It is fair to say that, these days, most medium to large organisations will have some form of formal risk management process. It is also fair to say that most of these organisations generally view these processes with some suspicion as, deep-down, they don’t believe that the effort involved is returned in value delivered. Why is this?
There are, of course, many reasons, but here are just a few that we have seen frequently:
- Risk statements are captured which are too generic to communicate the real concerns (e.g. “insufficient resources”) and therefore cause confusion and give no insight to guide risk action planning. This furthers the perception that the risk process is not adding value. At the opposite end of the scale, some risk statements may resemble essays and therefore never get read properly or actioned.
- Any quantitative analysis (including any attempts to quantify impact and probability) is often based on wild numerical guesses and leads to incorrect prioritisation and therefore inappropriate action. Subsequently, people tend to concentrate on the risks that they can quantify (eg contractual penalties, direct cost of resources) and play down risks that have “softer” impacts that can’t be quantified (eg impacts on quality, relationships or reputation) which ultimately may have a far greater impact.
- Qualitative analysis is often based on high, medium, low type scales that can lead to a default rating of medium risk exposure for just about everything. This of course leads to inappropriate prioritisation so that it is impossible to “see the wood for the trees” (eg high impact x low probability = medium risk exposure).
- Typically, the risk analysis results in very little real action other than work that was already planned and therefore the process is obviously not valued by the team. In addition, the actions required to manage the risks are not specific and therefore not followed through.
These problems can be addressed with a carefully considered methodology. That methodology must take care to look at the assumptions underpinning the venture. Over many years, our Strategic Delivery Assurance (SDA) process has been used as assurance to save many programmes which could have failed. We have found this methodology brings a robustness to risk analysis of a wide variety of programmes – more info here.
If you find yourself in an organisation with an established risk management process, look very carefully at the above points and be honest if you are falling into these bear traps and pit falls.
For more information on how our SDA works click here – https://www.de-risk.com/strategic-partners/