The risk assessment lies at the core of risk management. Without a clear understanding of the risks faced, none of the other risk management activities can be undertaken, meaning that the organization will remain reactive instead of taking proactive steps informed by risk-based decision making. However, risk assessments can become hugely complex, sometimes becoming the only risk management activity that is undertaken, as organizations are exhausted by the assessment process and never conduct any of the follow-up activities. Detailed here is a four-phase risk assessment process that can be used for most non-technical assessments.
The risk assessment process
There are many different types of risk assessment methodology (ISO recognizes over 30) ranging from very straightforward cause and effect models to more complex, data-driven methods. Many of these are very specific methodologies designed for specific situations, but a basic cause and effect model will suit our needs as this can be applied in most non-technical situations. However, in addition to a methodology, we also need a risk assessment process to guide us through the assessment from start to finish. The following four-stage approach – 1 Prepare, 2 Understand, 3 Assess and 4 Report – can be used in most situations with the applicable methodology inserted into the Assessment stage. These four stages of the process are shown below.
This essay works through these four stages explaining the key steps while trying to highlight some of the considerations to bear in mind while conducting a risk assessment. During the Assessment stage, we will also expand on the risk = threat x vulnerability x impact model we discussed earlier using this as the basis for our assessment methodology in a cause-effect model.
However, before we go any farther, it’s time you met Bob.
Bob is the Health, Safety and Environmental (HSE) manager for XYZ Widget Co, a small manufacturer of high-specification widgets, primarily for the oil and gas industry, based in Houston, Texas with a small facility in Janwick, a small country in West Africa. One afternoon, Bob calls in to see the CEO for their weekly safety round up and, after chit-chat about things in general, Xavier the CEO asks Bob how he feels about taking on a little project. Bob smiles – he has known Xavier for years and knows that this usually means the project is anything but little – and simply says, “Sure. What do you need, Boss?”
Xavier leans back and launches into his story. “So here’s the deal, Bob. I was speaking to some investment folks the other day and they were interested in our little business here, nothing to write home about yet but we had a good get-together all the same. But there was one thing that was bugging me afterwards – one of these fellas asked me what kept me up at night. Well, that stumped me a bit, as I have to confess I sleep pretty well when my back’s not bothering me, so I just replied that the Texans starting line-up always causes me some anxiety and we had a good laugh. But here’s the thing Bob, I’m getting asked this kind of question more and more and I think we need to have a better handle on our risks. I think we manage things pretty well and are good at firefighting when things go wrong but I think we need to formalize this a bit. Could you put together a risk assessment of the business for me?”
After a bit more discussion, Bob heads back to his office knowing three things about the project: he needs to conduct a risk assessment, he has three weeks to do it and he has no idea what that entails….
Now, Bob is fictitious, but there are plenty of Bobs out there (some of you might recognize this situation – I certainly do) so we are going to use Bob’s project as a way to put some meat onto the bones of what would otherwise be a relatively dry topic. For now, let’s leave Bob in his office Googling ‘risk assessment process’ and look at the first stage of the process in detail.
Phase 1 – Preparation
The first phase of the risk assessment process is Preparation, as you need to understand exactly what it is you’re trying to achieve with the assessment, in addition to the resources available to you and any limitations there may be. During this phase, you will also be considering the information required and where to obtain it from. You don’t necessarily need to start gathering information at this point, but – for example in the case of interviews with senior leaders – some information gathering may have to be arranged well in advance. Finally, this phase also ensures that you understand the context in which the assessment is being undertaken. For instance, conducting an annual risk review assessment in an organization where things are running smoothly is a very different situation from a pre-acquisition assessment of an organization that is being taken over.
Some of these elements have already been covered in the WDYMB…Understanding? article but the two key steps in the preparation phase are:
- Establish the objectives, scope and parameters. Ensure that you are clear about the overall objective of the assessment and its scope because, without clarifying these, it will be very difficult to achieve the overall objective. At this point, you also need to confirm the final user of the report (the client), the project manager if applicable, the assessment team, budget and timeframe. Budget and timeframe are the main parameters but there may be other restrictions that might affect how you conduct the assessment.
- Develop an assessment project plan. Once the objective, scope and parameters have been identified, a simple project plan for the assessment can be developed. This should break down the key work streams, outline a project timeline and delegate tasks to team members. A project plan also helps identify any critical information requirements that may have long lead times. Again, it may be necessary to schedule interviews or site visits well in advance and this should be considered while agreeing to project parameters.
As with most things, a well thought-out plan provides a solid basis for the assessment and helps keep the focus on the overall objective whilst still remaining mindful of the parameters of the project. With that in place, it’s time to check back in with Bob.
Bob has made good progress since his meeting with Xavier. He came across an excellent risk assessment process guide online (one that looks a lot like this…) and has decided to use that as a road map for his assessment. He has put together a few bullet points as far as a project scope and plan and agreed these with Xavier as follows:
Objective: To provide a top-level assessment of XYZ Co’s risks in order to assist the CEO in determining any areas requiring particular attention in the next financial year.
Scope: All of XYZ Co’s business activities, concentrating on the company’s top-level objectives.
Parameters: The assessment will cover the whole organization, but no travel is budgeted for trips to other XYZ Co sites. The assessment will be reviewed by the senior leadership team in three weeks. This is an internal assessment and the HSE Manager is the lead on the project.
Bob also asks Xavier to send a note to all the senior leaders and department heads explaining that Bob is conducting this assessment on the CEO’s behalf and requesting their cooperation. He maps out a rough timetable: week one focuses on understanding, week two is set aside for drafting the assessment and a first review, and the final week is set aside for follow-up, revisions and a workshop with the senior leadership team to review the final report. Bob has already been able to book time in people’s schedules for interviews and he plans to get these done by the end of week one to leave plenty of time for follow-up.
Feeling that he is making good progress, Bob now turns his attention to the Understand stage.
Phase 2 – Develop understanding
Before the assessment itself can be completed, it is necessary to develop a deep understanding of the organization, its operations, operating environment and the challenges it faces. This understanding will be based on reviews of the organization’s own documents, staff interviews and open-source research. The existing knowledge of the project team will also be useful but care should be taken not to bring pre-conceived ideas or biases into the risk assessment process. At this stage, the focus is on gathering facts and data.
The specific information requirements you have will depend on the purpose of the assessment but, in general, you are trying to understand:
- The organization’s goals and objectives
- Its structure and individual roles and responsibilities
- What ‘normal’ looks like
- The critical processes
- Risk attitudes, tolerance and appetite
- The operating environment and likely threats
- Sensitivities and potential conflicts / road blocks
- Any changes to ‘normal’ and how these might affect the organization.
This level of understanding is probably enough to begin to populate the assessment itself but you will find that as you dig into one area, additional questions will arise so keep asking ‘why?’ and ‘so what?’ to ensure that you really understand the organization before you start the Assessment phase.
Bob has worked with XYZ Co for several years but even though he interacts with everyone in the business as HSE manager, he still needs to learn more about some of the functions and departments. He draws up a list of documents he wants to review before he starts his round of interviews and also runs a few different searches on the main trade news sites and some general Google searches on XYZ Co to see what other kind of stories come up. Finally, he realizes that he doesn’t know very much about the facility in Janwick other than their day-to-day operations so he adds that to his list of information requirements. He aims to get all of this research completed by the middle of week one as his interviews are scheduled for Thursday and Friday of that week.
How you go about gathering information is largely down to personal choice but it can also be based on availability: sometimes you just have to begin with what is available. Personally, I prefer to start with a top-level document review of the whole organization. Even if I’m focused on one activity or a single project, I find this helps put everything into context. This would include looking at the organization’s overall structure, where it operates, reviewing top level policies and procedures, reading recent annual reports and conducting open source searches for news about the organization. Once I feel that I have a general understanding of the overall organization, I will then start to draw up the specific information requirements I think I need to meet the assessment’s objective. Throughout this research, I try to keep detailed notes and list key observations or additional information requirements I identify. This will be a great help later but I try to avoid drawing any conclusions at this stage.
Once you have completed the basic document review, you can move on to the interview phase. I recommend researching before interviews whenever possible as you might otherwise find that you have too many knowledge gaps to be able to conduct an effective interview. Interviews are an opportunity for you to help fill in gaps you have after the document review and then get a better idea of what issues people have and their concerns. Care should be taken here as simply cataloging people’s concerns will just give you a fear registry so make sure you dig deeper. Nevertheless, understanding people’s concerns can often explain why a seemingly disproportionate amount of time or effort has been focussed on one area rather than another. Again, during interviews keep detailed notes, because you will want to refer to these later. Quotes can be used anonymously in reports to allow people greater freedom to be forthright. I also recommend that you have a basic script for each interview and ensure that you cover the same core questions each time; I have found that this kind of repetition can generate interesting results.
Throughout the understanding phase, and indeed the whole risk assessment process itself, it is important to remain curious and somewhat skeptical so ask yourself, ‘so what?’ and ‘why?’ a lot. This isn’t suggesting people are misleading you – although that can happen – but you are trying to identify gaps, discrepancies and matters that might be overlooked otherwise. Unless you ask ‘why?’ or dig a little deeper, you will end up with a superficial perspective on the organization’s risks and more complex, less obvious, but nonetheless critical risks might be overlooked.
Putting this into practice – what Bob did
Feeling confident that he has a better understanding of the company as a whole, and armed with an interview ‘script’ and set of specific information requirements, Bob starts his interviews on Thursday. He plans to start with a bottom-up approach, speaking to the managers in each department before he speaks to the COO (Yasmin, Xavier’s daughter) and the Sales, Strategy and Marketing (SSM) Manager (Zack, Xavier’s son).
The XYZ Co Org Chart
He splits each interview into three parts. First is a general set of questions to clarify the exact role of that individual and department, how that function supports the overall organization and what the department’s key objectives are. Throughout this first part, he uses follow-up questions to close any information gaps remaining after his research. Once he is comfortable that he understands the department’s role and function, he asks about areas of concern and previous events to determine what kind of threats the department faces and how these might affect the business. Finally, he asks about the measures they have in place to prevent or respond to events.
He finishes his interview with Zack at 4:00pm on Friday and heads back to his office, dropping his notepad onto the growing pile of documents he has gathered for the assessment. He remembers that he still has to finish his weekly safety summary report so he puts the risk assessment aside for now and gets to work on his routine reports. At around 5:00pm he hears a knock and looks up to see Xavier at the door. The CEO looks around Bob’s office and sees the growing piles of paper.
“I guess that wasn’t such a little project after all. What do you say you just send me the draft of the weekly safety report now and call it a day? I can finish that up myself and let you get off.”
“See you Monday,” Xavier calls over his shoulder as he heads back to his own office.
Bob doesn’t need to be asked twice. He hits ‘send’ on the report and heads out the door before the CEO changes his mind.
Phase 3 – Structure and complete the assessment
Once all the information has been gathered, the assessment itself can begin. The first action is to ensure that there is a logical structure for the assessment. If a structure already exists, it should be used, particularly if the assessment is meant to draw comparisons with previous surveys, because results produced under different methodologies cannot be compared like for like. At other times it may be necessary to develop a structure from scratch, in which case the project team should begin by brainstorming possible options to determine the most appropriate one. In general terms, there are usually three components to the risk assessment itself: a set of categories to help collate risks into similar ‘baskets’, a methodology for evaluating risk and a grading system to rank these risks. Normally, the assessment is developed as a form or table to help with data entry and manipulation. Once the structure is in place, completing the first draft should be as straightforward as dropping the relevant information into this template and applying the appropriate grade.
Structuring the assessment
Categorization is a simple way to help with the development of the assessment and makes things easier to follow for the reader. Two common methods are to collate threats by type and origin – for example, market, environmental, political – or by organizational function and both approaches have pros and cons. For organization-specific assessments, categorization by department helps align threats to objectives and is also useful when it comes to developing risk treatment plans. For more abstract situations, such as an assessment of a country or region, thematic categories would be more effective.
As noted above, there are multiple different methodologies available for risk assessment. Personally, I like the r=tvi framework where risk is a combination of threat, vulnerability and impact using a basic cause and effect model, similar to the risk bow-tie. (This is explained in more detail in the WDYMB…Risk? essay.)
Once a methodology is agreed, we need some way to evaluate and grade risks so we can then categorize or prioritize them. This can be achieved using descriptive statements, e.g. high / medium / low, color coding such as a red / amber / green system or with a numerical scale. We can use a combination of descriptive, qualitative statements and associated values to develop a set of ‘scores’ that allows us to put risks into order. As I have noted previously, I do not believe it is possible to measure risk so care should be taken to avoid any system that appears to give a precise measurement for risk (for example saying X% risky) as I feel this can be misleading.
Bob is well-rested on Monday and is actually excited to get back to the risk assessment. He has put aside that morning to set out the structure for the assessment and begins by considering the categories. He feels that a functional structure will be easiest as both a way to complete the assessment and as a way to present the results. He ends up with this basic template into which he can begin to insert and grade individual threats.
Bob’s blank template is shown below. (This is also available as a template here.)
Again, Bob is keen to keep things simple so he is going to use the r = tvi method and apply a high / medium / low scoring system. He is also going to color code the results as he feels that this will give him a lot of options for differentiating between high and low priority risks when he presents the assessment results.
I believe that assessments should be as objective and as evidence-led as possible, but you should not try to get all the evidence into the main assessment table as this can make things unworkable. Rather, I recommend keeping the entries in the assessment as clear and succinct as possible, but supporting these summary statements with a clearly documented set of references. For example, if an event would result in a 48 – 72 hour production delay, you don’t need to include a full explanation of why that is the case, but the report should cite a reference or help the reader find that explanation in the annexes. The next section on risk reporting will give some additional thoughts on how to describe a risk in a way that can be used in the assessment form itself.
Putting this into practice – what Bob did
Now that the template is complete, Bob clears the rest of his normal Monday work schedule and blocks off Tuesday just to concentrate on completing the template. At first, he struggles a bit, trying to get too much information into the template but he reminds himself of the old adage ‘KISS: keep it simple, stupid’ and finds that this makes the whole risk assessment process easier. He has a comprehensive set of notes from his research and the interviews, so it is easy for him to insert references and explanations in an Annex document so he can keep the main assessment document simple and straightforward.
By Tuesday lunchtime, he is slightly surprised to see that he has pretty much completed the draft assessment. There are a couple of outstanding items that don’t quite make sense and he wants to follow up with some managers to clear those up. He schedules quick follow up meetings with the relevant individuals and sends Xavier a quick note to report on how things are going and to set up a review meeting for that Friday morning.
“Time for the XYZ Co Risk Manager to grab some lunch,” he thinks to himself.
Phase 4 – Complete the Report
Risk assessments are decision-making tools so we need a way to share the final report with the client and a wider audience in the organization.
Structuring your report
Spoiler! Risk assessment reports might not be the most exciting document someone finds in their inbox so you need to think about how to make this as accessible and easy to use as possible without dumbing the whole thing down. Four techniques can assist with this.
- Firstly, use descriptions that are consistent throughout and explain these as early in the report as possible. If you use a grading system, ensure that readers understand what that is before they read the report, but again, keep it simple.
- The next step is to use natural language and a format for describing a risk that is easy to read and understand. Risk descriptions can become tortured, complex phrases loaded with double negatives and weird syntax so find a way to represent the risk and its component parts in a format that is easy to understand. You can use the same language in the assessment template which also makes the compilation of the risk description much easier. I try to reflect the r = tvi formula in the description but move things around a little to make the description flow more easily. This structure also presents the key information as early as possible: what is generating the risk and how severe is it. As an example, here is a threat as it is laid out in Bob’s template followed by a summary description that he included in the main assessment report.
Risk: Civil unrest in Janwick, HIGH
Description: XYZ Co faces a HIGH threat [severity description] due to the potential for civil unrest in Janwick [threat description] which could have a HIGH impact on our global supply chain as our key manufacturing sites are concentrated there [impact statement and explanation]. The firm has MEDIUM vulnerability to civil unrest as our local safety and security arrangements were designed when the country was peaceful and have not been updated to address the deteriorating security situation [vulnerability statement].
- Third, ensure the reader can find the key information as easily as possible. To assist with this, think about putting the key risks – those with the greatest severity that should be prioritized for action – up front in an executive summary. You can also list risks in their descending order of severity to ensure that the key risks aren’t buried in an alphabetized list. It can also be helpful to bundle the risks by category so the ultimate risk owner can find the items that he or she will have to address. You can either structure the report this way or have a tabulated list that readers can use to easily find the risks that they are particularly concerned about.
- Finally, include the necessary references to help readers understand the basis for the ratings and comments given in the assessment. This is important when you are developing a treatment plan, as the user will need to get into the root causes of the risk to develop it. Anyone conducting a risk review later will also need to see the rationale for your work. Wherever possible, use links, summaries and annexes to keep the report as user-friendly as possible, but also be mindful of confidentiality, especially for comments made in interview. Using quotes to back up observations can be useful, but ensure that these don’t become a source of friction or contention, which can rob the observation of its value.
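To make the grading and description steps concrete, here is an added Python example (my own illustration, not code from the essay or from any tool it mentions) that encodes one row of Bob’s template as a record, combines the three r = tvi grades into an overall HIGH / MEDIUM / LOW grade with its red / amber / green colour, renders the description in the order shown above, and orders and bundles the register as the third technique recommends. The ordinal product and the bands that map it back to three grades are my assumptions, as are the field names and the annex references; the two additional XYZ Co rows are constructed for illustration and only the Janwick row comes from the essay.

```python
from dataclasses import dataclass

# Ordinal grades for the three r = tvi components. The essay names only the
# high / medium / low grades and the green / amber / red colours; mapping the
# grades to 1..3, multiplying, and banding the product back into three grades
# is this example's own assumption, not a rule from the essay. The product is
# never shown to the reader, only the resulting grade, so no spurious
# "X% risky" figure is produced.
GRADE_VALUE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
GRADE_COLOR = {"LOW": "green", "MEDIUM": "amber", "HIGH": "red"}


@dataclass(frozen=True)
class Risk:
    """One row of the assessment template (field names are this example's)."""
    category: str            # organizational function that owns the risk
    title: str               # short label used in the register
    threat: str              # HIGH / MEDIUM / LOW
    vulnerability: str       # HIGH / MEDIUM / LOW
    impact: str              # HIGH / MEDIUM / LOW
    threat_desc: str         # "due to ..." clause
    impact_desc: str         # "which could have a <grade> impact ..." clause
    exposure: str            # what the firm is vulnerable to
    vulnerability_desc: str  # "as ..." clause explaining the vulnerability
    reference: str           # pointer into the annex, not the evidence itself


def check_grade(grade: str) -> str:
    """Reject anything other than the three agreed grades at data entry time."""
    g = grade.strip().upper()
    if g not in GRADE_VALUE:
        raise ValueError(f"unknown grade {grade!r}; use HIGH, MEDIUM or LOW")
    return g


def severity(threat: str, vulnerability: str, impact: str) -> str:
    """Combine the three components into one overall grade (assumed banding)."""
    product = (GRADE_VALUE[check_grade(threat)]
               * GRADE_VALUE[check_grade(vulnerability)]
               * GRADE_VALUE[check_grade(impact)])
    if product >= 12:
        return "HIGH"
    if product >= 4:
        return "MEDIUM"
    return "LOW"


def describe(risk: Risk, org: str = "XYZ Co") -> str:
    """Render the natural-language description in the essay's order:
    overall severity, threat, impact (with explanation), then vulnerability."""
    sev = severity(risk.threat, risk.vulnerability, risk.impact)
    return (f"{org} faces a {sev} threat due to {risk.threat_desc} "
            f"which could have a {check_grade(risk.impact)} impact {risk.impact_desc}. "
            f"The firm has {check_grade(risk.vulnerability)} vulnerability to "
            f"{risk.exposure} as {risk.vulnerability_desc}.")


def prioritise(risks):
    """Executive-summary order: most severe first; ties keep template order."""
    return sorted(risks, key=lambda r: -GRADE_VALUE[severity(r.threat, r.vulnerability, r.impact)])


def by_category(risks):
    """Bundle risks by owning function, each bundle still in severity order."""
    bundles = {}
    for r in prioritise(risks):
        bundles.setdefault(r.category, []).append(r)
    return bundles


def register_lines(risks):
    """One summary line per risk for the tabulated list at the back of the report."""
    lines = []
    for r in prioritise(risks):
        sev = severity(r.threat, r.vulnerability, r.impact)
        lines.append(f"{sev:<6} ({GRADE_COLOR[sev]:<5}) | {r.category:<10} | {r.title} | see {r.reference}")
    return lines


# Constructed sample rows for the fictional XYZ Co: the first reproduces the
# Janwick entry from the essay, the other two are invented for illustration.
SAMPLE_RISKS = [
    Risk("Operations", "Civil unrest in Janwick", "HIGH", "MEDIUM", "HIGH",
         "the potential for civil unrest in Janwick",
         "on our global supply chain as our key manufacturing sites are concentrated there",
         "civil unrest",
         "our local safety and security arrangements were designed when the country "
         "was peaceful and have not been updated to address the deteriorating security situation",
         "Annex B.3"),
    Risk("SSM", "Loss of a key oil and gas customer", "MEDIUM", "LOW", "HIGH",
         "concentration of revenue in a small number of oil and gas customers",
         "on annual revenue as two accounts make up most of our order book",
         "customer loss",
         "multi-year contracts are in place with both accounts and a pipeline of new customers is being developed",
         "Annex C.1"),
    Risk("HSE", "Forklift collision in the Houston warehouse", "MEDIUM", "LOW", "LOW",
         "frequent forklift movements in a shared loading area",
         "on operations, limited to a short stoppage while the area is cleared",
         "vehicle incidents",
         "segregated walkways and refresher training were introduced last year",
         "Annex D.2"),
]

if __name__ == "__main__":
    for line in register_lines(SAMPLE_RISKS):
        print(line)
    print()
    print(describe(SAMPLE_RISKS[0]))
```

Running the script prints the register in severity order followed by the Janwick description, which matches the wording in Bob’s report above word for word. Keeping the evidence behind a `reference` field rather than in the row itself is the same discipline the essay recommends for the annexes: the table stays readable and the rationale stays traceable.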
Presenting, reviewing and revising the report
To mangle Churchill, this is not the end of the assessment but it is the beginning of the end. We now have the initial report, but it needs to be reviewed and there are two objectives here.
Firstly, there are likely to be mistakes in the report: items you overlooked or information that was recorded incorrectly. You obviously don’t want to issue a report with typos or incorrect calculations, but a detailed risk assessment will be the product of hundreds of hours of work, a review of thousands of pages of material and dozens of interviews. I have even been involved in assessments where the organization itself was changing during the assessment so we had to keep altering terms as we went. The point is that the chances of getting everything 100% correct on the first go-around are (in my experience anyway) slim. This first review is therefore a chance to ensure that you haven’t overlooked anything and to correct any inaccuracies. A good way to do this is to review the draft with the project sponsor or client. If that isn’t possible, have someone else review the report to look for anything that isn’t backed up by data and to question anything that seems out of place.
Bob agrees with Xavier that their Friday meeting will cover both the methodology and the preliminary results of the assessment. Xavier gets a draft of the report from Bob that morning to give him some time to become familiar with it but not so long that he will get into the details without Bob there to explain any methodology questions. During their meeting, Bob tries out some slides he plans to use at next week’s workshop to explain the methodology and the CEO likes the combination of low / medium / high descriptions with the green / amber / red coloring. He also appreciates Bob’s KISS approach – “Good, let’s make sure we can walk before we run!”.
With the methodology covered, they review the initial results and Xavier is generally happy with the draft. He spots a couple of areas where he feels people have exaggerated or downplayed things. Bob still asks the CEO for data to back up his comments and he notes this additional information to help with his final draft.
After a couple of hours, and a lot of coffee, the CEO seems happy with Bob’s work. He stands up and slaps the HSE manager on the shoulder. “See,” he says, “not such a big deal after all. Good work, Bob.”
With that, Bob heads back to his office, pleased that the first review went well, but already thinking about how he will manage the workshop. With Yasmin and Zack in the same room, it is going to be trickier than this last session with their father, but that’s a problem for next week, he decides.
Another reason to review the report is to start to sense-check the results with the organization’s senior leadership and to observe their reaction. Remember, the risk assessment is a decision-making tool, but if the users reject it, it won’t fulfill its purpose. ‘Selling’ an assessment report could be a big topic by itself, but delivering the report in person in a workshop format is better than simply emailing a PDF to the senior leadership team. This will allow you to respond immediately to questions or comments; if you have maintained an objective, fact-based approach, defending anything controversial is relatively straightforward as you have the evidence to fall back on. Finally, this kind of meeting helps gauge people’s reactions to the assessment and you will begin to sense which treatment options might work and which might not.
These workshops can be difficult to manage and take a lot of work to get right, but they are hugely valuable as far as ‘selling’ the assessment and getting the organization to buy in to the results.
Putting this into practice – what Bob did
As Bob expected, the workshop the following Tuesday was harder work than the meeting with the CEO, but he also felt that this wasn’t that different from some of the senior leadership meetings he had attended. Both Yasmin and Zack were good at their jobs but sibling rivalry was a stubborn thing….
Nevertheless, the final result was an assessment they could all agree on and a list of priority risks to address. They started to look at treatment plans but Xavier halted the meeting before they got into too much detail.
“Let’s leave this to soak for a while and let Bob write up the final report. If you can get that done by close of business tomorrow, Bob, then we can get back together at the end of the week and start putting together a treatment plan.”
The meeting broke up shortly after that but not before the CEO and everyone thanked Bob for his work. Yasmin and Zack were particularly complimentary as they had both had risks identified that were more severe than they had previously thought.
After the reviews are over, and you have recovered from the workshop, the final report can be produced, reflecting any changes that are required. You might find that something remains inconclusive even after the review, and this can be noted too. For example, there might be significant disagreement about how effective a particular mitigation measure is and this can be noted in the risk description as a prompt for further action.
After the Assessment
Although the risk assessment is now complete, we are really only at the beginning of the overall risk management process as we now move into the Address stage. Depending on the purpose of the assessment, we might find ourselves immediately developing treatment plans for the most severe risks. Alternatively, a project team might have to re-evaluate some of their planning assumptions if some of the project risks are simply too high for the organization to tolerate. The assessment will also have identified triggers or flags that signal a change or an impending event. These ‘tripwires’ can be monitored to offer some early warning of a potential event and to prompt any response that might be necessary.
You should find yourself referring to this assessment regularly during the Address phase as it is the baseline for modeling how different treatment plans might alter the risk profile. Once treatment plans are in place, you should compare the original assessment to updated results to ensure that risks are being addressed. The assessment should also be reviewed regularly to assess how changes in the situation might increase or decrease a threat and therefore require amended treatment plans. Although the baseline assessment is ‘frozen’ as a record of the risks at that moment in time, reviewing and updating the assessment is an ongoing process that ensures the organization understands its current risks and is not using outdated information for decision-making.
It is important to ensure that managing the risk assessment does not become a business function in its own right. This can lead to the never-ending assessment mentioned earlier, with people becoming risk-fatigued. However, if you can instill the mindset that the risk assessment is a tool to support decision-making, then you can develop a healthy relationship with the risk assessment process which will benefit the organization.
Many of these steps and the resultant stages in the risk management process will be covered in subsequent articles, but for now, that wraps up this How-To. There are many different reasons to conduct a risk assessment, varying methodologies and every organization has its own way of doing business which means that a rigid, one-size-fits-all approach can be hard to apply. However, the framework outlined should provide a guide to the risk assessment process in the majority of cases: stick to these core elements as a start and you can then determine where you need or want to make changes to suit your situation.
That Friday, the final assessment is delivered and they are already at work on a treatment plan for some of the key risks. Bob heads back to his office after lunch and finds a box on his desk. Inside is a set of business cards with an updated title: ‘HSE Manager and Head of Risk’. He smiles to himself as he reads the note taped to the box.
“Good work, Bob. Now I know what I should be worrying about at night! Thanks, Xavier.
PS – Come and see me on Monday as I’ve another little project to discuss…”
Obviously, this is a pretty substantial topic and the essay could have been twice as long, but I hope this puts the risk assessment process into context and gives you a good starting point for your assessments or maybe a few ideas to apply to your existing system.
Good luck to all you Bobs out there.