Managed Luck website by Matthew Leitch (consultant, author, educator, and researcher)
Home / more articles - The author - Contact on your terms - Links - Services


How to run a risk management meeting

by Matthew Leitch, 31 May 2004

Should you read this?
What to expect
How to succeed
Two dangerous syndromes to watch out for
Summary by role

Should you read this?

Read on if you expect to lead or attend a meeting to discuss risks and what to do about them. This does not apply if the meeting is to discuss in detail some risks that have already been defined and analysed.

The ideas here are to help you with important things like getting the meeting finished on time, not wallowing in worries, coping with politics, and still getting useful results. This is not general advice about running meetings. Meetings to talk about risks and what to do about them have special characteristics, so this guide explains what those characteristics are and what you can do about them specifically.

What to expect

Meetings to talk about risks and what to do about them are usually run according to a procedure laid down by your organisation, and the aim is to fill in some forms, usually including one called a risk register. Your organisation's procedures may tell you how to conduct a risk management meeting, but the instructions are probably about how to fill in the form and what the theoretical process of analysis is imagined to be. What you really need to understand is how people typically behave in these meetings, so that it isn't a shock when it happens to you.

Risk management meetings typically have three characteristics that account for most of the behaviour found in them:

Here's what to expect when a group tries one of these meetings for the first time:

By now you're probably thinking "AAAAAAAAARGH! I don't want to have anything to do with one of these meetings." Fortunately, over time the meetings improve and there are things you can do right from the start to get through to a good result. Best of all, people normally say risk management meetings are worthwhile and want to do more, almost regardless of the technical quality of the conversations. It is so rare that people are given a chance to air their concerns or encouraged to take their blinkers off for just a few hours.

How to succeed

Hold on to the thought that most people like risk management meetings. Stay positive and enthusiastic throughout the meeting to set the tone for everyone else. Conversations about risks and what to do about them can be encouraged to flow along productive lines. Here are some suggestions:

Two dangerous syndromes to watch out for

The "everything is about risk" ploy

Sometimes people hit upon a wheeze that enables them to have a risk management meeting easily without coming up with any new ideas. They realise that almost anything can be expressed as if it is a response to some risk and start going through all the things they are already planning to do or wish the organisation would do, justifying them using this trick. For example, suppose we think it would be a good thing to increase customer satisfaction. We write:

I hope you can see without me spelling it out that this is a useless sham. This example is paraphrased from the top level risk register of a leading company listed in the UK, and the other 9 risks in their top 10 were written in the same way.

(Rather than fill the risk register with actions that add nothing new, it would be much more useful to start from the fact that the Customer Satisfaction Programme is on the plan and think about what uncertainties affect its outcome, perhaps changing the programme to make feedback more rapid, include more research, make the programme more flexible, and generally make it more risk-smart.)

We need to be able to spot the "everything is about risk" dodge when it happens, and stop it. It's easy to spot the trick when the wording of the risk set and response makes it blatant by using the form:

It's harder to spot when people disguise the RESPONSE part with things like "Make a plan to do X", "Allocate adequate resources to do X", "A programme to do X" or "Ensure that X is done."

Another way to spot the trick is by considering whether the action would be needed in a world without uncertainty. For example, suppose you are talking about risks on a project and someone suggests "training users to use the new software" as a risk response. If the project was carried out in a very stable and predictable environment, in a world where all our forecasts and plans proved to be correct, would we still need to train users to use the new software? Yes. So this training is not a risk response. We would have to do it even in a world without risk. Would we still have to make a plan to do training? Yes. Would we still need to allocate adequate resources to do training? Yes.

In contrast, but still in a world without uncertainty, would we need to do early trials of the training materials to find out how long training really takes? No! Would we need to test users' knowledge in some way to check that the training has been successful? No! These are actions that our uncertain world makes necessary so they are proper risk responses.

The earlier example of a Customer Satisfaction Programme illustrates yet another way to avoid doing real risk management. The basis of the trick is that a reader cannot say definitely that the item is a sham, because there might be some risk-managing actions within the programme. In this case I suggest being sceptical. An honest attempt at risk management would read very differently.

Death by prioritisation and analysis

Another dangerous syndrome to watch out for usually happens when people feel they are short of time and resources, though it can also be the by-product of the procedure and forms used. Stressed and under pressure our vision tends to narrow. We start asking questions like "What are the really key things we must do?" Good ideas for managing risk that seemed important earlier now seem like luxuries we don't really need, which some of them may be. Encouraged by buzz phrases like "80:20 rule", "prioritise", "focus", and "critical success factors" we eliminate things from task lists. We declare risks to be "within our risk appetite".

This kind of tunnel vision is a route to disaster.

The trouble is that although each of the many things we exclude from consideration is individually insignificant, collectively they are anything but. For example, if you exclude 20 things that each have an independent probability of occurrence of just 2%, this is the same as excluding one thing that has a probability of occurrence of about 33% (1 - 0.98^20 is roughly 0.33). In other words, a third of the time at least one of those 20 very unlikely things will happen. We also tend to evaluate the impact of each risk as if nothing else unexpected happens at the same time.

The importance of a risk set depends in part on how aggregated it is. By the dangerous logic of prioritisation, a risk set that is big and important can be split into a collection of smaller sub-sets that are each small and so individually not worthy of action, even though nothing about the underlying uncertainty has changed.
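The arithmetic behind the two points above (twenty independent 2% risks add up to a one-in-three chance, and a large risk set can be made to disappear by splitting it finely enough) is easy to check. The following is an added example, not code from the original article: the register entries, the 5% cut-off and the 40% "data migration" risk set are all constructed for illustration.

```python
"""Why 'death by prioritisation' is dangerous: the risks a threshold filter
discards individually can be anything but insignificant collectively.

Added example, not code from the original article. The register entries,
the 5% cut-off and the 40% risk set below are constructed for illustration.
"""
from math import prod


def p_any_independent(probs):
    """Probability that at least one of several independent events occurs.

    P(at least one) = 1 - product over i of (1 - p_i)
    """
    return 1.0 - prod(1.0 - p for p in probs)


def p_any_upper_bound(probs):
    """Union bound: P(at least one) <= sum of p_i, with equality when the
    events are mutually exclusive (for example, the sub-sets of one
    partitioned risk set). Together with the independent figure this
    brackets what a 'dropped' collection is really worth."""
    return min(1.0, sum(probs))


def screen(register, threshold):
    """Apply the prioritisation rule 'ignore anything below threshold'.

    Returns the kept items, the dropped items, and what the dropped items
    amount to collectively (independent estimate and union bound).
    """
    kept = [r for r in register if r["p"] >= threshold]
    dropped = [r for r in register if r["p"] < threshold]
    dropped_p = [r["p"] for r in dropped]
    return kept, dropped, {
        "independent": p_any_independent(dropped_p),
        "upper_bound": p_any_upper_bound(dropped_p),
    }


def split_risk_set(risk, parts):
    """Partition one risk set into `parts` mutually exclusive sub-sets of
    equal probability. The total probability is unchanged, but every piece
    may now fall below a cut-off that the whole would have passed."""
    return [
        {"name": f"{risk['name']} [{i + 1}/{parts}]", "p": risk["p"] / parts}
        for i in range(parts)
    ]


# Constructed register: three 'big' risks and twenty 'small' independent ones.
REGISTER = (
    [{"name": "Key supplier fails", "p": 0.15},
     {"name": "Regulation changes mid-project", "p": 0.10},
     {"name": "Lead developer leaves", "p": 0.08}]
    + [{"name": f"Minor integration defect #{i}", "p": 0.02} for i in range(1, 21)]
)
THRESHOLD = 0.05  # constructed cut-off: "not worth an action below 5%"


if __name__ == "__main__":
    kept, dropped, agg = screen(REGISTER, THRESHOLD)
    print(f"kept {len(kept)}, dropped {len(dropped)} items, each at or under "
          f"{max(r['p'] for r in dropped):.0%}")
    print(f"chance at least one dropped item happens: {agg['independent']:.0%} "
          f"if independent, at most {agg['upper_bound']:.0%}")

    # The same rule lets a 40% risk set vanish once it is split finely enough.
    big = {"name": "Data migration fails", "p": 0.40}
    kept_b, dropped_b, agg_b = screen(split_risk_set(big, 20), THRESHOLD)
    print(f"split 40% risk set: kept {len(kept_b)}, dropped {len(dropped_b)}; "
          f"the dropped pieces still sum to {agg_b['upper_bound']:.0%}")
```

Run as a script it screens the constructed register at 5%: the three big items survive, the twenty 2% items are dropped, and the dropped set carries a 33% chance that at least one of them happens. The second half shows the L64 effect directly: a single 40% risk set cut into twenty equal sub-sets fails the same cut-off twenty times over, and the meeting records no action for any of it.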

Another factor is that the systematic feel of many corporate risk management processes creates the illusion that we really can identify all the possible things that might happen, and know in some sense what their probabilities are. As this illusion takes hold the fog that actually clouds the future is ignored and we begin to make plans as if what we have written down are the only things that can happen.

Mistakenly discarding risk sets can happen accidentally even when there is no pressure if the technical procedure and forms used in your organisation encourage it. The danger signs are:

Under these circumstances the level of aggregation of risk sets is not controlled and anything can happen.

As meeting leader you need to realise when there is a risk of this happening and have a plan to deal with it. Explain the danger. Suggest aggregating the "smaller" risks and managing them with lightweight actions where possible. Make sure the risks of doing nothing are reported. Do not allow pressure or blind adherence to flawed technique to sweep uncertainty under the carpet.

Summary by role


Note taker



Reading the advice above I find myself depressed by the odds against a truly successful first meeting. But be bold and persistent. Over time a group can become very skillful and productive.

If you have any ideas, questions, or complaints feel free to let me know at I usually respond within a couple of days.

Words © 2004 Matthew Leitch


If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues and friends, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details


About the author: Matthew Leitch is an independent consultant, researcher, and author specialising in internal control and risk management. He is the author of and and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it. more
