Saturday, May 21, 2011

Talbot's Top Ten Tips for Presenting Risk Assessments

  1. Bind it. Just this tip alone will probably improve your acceptance rate. When you’re happy with it and your boss, colleagues, etc. have had at least one review of it, bind it. It doesn’t matter whether it is spiral bound, comb bound, wire bound or whatever, but put a clear plastic front sheet on it and a black plastic back cover on it, then bind it. It’s easy to scribble comments on a report that is just stapled together because it looks like a draft. Conversely, it’s easy to sign off on a professionally bound document. Even if it isn’t perfect, it looks finished. So the moral of the story is: if you want something signed and accepted – bind it!
  2. Format it nicely.  Make it look professional.  If you don’t have the skills to do it, then find someone to help you with it.  You’ve spent a lot of time on doing the analysis, interviews, and legwork but in the years to come, most people will judge all that effort purely by the quality of the report.  Make it worth reading, but also put the odds in your favor – structure, format and present it in a way that will make people want to read it. 
  3. Corporate templates.  Use the corporate style sheets, templates or formats if they exist. People are more receptive to information that is presented in a familiar way.
  4. Structure it in the way that people want to read it. By all means do the analysis in the logical sequence (e.g. as per Section 5 of ISO 31000) but don’t present it that way. Assuming they even read past the Executive Summary, most people want to read the results of your analysis in something like the following order: Executive Summary, Context, Risk Register, Proposed Treatment Plan, Conclusion, Appendix A: Terms of Reference (Scope), Appendix B: Methodology and Analysis.
  5. Back it up with a PowerPoint Presentation.  Build a succinct presentation of the key points using supporting diagrams (only if they are relevant and aid communication). You may never need to present it but if you do, you’ll look like a true professional (Tip: If asked to do a presentation just say “Sure thing, give me 30 minutes and I’ll have it ready.”).  Even if you never present it using a data projector, a 4-page printout based on a PowerPoint template will look professional (and you again come out looking like a legend). 
  6. Take one last read of it before you submit it and ask yourself: what would my audience want to know/see/understand after reading it, and what action do I want them to take after reading it? 
  7. Use diagrams, graphs and visuals wherever and whenever you can.  Most of us are busy people – a picture paints a thousand words and if you want to get your message across to someone who is skimming your document (let’s face it, we all do it) then put a graphic in for each key point. 
  8. Tell a story. The human mind is more attuned to learning and interpreting information through stories rather than facts or statistics. Equally importantly, we remember stories much more readily than we can recall facts. Find a way to link the key points in a narrative that speaks to emotion as much as it does to facts. It may be equally true to say that “Our Lost Time Injury Frequency (LTIF) rate was 0.04% last year” or that “Last year 43 out of our 1,200 employees suffered injuries severe enough that they were unable to work one or more rostered shifts”, but the latter version gets the point across in a much more meaningful way. Use natural frequencies and real events where you can in order to illustrate key points.
  9. Back the story up with facts. Use statistics, references, incident reports or in-house data wherever you can reasonably and appropriately do so. If you don’t have the facts, don’t make promises by saying XYZ “…will create…”. If the message is important enough to be included but you don’t have the data, use a phrase such as “is likely to create…” or “has potential to…”. E.g.: “Failure to adequately train staff as part of the project roll-out is likely to create delays and budget overruns due to additional help-desk intervention.” You still get the key message across, but your audience won’t get distracted by refuting your unsubstantiated claim.
  10. Show us that it’s not just something you made up on the weekend while watching the tennis.  Include a list of all the persons you consulted. Reference the documents, databases and records that you reviewed and list the dates/places/attendees of all brainstorming workshops, etc. It adds credibility to the overall report and answers many of the questions that critics or budget holders will have regarding the analysis and recommendations.
Bonus tips
Two final tips for large organizations.
  1. Control the document. Do a Stepback 5x5 on the completed document by taking a metaphorical 5 paces back and spending 5 minutes thinking about: Who may/can/should/must see this? Could it be misinterpreted or misunderstood? Does it have the right classification, version control, author (take credit where it’s due), document sponsor, etc.?
  2. If it’s big enough and important enough, hire communications experts to get the message across, especially when you are presenting plans and recommendations across a large organization.  Like any product, good marketing and advertising can repay itself many times over.


