quantify the information in a way that has credibility and rigour.  

[09:35] Alright so you can consider how the most critical risks have been identified in this structured process, and now you’re considering them with the help of, perhaps, some expert participants sitting around the table. You’ve highlighted aspects of the risk profile that you hadn’t realized before by sorting on risk information in different categories. You’ve got perhaps the realization that there are fundamental issues that were never admitted before, that are really staring you in the face, by virtue of the clear evidence in the risk register.  

So all this leads to the possibility for dramatic or breakthrough risk mitigation. You’ve finally arrived at the point where you’ve got a unequivocal identification of a real problem, and you’re concentrating your efforts on trying to solve it.  

[10:18] The solution need not be particularly novel. It’s just the fact that you’re taking action that makes it special. I’ve seen a case, for example, where [people in] a very conservative culture agreed to take courses in interpersonal relations and negotiation — something that they would never normally consider doing. Then again, I saw a group that was able to identify professional burn-out as the most critical risk, and finally get help with the issue.

Now when you’re dealing with risks of this magnitude, that fundamentally undermine the efforts of the organization, then of course it’s entirely feasible to take it off-line, and to create the mitigation as a sort of side project, to arrive at the most innovative, the most effective solution that can possibly be found. That’s not wasted time, because that’s going to fix the core business.  

[11:08] Now at the strategic level, I’ve seen solutions that consisted in things like giving more resources to this program or that program, or attenuating the resources and perhaps closing off this program or that program. Those sorts of decisions are not easy to arrive at, because they they involve considerable amounts of resources and personnel. And yet you can’t make a decision like that unless you balance out all of the various possibilities, all of the various risks in a strategic view, in a process that has structure, that has credibility, that can be signed off by all the various participants. 

[11:50] In another example, dramatic or breakthrough mitigation was found by a group, by virtue of them considering corporate values as risk criteria. Before that, they had an operation that was going, seemingly, pretty well on the surface, and yet they were experiencing bad press, so to speak — criticism, complaints, but no fault could be found upon reviewing the mechanics of the operation. 

 The dramatic risk mitigation was formulated after they considered the fact that their values — that is, their rules on how to treat clients — were not being consistently followed.

There’s a point of process that bears mentioning here. When you get to the stage of risk mitigation in high quality risk assessment, often it’s later in the process, that is, later in the day, and people are tired. They actually might be anxious to end the meeting, and carry on with their working life. But if you think about it, this is not the part of the process to short change. You want to take a break, make sure that people come back to the risk mitigation portion of the exercise with a fresh mind, with fresh energy.

[12:54] After all, if you don’t focus your energies here, and really arrive at solutions to the most critical risks that you’ve identified, then the whole process will have been for nought.

Well, let’s circle back around to the risk register, and make some comments on the significance of that document. The value that you’ve created by fixing the planning process, by creating the context paper, by convening risk ID sessions on major projects and endeavors for the organization — all of this value is not lost. Rather, it is perpetuated as you go forward, because the risk register is transformed from a static snapshot of the risk profile into a dynamic management document.

[13:36] What that means is, you use the risk register as a way to manage the business, to manage the project going forward. You can review the risk register at regularly scheduled meetings, by seeing which mitigation strategies have been acted upon; which ones are complete; which ones are still outstanding; what new risks might have come up that need to be added; and which old ones can be retired. In that case you don’t delete the risks from the risk register. You simply strike them through so that you’re still able to read them. That way you can refer to the document at a later date when you’re comparing it to a similar project: you can see historically what the risks were that you identified — that were mitigated, the ones that came to pass, and so on.  

[14:17] I mentioned before about how so much meeting time is wasted. And that’s been shown in the studies. Introducing the risk register — which you’ve taken a lot of care and time to build properly — into the management practice, to actually help you run meetings and make them more efficient and to stay on track, could be very beneficial.  

[14:35] Well, let’s review what we covered today. Here’s a summary:
1. Facilitating high quality risk assessment signifies [involves] not only the procedural tips that we’ve been discussing, but also reviewing four distinct criteria for each risk. Those were: Likelihood, Consequence, Tolerance and Existing Controls.
2. The risk register, when complete, consists of highly refined and carefully qualified information, and has validity by virtue of the quality that went into the planning and risk ID processes.
3. The result is that participants are able to gain a much more complete, nuanced and incisive view of the risk profile than they would normally think of.
4. This enables, in turn, dramatic breakthrough risk mitigation, often consisting of finally recognizing and solving fundamental and chronic business problems that were undermining the organization’s mission and operations.

Let’s close off today’s episode with a brief quote on the nature of some of the more challenging problems encountered in organizations: “Poorly understood chronic problems often have to do with the nebulous and difficult questions of communications and working relationships.”

So I hope that today’s episode was helpful, to point to ways to identify and get to the bottom of some of these more difficult challenges, and actually solve them.







Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Leave a Comment

Your email address will not be published. Required fields are marked *

Social Media

Recent Posts

Get Transcripts | Resources

Subscribe To Our Monthly Newsletter