Seven Questions and Risk Process
Anyone facing a risky and important decision or project will need to answer seven basic questions. In fact we could shape the risk management process around asking and answering them. If we do then the risk process will become intuitive and natural, easy to follow, and less bureaucratic or forced. The seven basic questions are as follows, together with the related step in the risk process:
- What are we trying to achieve? (Establish Context) We cannot start any risky venture without first clearly defining its scope and clarifying the objectives that are at risk. We also need to know how much risk key stakeholders are prepared to accept, since this gives us the target threshold for risk exposure. We must address these factors as the first step of the risk process.
- What could affect us achieving this? (Identify Risks) Once objectives and risk thresholds are agreed, we can start identifying risks, which are uncertainties that could affect achievement of objectives (including both threats and opportunities). There are a variety of risk identification techniques, each of which has strengths and weaknesses, so we should use more than one approach. In addition to considering individual risks, we should also address overall risk exposure.
- Which of those things are most important? (Assess Risks) Not all risks are equally important, so we need to filter and prioritise them, to find the worst threats and the best opportunities. This will help us decide how to respond. When prioritising risks, we could use various characteristics, such as how likely they are to happen, what they might do to our objectives, how easily we can influence them, when they might happen, etc. We should also consider the effect of overall risk exposure on the final outcome.
- What shall we do about them? (Plan Risk Responses) Now we can start to think about what actions are appropriate to deal with individual risks, as well as considering how to tackle overall risk exposure. We might consider radical action (avoid threats or exploit opportunities), or attempt to influence the level of risk exposure (reduce threats or enhance opportunities), or decide to do nothing (accept the risk). We might also involve other parties in responding appropriately to the risks (transfer threats or share opportunities).
- Having taken action, did it work? (Implement Risk Responses) We can plan to address risks, but nothing will change unless we actually do something. Planned responses must be implemented in order to tackle individual risks and change overall risk exposure, and the results of these responses should be monitored to ensure that they are having the desired effect. Our actions may also introduce new risks for us to address.
- What has changed? (Review Risk) The risk process cannot end at this point, because risk is dynamic and changing. So we have to look again at risk on a regular basis, to see whether existing risks have been managed as expected, and to discover new risks that now require our attention.
- What did we learn? (Risk Lessons Learned) There is one more important step in the risk process, which is often forgotten. As responsible professionals we should take advantage of our experience with this risky situation to benefit future similar ventures. This means we will spend time thinking about what worked well and what needs improvement, and recording our conclusions in a way that can be reused by ourselves and others.
By structuring our risk process in this way, we will make it easier for people to follow the process, as they are simply addressing a set of common-sense questions. Anything that makes risk management simpler will ensure that people are more engaged, and that our risks are better managed.