Saturday, May 14, 2011

Dealing with nebulous risks and risk adaptation

I’d just got off a long distance bus ride in India, at the usual crowded, chaotic celebration of life that is an Indian bus station. The bus had made its first stop in about 4 hours and we had 3 more hours to go. I was in dire need of a pit stop, so I was one of the first off the bus and quickly found what passed for toilets in an Indian bus interchange in 1982. Despite my need, I was back on that bus 5 minutes later and chose to sit for another two hours with legs locked tightly together rather than use the facilities. It wasn’t that I couldn’t find them or that they were too filthy – I’d been standing in front of the relatively clean urinals when I decided that I could do the formerly impossible and hold on for another two hours.

So what was it that made me change my plans? I’ll put it down to experience and being prepared to change plans if the environment required it. Even though I was only 19, I’d already spent 18 months backpacking in remote and wonderful locations, so I had a good sense of what was ‘normal’ in that part of the world. Quite simply, I’d walked in completely fixated on using the facilities and had ignored the three men already in there. Now three men in the gents isn’t exactly abnormal, but my instincts had picked up that something was wrong well before I’d even noticed anyone or anything. Fortunately I listened to them and, despite standing squarely in front of the urinals, I turned around and walked straight back out without so much as unzipping my fly.

The odd part of the equation was my behavior, but what had prompted it? Well, one of the men was lingering at the doorway keeping a lookout (which was obvious in hindsight), another was bent over at the hand basins but not washing his hands, and a third chap was at the urinals but not urinating. To this day I don’t know for sure, but I’m convinced that the moment I was in full flow I would have had two guys behind me, possibly with a knife, lifting my wallet while the third kept a lookout to make sure no-one was coming. A perfect setup for a robbery, with little that I could have done to prevent it. Some of the things that convinced me of this were: the look of surprise and disappointment on their faces, the fact that the two in the toilets moved towards me as if to cut me off as I walked out (I was too quick, fortunately) and the fact that none of them walked out in the few minutes I spent watching from outside. In retrospect, I should have told a police officer in order to prevent another person being robbed, but frankly at the time it didn’t seem like I would get much response if I told them that there were three men standing in a toilet. In any case, it wasn’t a normal response to their carefully prepared plan and I walked out with a straining bladder but with my cash and dignity intact.

The point of this story is twofold:
1. Firstly, that I changed plan in response to a changing environment.
2. Secondly, that my response was unexpected – particularly to the other three (although also to myself).

The story illustrates two of the issues at the heart of risk management. All risks are complex, multi-dimensional and changeable, but too often we stick to our carefully determined plans with a “full speed ahead and damn the torpedoes” mindset. Indeed, in the business world, changing plans is often seen as a sign of weakness or vacillation. Sometimes it is, sometimes it isn’t. The trick is to be honestly open to new information or circumstances, and to be prepared to act on it.

This applies to any type of risk, whether man-made or natural, financial or physical. Equally though, we need to consider the other side of the coin. What happens when our adversary or business counterparty changes their plans? Will we be as unable to adapt as my three adversaries at the bus station were? It’s the unexpected that changes the risk dynamic, and even the experts often get it wrong in this regard. When the Nobel prize-winning economists behind Long Term Capital Management (LTCM) thought they had derivatives risk fully calculated, they took on ever-larger trading positions, but even they couldn’t factor in all their counterparty risks. When Russia devalued the rouble in 1998 and declared a moratorium on 281 billion roubles ($13.5 billion) of Treasury debt, the LTCM exposures created an international financial crisis. In the end the Federal Reserve Bank of New York had to organize a bailout of $3.625 billion by the major creditors to avoid a wider collapse in the financial markets.

In a similar vein, we might put serious countermeasures in place to prevent a terrorist attack, but how do you factor in just how the terrorists will change their plans based on your changed defenses? Equally, do we adequately consider human factors in our response to natural disasters? If, for example, we build a public hurricane shelter in a small town, could that mean a higher death toll because nobody leaves town when a hurricane alert is declared? Risk is a complex equation with no simple answers.

So just how do you address those nebulous risks?

There is no single way to address every equation around nebulous risks. You’ll have to figure out each situation for yourself, but here are the three best ways that I know of to address such risks:

  • training
  • training
  • training

Investing in training for managers at all levels (including risk managers) is the most effective way I know to address those volatile and little-understood risks which can only be described as ambiguous or nebulous. One simple example: when I was managing security for the Australian Trade Commission, one of our big risks was travel safety. ‘Travel safety’ is a nice catch-all term for everything from bad food to terrorist attacks and about a million other issues in between. As most similar organizations do, we used government travel advisories along with in-house analysis and information from a range of sources to provide travel safety briefings to our people. This by itself is a good thing, but when you factor in the different issues not only between countries but also within regions, cities and even suburbs in any given country, a ‘one-size-fits-all’ travel advisory is manifestly inadequate. Our biggest challenge, however, wasn’t the country risk but working out the capabilities and experience of our staff. At one extreme we had ex-military personnel with a pile of used passports who we could have dropped into Iraq without hesitation, while at the other extreme we had people who’d never left their home country.

