If you have a specific issue or question that you’d like to address, please let me know, but here's a short list of thoughts that are finding their way into the book.
Let's start with the three most common errors when doing a risk assessment:
- Inadequate risk identification. Will the real risk please stand up! How to identify and document a risk in watertight fashion.
- Failure to show a link between proposed treatments, the risks and organizational objectives. Watch out for an example of a risk register which links risks to both organizational objectives and to treatments. If you can't show these linkages, then why should your treatments get funding?
- Failing to understand the context. Don’t do it. If you don’t nail the context, you will never get agreement on the risks.
Why failure to identify risks is the leading cause of inadequate risk assessments
Inevitably, we will fail to anticipate or identify many risks simply by the nature of uncertainty. The main problem is typically a failure to explicitly state a risk in terms which allow stakeholders to accurately consider it and agree on effective treatments. You can't just say 'Terrorism' is a risk or 'Climate Change' is a risk. Those aren't risks! They are words from a dictionary. Have a look at 'The CASE for risk identification' for a simple way to correctly describe a risk.
How to know whether or not you need a subject matter expert to help you and if so, how to select the right consultant for the job
This one is worth an entire book on its own. The section on 'The Elusive Risk SME' will cover a ten step process that should help you find someone who has the skills you need when you need them.
How to build a watertight yet succinct risk management plan that will get funded
Ah, yes. One of the Holy Grails of risk management. Designing a good risk management plan is one thing but, as most people will agree, getting it funded is a whole other step.
How to spot the flaws or weaknesses in a risk report (yours or someone else's) in minutes
This is much easier than it looks. Just ask these three questions:
- Do all the risk statements satisfy the four requirements of the CASE Tool? (Condition, Asset, Source, Event)
- Do all the treatment recommendations satisfy the requirements of the 4A’s? (Appropriate, Agreed, Actionable, Achievable)
- Can you easily draw a causal link back from each risk treatment to the risk that it’s treating?
That’s all there is to it. Hit those buttons and you’ll pick up 90% of the strengths or weaknesses in a risk report – and look like a guru in the process.
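The three questions above, together with the risk register linkages mentioned earlier (risks tied to organizational objectives and to treatments), can be turned into a mechanical check. The following is an added example, not code from the original post: it models a register with the CASE fields on each risk and the 4A flags on each treatment, then reports any risk statement that is only a "dictionary word", any risk not tied to a known objective, any treatment that fails one of the 4A's, and any treatment whose causal link points at a risk that does not exist. The data model, field names and the sample register contents are assumptions constructed for illustration.

```python
"""Risk register linter for the three questions: CASE, 4A's, and causal links.

Added example; not from the original post. The Risk/Treatment structure and the
sample register below are constructed for illustration only.
"""
from dataclasses import dataclass

CASE_FIELDS = ("condition", "asset", "source", "event")
FOUR_A_FIELDS = ("appropriate", "agreed", "actionable", "achievable")


@dataclass
class Risk:
    risk_id: str
    condition: str      # the circumstances that make the event possible
    asset: str          # what is at stake
    source: str         # where the threat originates
    event: str          # what actually happens
    objectives: tuple   # ids of the organizational objectives this risk threatens


@dataclass
class Treatment:
    treatment_id: str
    description: str
    treats: str         # risk_id of the risk this treatment addresses
    appropriate: bool
    agreed: bool
    actionable: bool
    achievable: bool


def missing_case_parts(risk):
    """Question 1: which of Condition, Asset, Source, Event are blank?"""
    return [f for f in CASE_FIELDS if not getattr(risk, f).strip()]


def missing_four_as(treatment):
    """Question 2: which of the 4A's does this treatment not satisfy?"""
    return [f for f in FOUR_A_FIELDS if not getattr(treatment, f)]


def lint_register(objectives, risks, treatments):
    """Return a list of findings; an empty list means the register passes all three questions."""
    findings = []
    risk_ids = {r.risk_id for r in risks}
    for r in risks:
        gaps = missing_case_parts(r)
        if gaps:
            findings.append(f"{r.risk_id}: risk statement is missing CASE parts {gaps}")
        if not r.objectives:
            findings.append(f"{r.risk_id}: not linked to any organizational objective")
        for o in r.objectives:
            if o not in objectives:
                findings.append(f"{r.risk_id}: links to unknown objective {o}")
    for t in treatments:
        gaps = missing_four_as(t)
        if gaps:
            findings.append(f"{t.treatment_id}: treatment fails 4A checks {gaps}")
        if t.treats not in risk_ids:  # Question 3: the causal link must land on a real risk
            findings.append(f"{t.treatment_id}: no causal link, treats unknown risk {t.treats}")
    return findings


# Constructed sample register (hypothetical organization).
OBJECTIVES = {"O1": "Keep the customer portal available", "O2": "Protect customer records"}
RISKS = [
    Risk("R1", "the VPN appliance is running unpatched firmware", "customer records",
         "an external attacker", "bulk exfiltration of customer records", ("O2",)),
    Risk("R2", "", "", "", "Terrorism", ()),   # a dictionary word, not a risk statement
    Risk("R3", "backups are stored only in the primary data centre", "customer portal",
         "a regional power outage", "loss of the portal for more than a day", ("O1", "O9")),
]
TREATMENTS = [
    Treatment("T1", "Apply vendor firmware patches within 14 days of release", "R1", True, True, True, True),
    Treatment("T2", "Install bollards around every site", "R2", True, False, True, False),
    Treatment("T3", "Replicate backups to a second region", "R7", True, True, True, True),
]

if __name__ == "__main__":
    for line in lint_register(OBJECTIVES, RISKS, TREATMENTS):
        print(line)
```

Run against the sample register, the linter flags R2 (three blank CASE parts and no objective), R3 (an objective that is not in the register), T2 (not agreed, not achievable) and T3 (a treatment with no risk to point back to); R1 and T1 pass cleanly.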
How to build an all-hazards risk management framework that deals with Black Swans
Plenty of research can help you out on this. In particular, look at the studies that have been done into a group of organizations which continue year after year with better than average safety records despite operating in some of the most dangerous and complex arenas the world has ever seen. ‘High Reliability Organizations’ (HROs) is the common term for a category of organizations such as air traffic control systems, aircraft carriers and nuclear power stations that seem to continue on and on despite dicing with calamity on a daily basis. Karl Weick and Kathleen Sutcliffe have a great book on how to incorporate the lessons from HROs into your organization called 'Managing the Unexpected'.
Enterprise risk management
Enterprise Risk Management (ERM) is more than just a question of scaling up. You can’t simply aggregate all the risks for an organization into a database and say that you have ERM sorted. What the CEO and shareholders see and what they care about at the enterprise level are often quite different from the risk management issues at the operational or tactical level. If, on the other hand, you implement ISO31000's Risk Management Framework, you will be 90% of the way there. Let's not over-complicate things: Enterprise risk management is just risk management with a scope that includes the entire organization.
How to introduce a continuum of risk management tools so that everybody from the cleaner to the CEO can apply appropriate risk assessment tools
Often people complain that “risk management is too complex” and usually they are right. Not because risk management is too complex but because they are trying to use a chainsaw to prune a bonsai. Get the right tool for the job and you’ll be fine.
Adapting ISO31000 to meet the needs of everyone - whether in safety, procurement, finance, security, information technology, human resources or the Board of Directors – and doing it in such a way that they will buy in to it
Read the book! OK, just kidding (sort of). ISO31000 has been designed to be generic. It works for everyone at all levels. In fact, that’s the real power of the standard. It’s not that it’s inherently the best of all possible risk management systems – nothing could promise to do that – but when you apply it across the board it allows you to aggregate and compare risks in a consistent fashion. I was asked, after a presentation in the United States recently, what I thought of risk management in the US. I replied that I thought it was great but that there were about 432 different flavors to choose from. At the same conference two presenters had given excellent presentations on terrorism risks to US ports. One system was done by the New York Port Authority and the other was done by the US Coast Guard using Los Angeles as the first test of the model. They were both excellent. Sadly, they were so different that it was impossible to tell which port was more at risk and hence which one needed the funding most of all.
ISO31000 is my pick because it supports an apples for apples comparison.
Managing personal career risk – why do our leaders make such (seemingly) misguided decisions?
Why do our bosses and politicians allocate resources to some items and not to others that are, blindingly obviously, of more concern? This question has intrigued me for years, and I think I’ve come to some sort of understanding on the contradictory nature of some of these complex questions. The answer is – as you’d expect – not so simple. But it’s not that complicated either; it is, however, the 'elephant in the room' when it comes to modern risk management.
Advanced Risk Modelling
How to crunch the numbers and come up with reliable risk modelling using statistics, Monte Carlo modelling and more - without having to do a PhD in statistics or spreadsheets. And yes, there are some relatively easy ways to get reliable data. It all starts when you change the mindset from a statement of "we don't have enough data to model that" to "what data do we actually need, what do we already have and what can we inexpensively source?"
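A worked illustration of the Monte Carlo approach, added here and not part of the original post: instead of a single "likelihood x impact" score, the model below asks for only two pieces of data a team can usually source or estimate (how often an event happens per year, and a median loss per event with a spread), simulates many years of compound losses, and reads off the expected annual loss and the loss that is exceeded only one year in twenty or one in a hundred. The frequency and loss parameters are constructed sample values; the Poisson frequency and lognormal severity distributions are modelling assumptions chosen for the example, not something the post prescribes.

```python
"""Monte Carlo annual-loss model: Poisson event frequency, lognormal loss per event.

Added example; not from the original post. All parameter values are constructed.
"""
import math
import random
import statistics


def poisson(lam, rng):
    """Knuth's method: number of events in one period for a mean rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rate, median_loss, sigma, trials=20000, seed=1):
    """Return a sorted list of simulated annual losses, one per simulated year.

    rate        -- expected number of loss events per year (Poisson mean)
    median_loss -- median loss per event; the lognormal median is exp(mu)
    sigma       -- spread of the per-event loss on the log scale
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        n_events = poisson(rate, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    losses.sort()
    return losses


def percentile(sorted_values, q):
    """Value below which a fraction q of the simulated years fall."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def summarize(losses):
    """The figures a decision maker actually asks for."""
    return {
        "expected": statistics.fmean(losses),          # average annual loss
        "p50": percentile(losses, 0.50),               # a typical year
        "p95": percentile(losses, 0.95),               # exceeded one year in twenty
        "p99": percentile(losses, 0.99),               # exceeded one year in a hundred
        "prob_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


def expected_annual_loss(rate, median_loss, sigma):
    """Closed form for the same model: rate * mean of the lognormal. Used to sanity-check the simulation."""
    return rate * median_loss * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    # Constructed scenario: about two loss events a year, median 50,000 per event.
    years = simulate_annual_loss(rate=2.0, median_loss=50_000, sigma=0.8)
    for name, value in summarize(years).items():
        print(f"{name:>12}: {value:,.2f}")
    print(f"  closed form: {expected_annual_loss(2.0, 50_000, 0.8):,.2f}")
```

The closed-form check matters: if the simulated mean drifts away from rate times the mean per-event loss, the model or its inputs are wrong, and that is worth knowing before the p95 figure turns up in a funding request. Swapping the constructed parameters for frequencies taken from incident records and loss figures from past claims or vendor quotes is the "what data do we actually need" step.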