As I discussed in prior posts,
Unreasonable — Risk management is a one-time analysis
Everyone recognizes the need to continually update
First, the information in the very first risk assessment is, essentially, an unvalidated model of your organization’s risk environment. It’s often unwise to place confidence in an unvalidated model. Instead, this risk model must be revisited from time to time and adjusted until the model reflects an ongoing representation of the real world. If a risk management model, 12 months later, indicates that a particular risk is the greatest risk to the organization, does that still make practical sense? If not, what assumptions need to be tweaked?
Second, any organization’s real world environment is not static. It changes daily. The greatest benefit of risk management is to capture changing conditions and help identify where and when certain strategies may no longer be optimal and should be revisited. This capability focuses management’s attention on either mitigating a new emerging risk or taking advantage of a new emerging opportunity. This value is lost if risk management is viewed as a static project.
Unreasonable — Risk management will deliver hard and objective answers about risk
Sorry. Risk management is inherently subjective. The foundation for risk management relies on people’s opinions of how different activities and risks might impact your organization. Occasionally, in very specific risk areas, there may be sufficient data such that analytical risk models can be created. But even these apparently objective models are based on historical experience and assumptions about future probability. It’s important to recognize that risk management always relies on opinions and assumptions. The goal is to remove the superficial subjectivity surrounding assumptions, definitions, and personal self-interest. When this superficial subjectivity is removed, it is far easier to discuss, rank, and monitor the impact and likelihood of risks.
Perhaps most important is to simply avoid the illusion of objectivity and openly recognize that periodic ongoing updates to your risk management system fulfill two purposes: i) to capture changing inputs to your risk management model and ii) to provide ongoing validation of your organization’s risk management model itself.
Unreasonable — Management can fully outsource the implementation project
Senior management must remain involved at some level. No one outside of the senior management team can know all of the important strategic and tactical issues within your organization. This means that, except in broad general terms, no single individual can effectively:
- Design the ultimate risk management deliverable,
- Identify all of the risks,
- Determine which risks might be potentially more harmful to the organization,
- Determine the likelihood that those risks might actually occur.
Of course, the more time someone spends inside the organization doing research and interviews, the more familiar they can become with it. But that’s still no substitute for directly involving the right people at all levels of the organization. It’s the only option if the foundation is to be built on solid, informed opinions rather than uninformed generalities.
Recap: This post addresses some of the unreasonable expectations. You may have additional ones in mind and I would love to hear from you. The next post will flip this over and discuss some very reasonable expectations that management should have.