Pretty soon I am publishing a book of my blogs of the last three years (click here to secure an invitation to the book launch) and one of my team (my wife Jacquie) pointed out that out of all the blogs, only one of them focuses on risk assessment. A bit bizarre when you think about it, given that this is where the rubber hits the road for the risk management process. It’s where a heap of value from your risk framework is delivered.
Funnily enough, there are only three questions you need to ask in a risk assessment. The first one is obvious:“What could go wrong?” The second one, is equally, if not more crucial: “What must go right?” And lastly, the third question: “What are we currently doing about all of this?” While I have been doing this with clients for more than 20 years, I had not encountered such concise expression of these questions until I heard it expressed so simply from an Australian Tax Office attendee, at the RMIA ERM Course which I run, who explained how simple they make it for their staff. And you probably know I preach simplicity when it comes to risk. Making things too complex has been the biggest failing of the risk profession and an earlier version of me is guilty of it.
I’m sure you get the essence of “What could go wrong?” and “What are we currently doing about all of this?” (current controls). However, you might be pondering a little about the second question “What must go right?”
In virtually every strategic plan I come across from various clients, there are strategic initiatives outlined to achieve strategic objectives. This is what I am talking about. What are they and what measures are in play to ensure these initiatives are delivered. These questions posed to an executive team often stir a bit of discomfort, especially after the current controls are rated as well as the risk level of failing on an initiative. This same principle also applies to projects, change initiatives and a multitude of other business activities.
If you are not asking “What must go right?” you are missing out on one key aspect of the principles of risk management, and that is, to create value and not just protect it.