I’ve written elsewhere about how you need to have a clear idea of what you’re trying to achieve with your risk assessment and to get everyone onto the same page. Without this kind of understanding, it’s very unlikely that you will complete the assessment in the time available. Even if you do, you might not have answered the original question.
So you need to plan your assessment properly but what does that look like?
Here’s a short five-step process to make sure that you are well-prepared for your assessment before you ask the first question or open up a spreadsheet.
Get a free project planning worksheet here
Establish the objectives, scope and parameters
This begins with answering ‘the big question’: what’s the assessment for? Ensure that you are clear about the overall objective of the assessment and its scope. Know what it’s for, what you need to cover, what you need to omit and who the client is (even if that’s someone internally). This is going to set the scene for the whole assessment and any inaccuracies or misunderstandings here could doom the whole project before you start.
At this stage, you also need to confirm the project manager, the budget and the timeframe. The project manager may well be you, but there might be someone else overseeing the whole project that you need to report to.
As far as budget and timeframe are concerned, you need to look at these in the context of the scope of the assessment. Might travel be required to allow you to interview key people? If so, is that feasible? Do you need to use a consultant?
And what about time? Two months might be sufficient for a risk assessment but what if a major event is going to dominate the first month and the whole executive team will be unavailable? What about holidays? Think about both the total amount of time available and the amount of useable time you have.
You will have time to review and revise the project plan later but start to think about these issues of time and budget now.
Confirm your project team and the assistance available
Know who will be able to assist you throughout the process and who you can call on for specific support. This group will break down into permanent team members and occasional team members.
Permanent members are those who are going to participate in each step of the assessment even though they probably conduct other work activities in-between. This group is your core assessment team.
Occasional members are those you only need from time-to-time. For example, you might want a particular specialist to help with a set of technical interviews or someone to help with administration or to compile the final report.
Make sure that you have the authority and permission to use these people’s time and also check that there aren’t any scheduling conflicts during the assessment timeframe.
Think about the assessment structure
You won’t need to apply the assessment structure for a while yet but have this conversation now.
- How are you categorizing things?
- What methodology are you using?
- What’s the grading system?
Working this out now will avoid having to have a big discussion later, probably at the point where you ought to be compiling the assessment. It also makes sure that everyone is on the same page before you start.
Consider your information sources
Documents
A good place to start is at the top: the annual report or ‘About Us’ page, and then work down. Compile a list of the documents that are relevant to the assessment. Annual reports and strategy documents are useful to set the scene before you get into the specific policies and plans that are relevant to the assessment. You don’t need to gather the documents now, just work out what you need and start to think about where you can get these.
One point: I would avoid reading old risk assessments at this stage as these might influence your thought process.
People
Interviews are a great way to really understand the organization and are key to a good assessment. Plan to interview as many people as time allows, but you need to prioritize these. Focus on the key leadership positions, subject-matter experts and the owners of the parts of the organization that the risk assessment touches. If you have time, speak to people involved in the activity you are considering or those with a lot of experience in the business, as these will give you additional insights.
Write up your project plan
The last step is to pull all of this together into a project plan. This doesn’t need to be complicated, just a summary of what’s laid out above will be sufficient. If you use a specific project-management process or tool in your organization, take all the info you have and apply it there.
Get your project planning worksheet here
And that’s it. This isn’t a lot of work and I guarantee it is time well spent.
So if you’re tempted to jump right into the assessment without planning, don’t. Assessments are hard enough to get right as it is and delivering on time and within scope can be even harder. Not having a plan up front is just going to make your life more difficult so spend 45 minutes or an hour now planning things out.
And remember, even if you have a plan in your head, there’s a team and a sponsor who are also part of this project. Writing things down gets everyone on the same page and will avoid a lot of heartache later on.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.
Andrew has distilled these experiences down to first principles to develop the KISS Risk Management framework, a straightforward, effective and robust approach to risk management. This aims to make high-quality risk management tools, resources, and training accessible to as many people as possible, particularly those starting out in the field of risk. He has also developed the dcdr.io risk management software platform and several online assessment tools to complement the KISS framework.
Andrew has an MSc in Risk, Crisis and Disaster Management from Leicester University and has written articles for several publications including the RUSI Journal, ASIS Security Management Magazine and the International Association of Emergency Managers Bulletin.
Email – andrew@andrewsheves.com
Website – https://andrewsheves.com
Software – https://dcdr.io
Linkedin – https://www.linkedin.com/in/sheves/