We define risk as "the effect of uncertainty on objectives" (ISO 31000), however how often do we stop and ask if we have the right objectives in the first place? On what basis were they formed? When were they developed? Have times changed? In my experience facilitating risk workshops, often a poor or even incorrect set of objectives is the "elephant in the room" for the management team.
Here are some tips for ensuring you have the right objectives:
Stakeholder Analysis - Identify your stakeholders, group them to keep them manageable, analyse them. What are the positive elements of their views of us? What are the negative elements? How important are they? The key question here is whether your objectives align with those of your key stakeholders.
Macro Environment - There are many options for this, however, a favourite of mine is PEST which explores the Political, Economic, Social and Technology factors affecting the organisation or project. If here you identify significant threats or opportunities that are not covered by your objectives you may need to adjust them.
Industry Analysis - A powerful tool for analysis of the competitive forces in an industry is Porter's Five Forces. Although designed for industry analysis, it can be easily adapted to assess the internal competing forces within government or within an enterprise. You may find that your objectives are too ambitious or not ambitious enough.
Internal Analysis - For this analysis I prefer one of my own tools, RMP's Five Building Blocks which is the basis of RMP's risk management maturity model, the RMP Healthcheck. RMP's five building blocks are: Strategy linked to Performance, People linked to Knowledge, Processes linked to Systems, Assets linked to Liabilities and all supported by Organisational Culture. Once again, if you have key strengths or weaknesses that were not recognised when your objectives were set you may need to rethink them.