The widely different levels of experience meant that no two people ever really faced the same risks. The sort of scams, robberies or even food poisoning problems that would have been the end of a trip for some of our people were virtually irrelevant for others. Assessing people’s experience levels was something that our team did as a routine practice, but it was time consuming and relied on their intuition, so we couldn’t really call it systematic. One of the things that I’m most proud of from my time at Austrade was leading the exceptional team that built the travel safety training program. The purpose of that 3-day program was to provide a base level of awareness, ability and skills that any individual could apply without having a security advisor standing beside them. And equally importantly, we needed to deliver those skills consistently and systematically to all staff who travelled. With a team of highly experienced individuals, we did indeed develop a training program, which continues to be critically acclaimed by attendees and their managers.

We couldn’t manage every risk by remote control and we couldn’t prepare people for risks that we couldn’t anticipate, but what we did manage was to prepare them by giving people a level of proficiency sufficient to manage most risks themselves.

Monday, May 9, 2011

5.3.4 Risk Management Context

At this stage of 'Establishing the Context', you might like to consider what assets you are trying to protect, and from what events, hazards and sources of risk. This is the place for considering issues such as:
  • Sources – What are the sources of risk that the organization faces?
  • Assets – What assets are we trying to protect?
  • Stakeholders – Who are they? Which ones have influence and which ones are affected? 
  • Goals and objectives – What do we hope our risk management systems will contribute to the organization? What are the strategies that we will or do use to achieve them?
  • Responsibilities – Who exactly is responsible for what in our risk management systems?
  • Resources – How many resources do we have available? Is it enough or too much? What budget and resources do we actually need?
  • Scope – What is the depth and breadth of our risk management activities? What exactly will we address and what will we not address? What activities, processes, functions, projects, services, assets or products are we addressing? What locations, departments or businesses are we concerned with?
  • Documentation – What records will we keep? Who will keep them? Where? For how long?
  • Methodologies – What methodologies will we use?  To what extent and in which areas?

Answer each of the above points as a section heading or in a table in your risk assessment and you'll have covered most of the bases for

Examples of Sources of Risk Facing an Organization
  • Animal health
  • Asset management and resource planning
  • Audit
  • Bank management and risk analysis
  • Biological agents
  • Business continuity planning
  • Business interruption
  • Business law and practice
  • Computer networks
  • Conservation and environment
  • Contingency
  • Contract management
  • Corporate environmental management
  • Corporate governance
  • Criminal elements
  • Design liability
  • Disaster
  • Discrimination
  • Emergency planning
  • Employment procedures
  • Engineering changes
  • Environmental health risk management
  • Environmental issues
  • Ethics issues
  • Feasibility studies
  • Federal government
  • Finance
  • Financial management
  • Fire detection
  • Fire prevention
  • Foreign exchange operations
  • Foreign intelligence services
  • Fraud
  • General liabilities
  • Global resources and energy management
  • Harassment
  • Human factors
  • Human health
  • Human resource management
  • Information systems
  • Information systems security
  • Insurance
  • Investment and portfolio management
  • Knowledge management
  • Legislative compliance
  • Local government
  • Maintenance systems
  • Managing people and organizations
  • Occupational health and safety
  • Operations management
  • Organizational change
  • Organizational culture
  • Plant health
  • Political change
  • Politically motivated violence
  • Probity issues
  • Product liability
  • Professional advice
  • Project management
  • Public risk
  • Quality assurance
  • Reputation issues
  • Research and development
  • State government
  • Strategic management
  • Technological change
  • Terrorist groups
  • Training
  • Transport
  • Treasury management
  • Zoological agents

The table below offers a number of typical internal and external sources of risk, broken up into four primary categories of Strategic, Financial, Operational and Hazards. This list is by no means exhaustive, but it can be a useful analysis tool for starting to consider and evaluate sources of risk.

