In the workplace, people rarely think they’re infallible. We can have an optimism bias whenever we’re trying to do anything. This is a great mindset when trying to learn how to ride a bike, but not so great when it comes to trying to practically figure out what might go wrong and what we have in place to ensure things go right.
People don’t intentionally ignore problems. They’re faced with a huge number of factors, scenarios, things that could go wrong and multiple voices from different stakeholders, and all of this can add up to a huge ball of wibbly-wobbly confusion. It can be easier to just focus on the straight line to the end point and ignore that the road is running towards a sheer cliff.
Of course, that usually means that risks are not identified, controls are not improved, and we end up facing an avoidable problem.
So, what can you do to mitigate risk?
Option 1 is to wait for the Doctor to take you away on a whirlwind adventure. This could also be termed avoiding the risk. I’m still hoping for that to happen, but I’ve started introducing myself as Doctor Hu (Who) to see if that speeds up the process.
Option 2 is a bit more realistic. These are five things I’ve found useful to keep in mind when trying to improve risk management.
Keep the end point in mind
We don’t manage risks to comply with a policy or to fill in a template or even to satisfy the Audit Committee. We manage risks because it helps us make better-informed decisions.
Whenever you’re undertaking a risk assessment, ask yourself if the approach you’re taking is resulting in any tangible improvements or if it is just resulting in more paper labelled ‘risk plan’ and ‘risk assessment.’
- Have we made any decisions as a result of the risk assessment?
- Are we doing anything differently?
- Have we accepted any risks?
If the answer is ‘no’ to all three questions, chances are you don’t have a useful risk assessment that adds value.
At Noetic, we’ve found that focusing on critical controls is a good way to keep the end point in mind. For more on this, read our paper on Keeping Risk Under Control, which provides more detail on the critical control approach.
No decision is still a decision
“Sometimes the only choices you have are bad ones, but you still have to choose,” The Twelfth Doctor.
Thankfully, most of us aren’t faced with life-and-death decisions, but we’re usually expected to make decisions about risks daily.
When faced with risk information, not making a decision can be worse than making the wrong decision.
It can be tempting to continually ask for additional information and more context. Our environment is always changing so why wouldn’t you want to make the decision using the most relevant information? Sometimes, you need to make a decision based on the best available information at the time, even if it is imperfect.
Adapt your messaging to your audience
If you were a physicist, you wouldn’t explain the concept of string theory the same way to a colleague as you would to a first-year university physics major or your 10-year-old child. Yet we often try to explain risks and risk management in the same way to senior leaders as we would to operational teams.
If you explain why risk management is important to somebody in your team, you must explain what it means for their role and that of the rest of the team. It can be tempting to only explain the overall benefits of risk management to your organisation, but that’s unlikely to resonate if you don’t also explain the direct impact to them.
Similarly, if you’re trying to describe specific risks to senior leaders, you must give them a snapshot of ‘how worried they need to be about each risk’ and then the ability to drill down into details, if necessary.
More is not necessarily better
How many times have you seen a 50-page risk assessment? A 100-page risk assessment? A 300-page risk assessment?
A longer, more complex risk assessment isn’t just difficult to read; it can actively mislead people into thinking that the risks are better controlled. True skill, by contrast, comes in being able to simplify a complex topic enough so that it can be understood by most people.
The same rule applies to risk policies, processes and frameworks – a policy document shouldn’t be lengthy. The longer it is, the more likely it is that the document is prescriptive, which limits the usefulness of risk management.
Risk tools are simply enablers
A risk matrix, a control profile, a risk bowtie, a fishbone diagram, the barrier model – these are examples of tools to help us manage risks better. They exist to help us structure our thinking and document things in a consistent manner. Each tool serves a specific purpose and has its advantages and disadvantages.
For example, the purpose of a risk matrix is to prioritise risks in a more consistent manner so that you know where to focus more effort. It’s an easy tool to use. It can be tempting to think of it as a scientific methodology, but there is usually very little direct evidence that goes into the colours behind the heatmap or the definitions of likelihood and consequences.
Even a well-designed risk matrix can be interpreted differently by different people. However, if you are aware of the limitations and if the risk matrix helps prioritise risks in a more consistent way than mere guesswork, then it can still be useful.
Applied correctly, each risk tool can have its place; however, if applied incorrectly, it can mislead the user and make it harder to make better-informed decisions.
The above five tips are not a universal panacea for poor risk management. However, if you use them as a guide, they will ensure you move in the right direction.
And I’ll leave you with a quote from one of my favourite Doctor Who characters: “You’re not gonna make the world any better by shouting at it!” Wilfred Mott.
You need to actively work to make the changes you want to see.