‘Lean’ is a buzzword in software development describing an approach where you conduct lots of short, fast experiments and iterate depending on the outcome.
‘Lean’ also conjure up images of a racehorse or athlete. Fit, powerful and ready for peak performance.
‘Lean’ can also means stripped of anything superfluous and free of frills.
Your risk assessment process needs to include elements of all of these.
Your need a lean risk assessment process.
A lean process is going to be faster to implement, should require less time to get from data collection to understanding to decision-making and allow you to react to changes more quickly.
A lean process is also efficient and requires less in the way of resources and support. A smaller team, shorter interviews, more simple collection, collation and processing of the results and faster reporting: a lean assessment has a relatively small footprint and is something you can run no matter how busy the organization is.
Moreover, it lets you run more assessments in a similar timeframe so going back to reassess the situation once mitigation is in place is much easier.
This speed lets you react quickly to become needs-led, rather than calendar-led. Instead of just conducting quarterly or annual assessments, you can quickly develop an assessment to support decision-makers for a specific project or discussion.
I’m going to return to this theme several times over the next few weeks and months as I rebuild a lot of the older material on the blog (the RMBC for any Riskademy any veterans out there). However, here are a couple of quick ideas to help adopt a lean approach to your risk assessments.
- Stay focused on the task in hand and don’t allow the project to creep into other areas. (But don’t forget to look in the corners.)
- Get comfortable with a no frills approach. Tight, lean and clutter-free reports will prioritize function over form so you will end up delivering simple written documents instead of fancy presentations. However, you are now delivering quality at speed which carries a premium.
- Don’t be afraid to take a second pass. Accept that you might find an information gap or a piece of data that seems out of context later. Leave yourself the option to follow up with interviewees and to revisit the assessment at a later date to close any gaps or correct any misconceptions.
- Standardize the macro, customize the micro. Have a standard, one-size-fits-all top-level process that can be applied in all situations. Build compatible sector- / functional- / scenario-specific tools too but ensure that all assessments use the same basic approach and methodology.
- Work in orders of magnitude. Sometimes, you may need to express a loss to the nearest dollar but for a mid-sized business, there’s no probably meaningful difference between a loss of $3,500 versus $5,100. However, being able to differentiate a $5,000 loss from a $50,000 loss is important. Use the largest units of measure you can while still giving enough detail for the decision-makers.
- Classify, don’t measure. Have a system where you are trying to prioritize risks for action, not calculate a hard value. Use ratings to differentiate between the ‘now’ problems and ‘next month’ problems which is invaluable for decision-makers.
- Rig the system. Instead of a linear system, use something that gives you an exponential output to clearly separate middle-of-the-pack risks from those that need urgent attention. This avoids spongy, messy clusters where it is difficult to differentiate between risks of different severity. (This is kind of dorky but read more about metrics here.)
- Accept uncertainty. Risk assessments are discussions of what might happen: there will always be unknowns or unexpected situations that crop up, no matter how detailed your assessment. However, with a lean approach, you can quickly incorporate a change in the situation – when an unknown becomes a known – to update the assessment and to keep it current.
This isn’t a definitive list nor a playbook for lean risk assessment system but hopefully there are a few ideas above that you can put into practice to get your risk assessment into better shape.
I’m looking forward to sharing the updated material with you over the next few weeks so join in and help make 2019 the year of the lean risk assessment.