Guest blog of our Canadian partner: Charles McCabe
I act as a Chief Risk Officer and board member of a community food bank that services a local population of about 30,000 people within a surrounding county of about 57,000. We’re gradually implementing ISO 31000 in a manner that befits the size and nature of this organization.
Every three years, the food bank writes a new Strategic Plan. This year, I have proposed “stress testing” the draft in the form of a risk assessment. I am particularly excited because I have proposed to do this using a risk management software, called RISKID. Reasons for doing this with RISKID are:
The value of an open workshopping or brainstorming exercise can be quickly negated when:
> Experts with valuable content don’t feel comfortable expressing their views in an open forum.
> A self-proclaimed expert starts dominating the conversation, causing other contributors to remain silent.
> Employees don’t want to say things they think need to be said when their boss is in the room.
RISKID allows everyone to enter their uncertainties via laptop, tablet or smartphone, having them appear on a screen as part of a collective list.
It’s not good enough to simply ask the question – what are our risks? It’s better to go through the organization, risk category by risk category, sub-category by subcategory, reminding participants of the definitions as relevant to their organization and asking, recommendation by recommendation, if they cause any uncertainties. I use the simple Hazard, Operational, Financial, Strategic Risk Categories to represent risk sources, which can be simply created within RISKID in advance.
For each sub-category, I’m asking two questions:
This risk assessment exercise is going to identify two areas of vulnerability:
The purpose of this exercise is to stress test the strategic plan. If the strategic plan increases uncertainty in an area that doesn’t contribute to the success of the strategic plan, then it needs to be adjusted accordingly. That’s why we’re doing this.
However, the strategic plan might uncover areas of vulnerability to the organization simply because we’re examining that area from a slightly different perspective, a different point in time or we have discovered something new. That’s a good thing because you can never believe you have identified 100% of all risks that impact you. We’re not infallible and circumstances are always changing. In those cases, RISKID allows you to record action plans to resolve those vulnerabilities as part of your traditional risk assessment process, record them in a project based risk register that can be easily amalgamated with your larger organizational copy.
Provided you have the right people around the table for this workshop, you should be able to cover your risk categories against your strategic plan recommendations in a half-day session or less. What may take longer are the changes to either the strategic plan or the organization that result from this exercise. If there are a lot of changes, then hopefully your strategic plan and / or organization are improved because of it.
Absolutely, if it is done meaningfully and not just as a checkbox compliance function, which is the bane of all risk assessments. Hopefully, I have articulated a process using a valuable online risk oriented workshopping tool.
I wish you all the best success in your next strategic planning exercise.
Charles McCabe is a North American based Risk Management consultant who helps organizations raise their level of risk awareness at an enterprise level to make better decisions. You can contact Charles through LinkedIn or via his website: https://risk-management.ca .