I have been very fortunate to work with many companies over the last few decades and risk management is very familiar.  Risk management is used with much confidence. Some organisations even have risk managers and risk departments. On conducting risk audits however, risk management starts getting a little fuzzy.

Let’s look at a classic risk example that I see all too often on a risk register, resource constraints.

‘Resource constraints’ is a risk probably found in every organisation on every risk register.  The probability of the risk occurring is almost always reflected as high; as is the impact of that risk. The risk owner is the person who identified the risk and the risk strategy is generally mitigation.  We love the word mitigate.  It is stated with much aplomb, confidence and boldness.

Reviewing a classic risk such as this sets off a stream of questions.

• What resource is constrained?
• What does high mean? Your high and my high could be two different things?
• What experience does this risk owner have?
• What authority does this risk owner have? I refrain from asking the title of the said person and I will park this as a topic for another day.
• How do you know that is the risk owner, if the resource is not identified?
• How do you arrive at a strategy if the resource is unknown, the cause is unknown, the effect is unknown?
• Do your risks become issues?

I always say – if you have not defined risk correctly, then you may as well throw away your risk register. Roll it up and smoke it I recently said to some shocked students.  Executives, sponsors and senior management ignore risks.  They do not support you, nor do they lend an ear to those raising the risk.   The reason is simple.  Many are unable to articulate the risk in a way that will give them the desired result.

If you have not articulated risk correctly, then:

• You CANNOT define probability!
• You CANNOT define impact!
• You CANNOT establish the risk owner!
• You CANNOT establish the strategy!

So how should risk be articulated.   The answer is – using risk meta-language.

A risk is uncertainty.  A risk is something that may happen and therefore may impact a strategic goal, a business objective, a portfolio, program or project objective.

A resource could refer to a person, to material, to equipment, to technology, to assets of some sort, to finance.

1. What resource is constrained, first and foremost.
2. Why is that resource constrained? We need to ask why until the root cause of the constraint is identified. Use the 5 Whys if you need to.
3. What specific objective is affected by this constrained resource.

Here are 3 examples of a risk description using risk meta-language.  You will see that the risk remains the same however the risk has a different cause and a very different effect.  The 3 examples are:

1. Due to a negligent driver I may be in a car accident resulting in my death and my family being financially destitute.
2. Due to pot holes on the M55 I may be in a car accident resulting in me not being able to attend to a client query.
3. Due to a tyre blow-out  I may be in a car accident resulting in my car rolling and being written off causing me to lose my claim free bonus.

By articulating the risk description using risk meta-language (cause-risk-effect), we can now establish probability, impact and a proper strategy for each risk along with the correct risk owner.

Happy risk assessment with a little more risk confidence! Next time I will touch on defining probability and impact allowing for more effective qualitative risk assessment.