How to run a risk management meeting
by Matthew Leitch, 31 May 2004
Read on if you expect to lead or attend a meeting to discuss risks and what to do about them. This does not apply if the meeting is to discuss in detail some risks that have already been defined and analysed.
The ideas here are to help you with important things like getting the meeting finished on time, not wallowing in worries, coping with politics, and still getting useful results. This is not general advice about running meetings. Meetings to talk about risks and what to do about them have special characteristics so this guide explains them and what you can do about them specifically.
Meetings to talk about risks and what to do about them are usually done according to some procedure laid down by your organisation and the idea is to fill in some forms including, usually, one called a risk register. Your organisation's procedures may tell you how to conduct a risk management meeting, but the instructions are probably about how to fill in the form and what the theoretical process of analysis is imagined to be. What you really need to understand is how people typically behave in these meetings, so it won't be a shock when it happens to you.
Risk management meetings typically have three characteristics that account for most of the behaviour found in them:
They are unfamiliar to most people.
The content is often about bad things that might happen and tends to stir up feelings and politics.
The paperwork process and formal procedures laid down by your organisation or a regulator can make things worse instead of better.
Here's what to expect when a group tries one of these meetings for the first time:
Ask for risks and people will tell you what is wrong now. Technically, these contributions are not risks because they are not in the future and there's no uncertainty; they are problems now. The same thing happens when you ask for opportunities. Instead of talking about helpful things that might happen unexpectedly in future, people will talk about opportunities that exist now, quite possibly things they've suggested before but still think should be considered.
All the "risks" will be bad things. Again, technically this is not right, at least according to most official standards and guides on how to manage risk. Nevertheless, most people associate the word "risk" with bad things that might happen and naturally assume you want to know only the downside.
Ongoing battles will play a powerful role in controlling the conversation. One of the benefits of risk management meetings is that they can create a relatively safe environment in which people can air their worries. Often it is less senior people at the meeting who are raising current issues in front of their more senior colleagues. There may also be inter-departmental disagreements driving the conversation. Whatever the reason, the main players will try to control the 'message' sent upwards by the points that get recorded on the risk register or whatever forms have to be filled in.
Good ideas for dealing with risk and uncertainty will not flow freely. Unless at least one of the participants is unusually creative and skilled, the participants will probably find it a lot easier to talk about what is wrong and why nothing can be done than to think of worthwhile things they can do.
If you try to be rigorous about risks it's easy to write a very long list of them. Some techniques demand that every risk has a trigger event, a consequence, and an implication of that consequence. Three-step causal chains like this quickly give you an endless supply of risks and you could easily write them all day. Other techniques are less likely to give an endless list of risks but this is still a danger.
People will not be open about risks and uncertainty even if they feel the meeting is safe. There are lots of reasons why we don't mention risks we have in mind. For example, doing so might be taken as a criticism of a feared person or department. You might keep quiet about something that's hard to manage because you know you would be assigned as 'owner' of the risk. Sometimes a senior person has subtly but unmistakably made it clear that they do not want to know about certain risks. Their motive for this may be that they feel they are less liable if they haven't been told of something than if they have been told but nevertheless did nothing. This is just a small sample of the reasons for suppression of uncertainty!
People with different backgrounds tend to have different fixations. Certain professions have a perspective on risk that is all their own. Certain risks they will regard as very important and it could be that one or two people suggest a lot of risks in a particular area just because they know a lot about it.
The "risks" suggested may be a jumble. The things we call "risks" are not like physical objects, able to define themselves. Two people will rarely see the same "risks" in the same situation. What happens in your meeting depends in part on the procedure defined for it, but also reflects your influence in ordering the various ideas that people put forward, each coming from a different way of seeing the world.
By now you're probably thinking "AAAAAAAAARGH! I don't want to have anything to do with one of these meetings." Fortunately, over time the meetings improve and there are things you can do right from the start to get through to a good result. Best of all, people normally say risk management meetings are worthwhile and want to do more, almost regardless of the technical quality of the conversations. It is so rare that people are given a chance to air their concerns or encouraged to take their blinkers off for just a few hours.
Hold on to the thought that most people like risk management meetings. Stay positive and enthusiastic throughout the meeting to set the tone for everyone else. Conversations about risks and what to do about them can be encouraged to flow along productive lines. Here are some suggestions:
Always "define"; never "identify". The things that go on risk registers and that most people call "risks" are really sets of risks. Consider something very specific-sounding like "Contravention of the Copyright, Designs & Patents Act leading to prosecution and/or adverse publicity resulting in loss of public confidence in the company." Even this is a set of risks because of the many different ways you could contravene the Act, and the different extents of impact contraventions might have.
So, instead of talking about "identifying risks" say instead "defining sets of risks" or "defining areas of uncertainty." Encourage people to be clear about what is included in each one and if you are writing down the risks make sure your wording is clear. When someone suggests a current problem is a "risk" do not bother to correct them, but instead interpret their suggestion as being "the set of risks flowing from our current problem."
I particularly like and recommend the phrase "area of uncertainty" because it is familiar, reduces the tendency to think too narrowly, increases the tendency to think about how to find out more, and does not trigger people to think only of the downside.
Don't drive for detail early on. Because you are really talking about sets of risks you have choices about what sets of risks you define. A good game plan is to start by defining some big sets and then sub-divide where people feel more detail is worthwhile. In practice you won't have enough control to make that happen in the ideal way, but you can get most of the benefit by just letting people bring up big areas of worry and not pressing them immediately to cut them up into more specific areas.
Once you start to unpack an area you have choices about how. One good technique is to follow causal links. You could ask "What could cause this?" or "What could this lead to?" Analysis in either direction will help people think of management actions.
Trust your intelligence, not the process. Some corporate risk management processes have impressively detailed forms with carefully defined jargon and cunning rating and ranking systems. They seem almost scientific. Almost, but not quite. In reality nearly all of these are technically flawed and too far from the way people naturally think. The discipline of a sensible agenda helps you keep control but if you push people to follow the procedure to the letter the meeting could become less effective, not more.
Instead, think in advance about what the discussion is likely to centre on. Think about the various ways the conversation might develop and be ready. Take advantage of the fact that the risk areas people mention first and talk about the longest tend to be the most important. You could list 50 risks, rate and rank them, then work more on the highest rated ones but you will probably find you get to the same things more quickly by just going with what people mention first.
Have a strategy for breaking down the risk sets, but be prepared to be flexible. As part of your preparation, think about how you might be able to organise the risk sets as the meeting progresses. The key point is that you have choices and, while there's no right answer on how to break down the risks, some alternatives will be better than others.
If your organisation's procedures and forms lay down the risk sets you have at least part of the answer you need. What you still have to think about is how to relate each suggestion to one or more of the prescribed risk sets and, possibly, how to break down the prescribed sets into smaller risk sets where that is worthwhile. For example, a participant might say "I think we've got a really big risk around e-business." Somehow you have to develop this vague platitude into one or more worthwhile risk sets that flesh out the overall scheme. Perhaps the scheme established earlier in the meeting is to split risks related to contracts and transactions with other parties from risks related to your internal infrastructure. You will have to split the "e-business" risk set between its customer and supplier related risks and its technological/infrastructure related risks, ask the proposer if this is OK, and get some more details about what precisely the proposer had in mind.
If your organisation's procedures do not lay down the risk sets you have more flexibility but it can be harder to arrive at something orderly in the meeting. Consider alternatives before you start and have a game plan that's flexible. You might divide the risks first on the basis of organisational unit (because risk sets usually need to be assigned an owner and this cut makes it easier), then by association with different operational processes (if that is relevant to your meeting), and then by type of effect, and then by cause. That's just one of many possibilities. It's quite likely that you will not have time in the meeting to go down to a level of detail where all the splits you have considered are needed. It may be that you use different methods to break down different branches. It may be that you make up your mind about which way to go during the meeting.
Sometimes people remain inward looking and all their risks are about internally arising failures. Take action to make sure external sources of risks are considered for at least half the time. External sources are more likely to be a surprise and need more attention.
Develop the risk responses in parallel with the risk sets. Official guides to risk management tend to describe a strictly linear pattern of thinking. First you define your objectives. Only then can you define your risks. And only when you have defined all your risks can you analyse their characteristics. And so on. Does that sound like human thinking to you? Of course not.
The way people think about potential events and current problems is much more interlinked than this linear idea suggests. If they've just thought of a risk set they will want to talk about it, including its characteristics, actions they think will not help, and perhaps actions they think will work. Other people will want to respond immediately. Don't stop their flow. You need people contributing connected trains of thought, not just disembodied words thrown in to fill out a form.
In particular, make sure you write down important risk management actions as soon as they arise - even if that is before all the risk sets they relate to have been defined. This can speed up the meeting dramatically. Why break down a load of risk sets when they're all addressed by a single, powerful action that has already been agreed? Feel free to let emerging action plans influence the risk sets that are defined, just make sure people try to think of risks that would defeat the actions!
Agree a "next action" for everything, even if you don't yet know how to manage the risk set adequately. Sometimes there isn't time to work out a satisfactory way to manage every risk set. Perhaps there's more research to do, or necessary information will be available later, or the team is just plain stumped. There is no point pressing people to agree risk management actions with dates and owners unless the actions are ones they believe will work. Instead of forcing people to agree to things that are half-baked, accept any action that will continue progress with the risk set, including agreements to discuss certain points again, or to get someone to make some detailed proposals. Write these down as action points and assign owners and dates as usual.
This is not failure. Risk management for any kind of ongoing venture will need to be ongoing and that implies agreeing to do more risk management at each stage. The first time a risk management meeting is held for a venture several of the action points should be to do more risk management later.
Help people think of risk responses/controls. Since this is the bit people find hardest anything you can do to make it easier is likely to be welcomed. Here are some suggestions:
Ask if there's any way to find out more about the risk set, or any particular things that could be monitored. People tend to overlook this point even though it is often the most important.
Ask other questions that are suggesting a type of response, e.g. "Is there any way we could detect breakdowns here more quickly?"
Include someone in the meeting who is very good at suggesting management actions.
If you know someone has ideas or relevant experience of a similar situation elsewhere, ask them to speak.
Circulate a document beforehand that discusses risk responses commonly applicable to the area you will discuss in your meeting.
Start with a straw man of proposed actions and have it debated and amended. (You don't need to know much about the risks to do this.)
Encourage participants to prepare beforehand by considering the items that might come up and thinking about what could be done to manage them. Ask them to help make the meeting a success. At least some people will take the opportunity to be a hero.
Push people to be more open-minded about future possibilities. There's ample evidence that people typically have an overly narrow view of what might happen in the future. We tend to think we can predict and control events much better than in fact we can. Psychologists have spent a lot of time looking for ways to get people to be more realistic about the future. Here are two ideas you can sometimes use:
If you think people are discounting a possibility too easily say "OK, so you don't think this is likely. But supposing at some time in the future you heard that in fact it had happened, how might that have come about?" Once people have told a story of how something might happen they tend to regard it as more likely.
If you are asking people for number ranges try dividing them into groups of 3 or 4. For example, suppose you want estimates of high and low sales volume for next month such that respondents are 80% sure the actual result will be within the range. Ask an individual for estimates and they are likely to be too narrow. Instead, ask 3 or 4 people to make estimates (without consulting) and then take the highest high estimate from the group and the lowest low estimate. This is usually a better estimate of the true range than any individual's.
Concentrate on uncertainty. The key to success is getting people to be more aware of their uncertainties and come up with actions that address them. Believe it or not it is quite possible to go through a risk management process that reinforces the illusion that we know everything about the future and we are in control! Don't let that happen to you.
Sometimes people hit upon a wheeze that enables them to have a risk management meeting easily without coming up with any new ideas. They realise that almost anything can be expressed as if it is a response to some risk and start going through all the things they are already planning to do or wish the organisation would do, justifying them using this trick. For example, suppose we think it would be a good thing to increase customer satisfaction. We write:
OBJECTIVE: Increase customer satisfaction.
RISK: Failure to increase customer satisfaction.
RESPONSE: Customer Satisfaction Programme (i.e. the one we're already doing/planning) to increase customer satisfaction.
I hope you can see without me spelling it out that this is a useless sham. This example is paraphrased from the top-level risk register of a leading company listed in the UK, and the other 9 risks in their top 10 were written in the same way.
(Rather than fill the risk register with actions that add nothing new, it would be much more useful to start from the fact that the Customer Satisfaction Programme is on the plan and think about what uncertainties affect its outcome, perhaps changing the programme to make feedback more rapid, include more research, make the programme more flexible, and generally make it more risk-smart.)
We need to be able to spot the "everything is about risk" dodge when it happens, and stop it. It's easy to spot the trick when the wording of the risk set and response makes it blatant by using the form:
RISK: We fail to do X.
RESPONSE: Do X.
It's harder to spot when people disguise the RESPONSE part with things like "Make a plan to do X", "Allocate adequate resources to do X", "A programme to do X" or "Ensure that X is done."
Another way to spot the trick is by considering whether the action would be needed in a world without uncertainty. For example, suppose you are talking about risks on a project and someone suggests "training users to use the new software" as a risk response. If the project was carried out in a very stable and predictable environment, in a world where all our forecasts and plans proved to be correct, would we still need to train users to use the new software? Yes. So this training is not a risk response. We would have to do it even in a world without risk. Would we still have to make a plan to do training? Yes. Would we still need to allocate adequate resources to do training? Yes.
In contrast, but still in a world without uncertainty, would we need to do early trials of the training materials to find out how long training really takes? No! Would we need to test users' knowledge in some way to check that the training has been successful? No! These are actions that our uncertain world makes necessary so they are proper risk responses.
The earlier example of a Customer Satisfaction Programme is yet another way to avoid doing real risk management. The basis of the trick is that a reader cannot state definitely that the item is a sham because there might be some risk managing actions within the programme. In this case I suggest being skeptical. An honest attempt at risk management would read very differently.
Another dangerous syndrome to watch out for usually happens when people feel they are short of time and resources, though it can also be the by-product of the procedure and forms used. Stressed and under pressure our vision tends to narrow. We start asking questions like "What are the really key things we must do?" Good ideas for managing risk that seemed important earlier now seem like luxuries we don't really need, which some of them may be. Encouraged by buzz phrases like "80:20 rule", "prioritise", "focus", and "critical success factors" we eliminate things from task lists. We declare risks to be "within our risk appetite".
This kind of tunnel vision is a route to disaster.
The trouble is that although each of the many things we exclude from consideration is individually insignificant, collectively they are anything but. For example, if you exclude 20 things that each have an independent probability of occurrence of just 2%, this is the same as excluding one thing that has a probability of occurrence of 33%: the chance that none of the 20 happens is 0.98 multiplied by itself 20 times, about 67%, so the chance that at least one happens is about 33%. In other words, a third of the time at least one of those 20 very unlikely things will happen. We also tend to evaluate the impact of risks as if nothing else unexpected happens.
The importance of a risk set depends in part on how aggregated it is. By the dangerous logic of prioritisation a risk set that is big and important can be split into a collection of smaller sub-sets that are each small and not worthy of action.
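As an added illustration of the arithmetic behind the two paragraphs above (this is example code written for this page, not part of the original article), the following Python works out the combined probability of a collection of independent risk sets and then shows what a simple per-item "appetite" threshold does when one big risk set is split into many small ones. The 20 items at 2% come from the article; the 10% threshold is an assumed value chosen for illustration.

```python
from math import prod


def prob_at_least_one(probs):
    """Probability that at least one of several independent events occurs.

    The chance that none of them occurs is (1-p1)(1-p2)...(1-pn),
    so the chance that at least one occurs is 1 minus that product.
    """
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return 1.0 - prod(1.0 - p for p in probs)


def expected_occurrences(probs):
    """Expected number of the events that occur (the sum of the probabilities)."""
    return sum(probs)


def flagged_by_appetite(probs, threshold):
    """A simple 'appetite line': keep only the items whose probability exceeds it.

    This is the per-item threshold the article warns about: it never looks at
    the collection as a whole.
    """
    return [p for p in probs if p > threshold]


def aggregation_demo(n=20, p=0.02, threshold=0.10):
    """Judge n small independent sub-sets one by one, then as a single aggregated set.

    n and p default to the article's example (20 items at 2% each);
    threshold is an assumed appetite line of 10%, not a value from the article.
    """
    sub_sets = [p] * n
    aggregate = prob_at_least_one(sub_sets)
    return {
        # How many of the small sub-sets would be flagged for action on their own
        "sub_sets_flagged": len(flagged_by_appetite(sub_sets, threshold)),
        # Probability that at least one of them happens (about a third)
        "aggregate_probability": round(aggregate, 4),
        # Whether the same risks, treated as one set, would cross the line
        "aggregate_flagged": aggregate > threshold,
        # On average how many of the 20 will actually happen
        "expected_occurrences": round(expected_occurrences(sub_sets), 2),
    }


if __name__ == "__main__":
    print(aggregation_demo())
```

With the defaults, none of the 20 sub-sets is flagged individually, yet the aggregated set has a probability of about 0.33 and is flagged. That gap is exactly what splitting a risk set into "small and not worthy of action" pieces hides, and why the level of aggregation needs to be a conscious choice rather than an accident of the form.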
Another factor is that the systematic feel of many corporate risk management processes creates the illusion that we really can identify all the possible things that might happen, and know in some sense what their probabilities are. As this illusion takes hold the fog that actually clouds the future is ignored and we begin to make plans as if what we have written down are the only things that can happen.
Mistakenly discarding risk sets can happen accidentally even when there is no pressure if the technical procedure and forms used in your organisation encourage it. The danger signs are:
The procedure confuses risks with risk sets, talks about "identifying" risks rather than defining them, and generally proceeds as if risks are physical objects with their own clearly defined boundaries that everyone will see in the same way. With this theory there is no awareness of aggregation or the value of controlling it.
The procedure encourages very narrow risk sets right from the start. This is especially true where everything has to have a cause and effect. Long causal chains lead to long lists of little risk sets.
A simple risk "appetite" line divides the significant risk sets (those that require action) from those that are not significant. (It does not matter if this is inherent or residual risk. The point is that a simple threshold is used.)
Under these circumstances the level of aggregation of risk sets is not controlled and anything can happen.
As meeting leader you need to realise when there is a risk of this happening and have a plan to deal with it. Explain the danger. Suggest aggregating the "smaller" risks and managing them with lightweight actions where possible. Make sure the risks of doing nothing are reported. Do not allow pressure or blind adherence to flawed technique to sweep uncertainty under the carpet.
Prepare carefully to anticipate the contents, the politics, and the likely ways of breaking down the risk sets.
Concentrate on getting people to talk more about uncertainty.
Make a special effort to help people think of good risk responses.
Define areas of uncertainty; don't "identify risks." Watch out for risk management theory that doesn't work.
Be careful to write risk set definitions clearly and precisely.
Be ready for the conversation to jump around and expect to have to write the notes up neatly later and clarify the structure when you do.
Concentrate on uncertainty. Don't just make up sentences with the word "risk" in them to say the same things you usually say in meetings.
Think carefully beforehand about responses to uncertainties likely to come up in the meeting.
Let the chairperson be in control.
Reading the advice above I find myself depressed by the odds against a truly successful first meeting. But be bold and persistent. Over time a group can become very skillful and productive.
If you have any ideas, questions, or complaints feel free to let me know at firstname.lastname@example.org. I usually respond within a couple of days.
About the author: Matthew Leitch is an independent consultant, researcher, and author specialising in internal control and risk management. He is the author of www.workinginuncertainty.co.uk and www.internalcontrolsdesign.co.uk and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it.