It’s the risks that are NOT in our risk database or risk register that have the greatest potential to cause us damage. After all, if a risk has been identified and is important, its likely that responses to it have at least been thought about.
Risks that are not likely to be represented well (if at all) in your risk database are illustrated in the diagram below. The diagram is supported by PhD research into risk in complex projects. If you want to know more , just get in contact.
The traditional approach to finding risks, at least in many organisations, is to ask yourself and others “what risks are we facing?” It’s a good question, especially when supported by effective risk checklists, supported by experience and enhanced by diverse stakeholder perspectives.
Despite this, traditional risk approaches struggle to find complex, sensitive or systemic risks that may be obvious in hindsight. Counter-intuitively, to find those risks we need to stop asking risk-specific questions. Instead we need to inquire about anything and everything that matters, seeking-out insights and experiences about how the project or organisational system is working.
To do this, we use a risk workshop process such as the one illustrated in the diagram below.
A key point to note is that 90% of the workshop conversation with stakeholders is about what matters, what is going on, what next, why, how can we do better. Some of the steps are enhanced by specific applied systems thinking techniques – such as an essential capabilities mapping process, or a system boundaries diagram. The main requirement is to ‘let go’ of the idea of searching for risks, to make it possible to find out what matters and what is going on, more broadly.
After the workshop, risk propositions tend to jump out from what we have learned. If they don’t, they can be identified, tested and validated using practical data collation and pattern methods. This can be a rapid, evidence-based process where identified risks can be traced back to evidence supplied in the workshop, even though the workshop conversation was not specifically about risk.
During a risk workshop we never assess a ‘risk rating’ and we don’t produce heat maps. Yet inevitably, the people we are working with describe the workshop as refreshing, interesting, fast moving and highly valuable. Afterwards, a risk register or any other form of risk report emerges easily. Individual risks can be supported by risk maps, and risk responses can be optimised for best risk outcomes as a whole, rather than using the discredited approach of prioritising risks using risk ratings and heat maps.
At the end, the key difference is that many of the previously hidden, subtle, sensitive risks will have been identified, shared, understood and worked on holistically. That’s got to be good.