When you’ve done something for a long time, you eventually get to where it becomes second nature or intuitive.
My chocolate chip cookies are a great example…at this point, I could almost make them with my eyes closed. Although I don’t particularly want to do that, I can make them without looking at a recipe.
Choosing the right risk assessment technique works much the same way.
For me, much of this process is intuitive and therefore renders any checklist obsolete. However, I was reminded of some of these basic considerations when preparing for a class I’m currently teaching for UCLA Extension’s ERM Certificate program.
Choosing the right risk assessment technique is important for ensuring you’re able to provide the information that decision-makers need, so they can determine the appropriate risk response.
These techniques can be either qualitative or quantitative. Examples include basic approaches like brainstorming, surveys, and bow-tie analysis, or more complex ones like causal mapping, scenario analysis, Monte Carlo simulation, and more.
The following seven considerations were adapted from the IEC 31010 standard developed by ANSI and RIMS in partnership with ISO and can be a good starting point, especially if you’re relatively new to ERM.
These considerations include understanding…
- The purpose of the assessment.
This is answering the question – what am I doing here?
To put it another way, it means establishing the “context.” ISO 31000 talks about “context” being a critical part of not just risk assessment, but any risk management work.
The context is simply the focus – are you assessing risk to strategy or to a project? Is this limited to one department or does it span the entire enterprise? As I discussed in a previous article on risk culture, absent this fundamental understanding, it will be impossible to know where resources should be focused and in what amount.
- The needs of stakeholders.
Stakeholders can include anyone from executive leaders to business managers, the Board, investors, regulators, and more. Are these stakeholders simply looking for thoughts or perspectives on a topic? Or are they looking for hard data to help them visualize the likelihood and impact of a risk or, better yet, the level of certainty that a particular goal will be successful?
- Any legal, regulatory, and contractual requirements.
Some types of organizations are legally required to conduct certain types of risk assessments. Insurance companies subject to ORSA regulations are required to conduct scenario analysis around top risks. Also, contracts with vendors will require risk assessments to be done, sometimes in a certain way. If your company is a supplier of raw materials or finished products to another firm, there may be contractual obligations to assess the supply chain risks.
- Any defined decision criteria and their form.
This consideration will drive what your risk assessment output will need to look like to provide the information needed to make a decision. Do decision-makers need to see how particular scenarios play out? Do they need to see, through a Monte Carlo simulation, that a particular risk will have a high chance (90+%) of falling within a pre-determined range? Or is it simpler than that?
- The time available before a decision must be made.
Some assessment methods take longer than others. Therefore, if time is of the essence and a decision must be made quickly, you may have to resort to simpler approaches like a brainstorming session or causal mapping. Conversely, if time allows, you can opt for an assessment method like scenario analysis or Monte Carlo simulation that requires multiple iterations to arrive at a final result.
- The complexity of the situation.
Similar to time available, the complexity of the risk(s) will also play a role in determining the right assessment method. For more complex strategic risks occurring in an uncertain future, a more thorough or extensive approach will be needed. On the flip side, if you’re assessing a risk that only impacts one area of the company, you may be able to get away with a more basic assessment method.
- The expertise available or obtainable.
Does the organization have the people in-house to provide insights needed to adequately assess a risk? If not, time and effort will need to be taken to find the right expertise. If this is too cumbersome, then perhaps you don’t dig so much into certain data elements, but rather talk about them from another perspective or otherwise use a different technique to obtain the information.
By the way, this is always a consideration I use as a consultant when talking with potential clients. Engagement proposals assume that the company has the required expertise readily available, but if not, then extra planning and effort will be required to get the information and/or resources we need to do the assessment.
While I wasn’t familiar with this particular standard before teaching the class for UCLA, it was developed in close partnership with the ISO 31000 risk management framework. With that said, I strongly recommend caution if you choose to purchase the IEC 31010 standard as it can easily become overwhelming. Also, some of the techniques mentioned in the standard are more for operational or health/safety risks so they won’t be helpful for understanding strategic and other enterprise risks.
Personally speaking, as I’ve grown in my career, many of these steps or considerations happen instinctively. However, regardless of your experience level, it is good to take a step back from time to time to understand these sorts of basic ideas to ensure you’re doing everything you can to provide a seamless experience to your organization.
Are there other considerations or factors you use for choosing the right risk assessment technique?
Please feel free to leave a comment below if you have any perspective you would like to share on this fundamental yet all-important topic.
If your company is struggling to choose the right risk assessment technique and you feel like a fresh set of eyes can help break the impasse, then please don’t hesitate to contact me directly to discuss the current situation and potential paths forward.