External sources of risk
  • Strategic – Competition, Customer changes, Industry changes, Customer demand
  • Financial – Interest rates, Foreign exchange, Credit, Financial markets
  • Operational – Legislation, Culture, Board composition
  • Hazards – Contracts, Counterparty risk, Natural events, Suppliers, Environment, Hazardous materials

Internal sources of risk
  • Strategic – Management decisions, Research and development, Intellectual capital, Capability
  • Financial – Cost management, Liquidity, Cashflow
  • Operational – Accounting controls, Information systems, Supply chain, Recruitment and retention
  • Hazards – Public access, Human factors, Property, Products and services, Work practices

A similar analysis of each of the key questions above (Sources, Assets, Stakeholders, Goals, Responsibilities, Resources, Scope, Documentation and Methodologies), although time consuming, will yield all the answers you need. For a short risk assessment, you might find that all you really need is a paragraph on each and you'll have covered it. For a more complex risk assessment, you might need a large table and a full section on each item. Context is king, in this as in all things risk.

Wednesday, May 4, 2011

5.3.3 Internal context

The internal organizational context is (unlike the external environment) something which most organizations are able to at least influence, if not control. An organization's risk management systems operate within the parameters of the organization's culture, processes, structure and strategy.
Understanding the internal context is fundamental to any risk management activities, and TECOP analysis is one of the easier ways to quickly gain this understanding. TECOP stands for Technical, Economic, Cultural, Organizational and Political factors. Another variation of TECOP replaces Cultural with Commercial; however, the significance of Cultural factors in the internal context warrants a place of its own.

  • Technical factors include information and communications technology (ICT), R&D, equipment and machinery.
  • Economic factors include the financial management systems, cashflow, capital reserves and commercial viability of the organization.
  • Cultural factors include demographics, collective attitudes and behavior characteristics of the organization.
  • Organizational factors include capabilities, policies, standards, guidelines, strategies, management systems, structures and objectives.
  • Political factors include governance, internal politics, decision making systems, stakeholders, roles and accountabilities. 

Getting the bullet points together to establish the internal context is relatively quick and easy if you put a matrix on a whiteboard as part of a brainstorming activity, and TECOP is one of the quickest ways I know to achieve this.

Organizational Culture
The most challenging area for an organization to establish is typically the third element of TECOP analysis: culture. This area of organizational culture deserves several books in its own right, so I’ll just mention it in passing as it is an as-yet underexplored area. A popular definition of culture is "the way things are done around here", and a recent public inquiry described culture as an organization’s "personality – sometimes overt but often unstated – that guides the decision-making process at all levels of an organisation".

Many organizations have developed and implemented risk mitigation procedures to assist management and control key business outcomes before, during and after incidents. A significant body of research is available to suggest that there is a correlation between organizational structure and culture which impacts the effectiveness of risk management solutions. Henri Fayol, in his early management studies, suggested that esprit de corps is a vital ingredient in any organization. More recently, the NSW Independent Commission Against Corruption (ICAC) stated that “...organisational culture has a strong influence on the way people (staff) act in their day-to-day work…”

Organisations often know their operational climate from daily observation, or simply know it intuitively. To measure, assess and report on the deep-seated drivers of beliefs, values, practices and assumptions in an organization, on the other hand, can be a much more challenging task. Cultural surveys, particularly a survey of risk culture conducted by an independent expert, are often the only way to really objectively understand what is going on inside an organization to drive behaviours in relation to risk.

--------------------------------
Example of an Internal Context Statement

Approximately 20% of ABC Megagroup revenue is from gold processed at Alphaville and the XYZ mining operations in Panaland constitute a critical part of ABC’s asset base.  


XYZ maintains an office in Sydbourne and a permanent minesite camp in western Panaland known as Alphaville, which is roughly in the middle of an 800 square kilometer exploration lease. Alphaville is located in an area known as Woomerera, which is between Bogabilla township and Lake Freshwater. During the exploration season a number of temporary camps are also established as needed to support exploration activities.


XYZ operates an ICT network using Macintosh computers and servers. Alphaville is connected to the internet via 2 satellite connections to provide redundancy, and the internal network operates via VPN over these satellite links. All facilities have HF radio, satellite phones and internet; however, mobile phone coverage is not available at Alphaville.


Mining activities are conducted year round, while exploration activities at Alphaville are only conducted during the dry season (April to October) as the roads and rivers in the Woomerera area become impassable during the wet season. The minesite at Alphaville commenced operations 2 years ago and utilizes state-of-the-art open cut technology (Ref: Appendix X: Assets).


Two hundred and twenty staff are permanently based in the Sydbourne office, while approximately 900 to 1,000 staff are based out of Alphaville. A recent cultural survey highlighted a strong risk management culture and high levels of morale among the workforce.