We are discussing High Quality Risk Assessment. We can best prepare by accomplishing that classic step called “Establish the Context”. But how does this apply to my business? Context for risk assessment means projects, contracts, administrative workflows, technical processes, etc.

Show Notes


Main points              
Summary of the series to date. At this point in our podcast series we established the rationale and practical working definitions for Enterprise Risk Management. Now we are discussing methods, in particular the all-important core practice in Enterprise Risk Management, which I call High Quality Risk Assessment. 

Establish the Context. The first step (after, perhaps, communicate and consult) is usually taken to be: “Establish the Context.” What do the standards mean by that? They are rather vague about whether this applies only to the ERM initiative itself or not, we start with establishing the context for the purpose of preparing for a particular risk assessment.

Context Paper. To that end, in the last episode we explained in detail the best possible preparation for risk assessment is: it is to write what I call a Context Paper. The Context Paper sets out important headings. The purpose is twofold: to create a highly useful aid to facilitation; and to create a testament to due diligence. 

This follows on the important realization that a risk session facilitator must not fall into the trap of trying to identify risk in business settings where there are no goals and objectives. 

This, in turn, led us to consider over the course of two podcast episodes, the nature and quality of the planning regime in the organization.

Now the question arises, what if we can’t fit our operations to match the suggested headings? What if, especially, we don’t have a business with neat, hierarchical “goals” and “objectives”? Is that the only way to express our intended actions?

Special examples of Context

Consider these examples of what we can legitimately call “context” for the purpose of risk ID:
a. budgets
b. formal projects (project management)
c. contracts
d. workflows: administrative procedures or technical processes

e. performance management regimes
f. specialized disciplines

Caution: these various alternative contexts must still somehow express goals or intended actions that are clear, well-formulated, and substantiated through research.

Summary: What did we cover today?
1. A review of the true utility and rationale for “Establish the Context”. 
2. The primary way to prepare for a risk ID session: write what I call the Context Paper.
3. Various types of context alternatives that can be encountered.
4. We reiterate necessity for the risk manager to scrutinize the planning prior to conducting risk ID.


“The ERM champion must scrutinize the planning and even coach managers to adopt a complete planning practice... As a consequence, the risk information ultimately developed will make clear sense.” (Robertson, p.31)


E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016). The discussion on Establish Context begins in Chapter 2.2.