Guest blog by our Canadian partner, Charles McCabe
I act as a Chief Risk Officer and board member of a community food bank that services a local population of about 30,000 people within a surrounding county of about 57,000. We’re gradually implementing ISO 31000 in a manner that befits the size and nature of this organization.
Every three years, the food bank writes a new Strategic Plan. This year, I have proposed “stress testing” the draft in the form of a risk assessment. I am particularly excited because I have proposed to do this using risk management software called RISKID. Reasons for doing this with RISKID are:
- Anonymous entry of uncertainties.
- Methodical coverage of all risk sources.
- Ability to quickly record any actions required on newly discovered vulnerabilities.
- Efficient discussions.
Anonymous entry of uncertainties
The value of an open workshopping or brainstorming exercise can be quickly negated when:
- Experts with valuable content don’t feel comfortable expressing their views in an open forum.
- A self-proclaimed expert starts dominating the conversation, causing other contributors to remain silent.
- Employees don’t want to say things they think need to be said when their boss is in the room.
RISKID allows everyone to enter their uncertainties via laptop, tablet or smartphone, having them appear on a screen as part of a collective list.
Methodical coverage of all risk sources
It’s not good enough to simply ask the question – what are our risks? It’s better to go through the organization, risk category by risk category, sub-category by sub-category, reminding participants of the definitions as relevant to their organization and asking, recommendation by recommendation, whether they cause any uncertainties. I use the simple Hazard, Operational, Financial and Strategic risk categories to represent risk sources, which can easily be created within RISKID in advance.
For each sub-category, I’m asking two questions:
- Does anything that happens within that risk category impact the ability of the Strategic Plan to achieve its objectives?
- Does the Strategic Plan add any unintentional stress or uncertainty to that risk category?
Ability to quickly record any actions required on newly discovered vulnerabilities
This risk assessment exercise is going to identify two areas of vulnerability:
- Those that require changes to the strategic plan.
- Those that require changes to the organization.
The purpose of this exercise is to stress test the strategic plan. If the strategic plan increases uncertainty in an area that doesn’t contribute to the success of the strategic plan, then it needs to be adjusted accordingly. That’s why we’re doing this.
However, the strategic plan might uncover areas of vulnerability to the organization simply because we’re examining that area from a slightly different perspective or at a different point in time, or because we have discovered something new. That’s a good thing because you can never believe you have identified 100% of all risks that impact you. We’re not infallible and circumstances are always changing. In those cases, RISKID allows you to record action plans to resolve those vulnerabilities as part of your traditional risk assessment process, and to record them in a project-based risk register that can be easily amalgamated with your larger organizational copy.
Provided you have the right people around the table for this workshop, you should be able to cover your risk categories against your strategic plan recommendations in a half-day session or less. What may take longer are the changes to either the strategic plan or the organization that result from this exercise. If there are a lot of changes, then hopefully your strategic plan and/or organization are improved because of it.
Is Risk Management a valuable component to Strategic Planning?
Absolutely, if it is done meaningfully and not just as a checkbox compliance function, which is the bane of all risk assessments. Hopefully, I have articulated a process using a valuable online risk-oriented workshopping tool.
I wish you all the best success in your next strategic planning exercise.
Charles McCabe is a North America-based Risk Management consultant who helps organizations raise their level of risk awareness at an enterprise level to make better decisions. You can contact Charles through LinkedIn.