Understanding is not the same as having information – it is the process of putting that information into context to work out what it means in a particular situation. We conduct a similar process on a larger scale during the ‘understand’ stage of the risk management process. During this time, we build on our knowledge of an organization to understand the risks it faces.
The term ‘understand’ is both an activity and a stage in our risk management process. As an activity, understanding means relating information to a situation. Chess is often used as an illustration: I may know the names of the pieces on a chess board and what they can do, but still not understand chess. How the pieces interact, the set moves, the strategies and how to apply them are all necessary to understand the game. Understanding can be achieved by asking the questions ‘why?’ or ‘so what?’ until you run out of questions.
The understand stage in the risk management process is this same activity but on a larger scale. Again, we differentiate between knowing things about an organization and assessing that information and putting it into context, which allows us to really understand the entity. As an example, during any assessment interview one of the first questions I ask is ‘what do you do?’. In the majority of cases, the person just gives their job title, which doesn’t add much to my understanding. If I then follow up with a variation on ‘So what does that role entail?’, the next set of answers will add information and context. This questioning (‘why?’, ‘so what?’) helps move from knowing to understanding.
Adding context gives us a simple process or formula for understanding. We take information and put it into context to achieve understanding, so: knowledge + context = understanding. We touched on this when we discussed cause versus effect in the WDYMB…Risk? article. We can know the cause of an event, but we need to put this into context and determine the effects to understand the risk it poses. There are more complicated and detailed models for understanding, but this knowledge + context = understanding approach is a good start.
So that’s the process for developing understanding around a single piece of information but what do we do in the ‘understand’ stage of our risk management process?
Obviously, this is much more complex, but the underlying principle remains the same: knowledge + context = understanding. Here, understanding means getting to know the organization in detail and learning about its operating environment and context. Specifically, you will be trying to understand:
- The organization’s goals and objectives
- Its structure and individual roles and responsibilities
- What ‘normal’ looks like
- The critical processes
- Risk attitudes, tolerance and appetite
- The operating environment and likely threats
- Sensitivities and potential conflicts / road blocks
- Recent or upcoming changes to ‘normal’ and how these might affect the organization
All of these elements can be examined using the knowledge + context = understanding approach outlined above. For example, you don’t just want a copy of the organization chart (org chart) to understand the structure. You should begin with the org chart but then start to ask questions – how is that org chart reflected in reality? Are there deviations? Why does department X report to manager Y (Simon) when it looks as though it should belong to manager Z (Jill)? This helps develop a deeper understanding of the organization but also identifies other considerations that might be important later.
For example, perhaps Jill was promoted instead of the manager of department X (Tom), who refuses to report to her, so Tom now reports to Simon. (You might be surprised how often an anomaly in an organization can be explained by this kind of thing.) That explains the deviation but also suggests that 1) the org chart might change if any of these individuals move on and 2) comments from Tom about Jill might be biased.
Obviously, understanding an entire organization can be daunting and very time-consuming. However, some simple processes and tools can assist you.
Below are general suggestions that can help achieve understanding in a range of situations. We will look at activity-specific measures in the relevant sections.
First, we should define the task and set some parameters. We need a goal, key objectives and a scope, and we need to identify whatever restrictions are in place, particularly time and budget. It is worth posting a mild health warning here, as there is often a gap between what someone asks for and what they expect, particularly when it comes to consulting. Any major gaps should be narrowed down during scoping, but once a task is underway you will have to determine how to deal with these on a case-by-case basis. Sometimes a task’s scope will need to be reviewed, perhaps by allocating additional time or resources to meet the requirement. At other times, particularly as a consultant, you will have to swallow hard and go the extra mile to meet the client’s expectations. The one thing that you should avoid changing is the goal or key objective. Adjusting these mid-task will often throw the whole project off.
Alongside scoping, we need to determine the purpose of the task. We know what we are doing, say a risk assessment, but we also have to understand why. Is the assessment a regular occurrence using an existing process or is it a one-off review of a single project? Is it a post-incident review or just a ‘check-the-box’ exercise for compliance reasons? Each of these situations would fundamentally change the way the assessment is conducted and influence the time and attention the organization is willing to commit.
Review the parameters and scope to ensure the objectives are achievable. If we only have a day to review a whole organization, we can’t get into too much detail, but if we have six months to assess a single project, we can be much more specific. Either of these is a reasonable request if the objectives match the scope and if there are clear expectations of what will be delivered at the end.
Balance the amount of information needed against the amount available, otherwise you run the risk of becoming swamped. Broadly, I would say that more is better as far as information is concerned, but that statement needs refinement. To be more accurate, I would say you should have access to as much information as possible. However, be sure to use it selectively to achieve the task in the time available. You need to be able to filter efficiently and read selectively so you can pull what you need from the available information without drowning in it. Learning to speed read is of real benefit here, and you will be surprised how quickly you can get a sense of a document and its contents from a quick two-minute scan.
Finally, you need a set of simple tools to help streamline the process. For example, I have a prepared list of key documents that I send to a client before an assessment, and I use standard templates to record my findings during the document review. I also have a structured set of questions for interviews and use the same basic template for writing up both ‘quick and dirty’ assessments and long, deep-dive reviews. For any kind of comparative assessment, such as a risk assessment, develop objective grading statements beforehand to avoid being influenced by the conditions during the assessment. The most useful tool of all is a set of detailed, well-kept notes. These allow you to quickly find critical information and cross-reference observations without having to wade back through everything you have already read. Make sure you keep a copy as an immediate back-up, because you might need to refer to it months or even years later.
These suggestions overlap with the characteristics of good project management. They also help us achieve understanding by focusing our attention, clearly defining what it is we are trying to achieve and setting parameters.
Like the other WDYMB…? articles, this is a high-level overview of the subject. We have now established what we mean by understanding as a process (placing knowledge in context) and the main activities of the understand stage of the risk management cycle. The next step will be to apply these ideas to specific activities, beginning with the risk assessment itself.