#55 – RISK ASSESSMENT LESSONS LEARNED – GREG HUTCHINS

Greg Hutchins pixWe have been conducting risk assessments in a number of sectors from homeland security to pension funds to parks and recreation departments.  We have had hard lessons learned.  These are some common mistakes we have made and seen:

  • Lack of a common definition of critical risk terms.  This is probably the number 1 challenge we have seen in conducting risk assessments.  Everyone seems to have a different context, point of view, definition, and understanding of critical terms such as even some basic terms of what is a risk.  The fix is to develop a common risk taxonomy, framework and dictionary of risk.
  • Lack of senior management or executive support for the risk assessment.  If a risk assessment is perceived as a low level activity or special project, then these can be early indicators of failure.  The key is to have executive management support and follow a top-down or Enterprise Risk Management approach.
  • Lack of established ground rules for conducting the risk assessment.  Without a set of commonly accepted and understood ground rules, the risk assessment process will get bogged down in disagreements, circular arguments, and positioning and posturing.
  • Lack of cultural or context understanding of the organization, function, or process being risk assessed.  Once, a friend of mine told me that understanding context is worth 20 IQ points.  I puzzled over this for a while but understood clearly when we were conducting risk assessments of organizations that had opaque cultures and we are wondering why our estimates for the risk assessment were clearly wrong.  We simply did not understand the culture and the context of the organization and we hadn’t included the right stakeholders in the risk assessment.
  • Lack of understanding of the end purpose of the risk assessment.  Deming said: “Drive out fear.”  He was absolutely right.  We did not understand how the risk assessment was going to be used and the fear that was engendered.
  • Lack of technical understanding of the organization, function, or process being risk assessed.  It is very difficult to establish a peer level dialogue for risk-based problem-solving and risk-based decision-making  if the risk assessment facilitators are not perceived as peers by the process owners.
  • Lack of involvement of critical  risk assessment stakeholders.   While we planned the risk assessment carefully using a structured framework, we missed  and did not consult with critical process owners.  Huge mistake.  Critical process owners thought we were disregarding their expertise and dismissing them.  The result was the risk assessment took much longer than we anticipated and budgeted.

Lesson Learned:   Address each of the above challenges that are relevant to the organization being risk assessed.  This will help ensure that you have a realistic expectation of what is involved and ensure that you have a successful risk assessment and happy client.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com

WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books available on all platform are shown below:

Leave a Reply

Your email address will not be published. Required fields are marked *