May 6, 2020
A 6 Step Guide to Modernising Risk Reviews by Anthony Stevens
One small step for business, one giant leap for risk review success. It’s time to unleash the power of your teams from the palm of your hand.
In a world riddled with unknown unknowns, risk management at all levels and with all teams is critical. Whiteboards, sticky notes, boring workshops and administration are all issues of the past. The 6clicks mobile app, 6clicks Risk Review for Teams, changes everything for risk identification and risk assessment as a team. Here’s my guide to how it can easily work for your business or your team.
Step 1: Preparing For Your Risk Review
Your first ‘best foot forward’ to a successful risk review is to familiarise yourself with what a business risk actually is. While an obvious step, you would be surprised at how often this step is skipped or not concentrated on enough. This may be because it is difficult for many to ‘own’ a big call like this. But beware, in the traditional model, once the ball starts rolling it is tough to stop.
Kickstart this thought process by thinking about factors that will have a negative effect on your business in areas such as staff wellbeing, revenue, survival, ability to compete, public image, product, services, targets and financial goals. Don’t feel the need to scrutinise yourself too hard; this exercise is all about placing yourself in the right mindset.
Before you get to the next step, download 6clicks Risk Review for Teams from the Apple App Store. Then, consider a major business risk you are concerned about – this may help you to visualise or follow along as you move through the steps.
Step 2: Setup Your Risk Review
A risk review is typically completed at a point in time and with a team – perhaps the board of directors, executive team or project leadership team – so start by creating an account for your team.
Once you have created an account, you are ready to get going with creating your first risk review. It should look something like this.
Here, the first step is to define the risks relevant to your ‘universe’. This is where the 6clicks mobile app really shines. In our system, we have thousands of risks and relationships grouped into risk libraries including cybersecurity, environment and pandemics, but also targeted collections designed for startups and boards.
You can also add custom risks to your own risk library, perhaps related to something specific to your world, though I will help you with this later.
At this stage, just think about the audience and the nature of your risk review and what may be relevant for the entire team to consider. This is what we refer to as defining our risk universe – a range of risks that MAY be relevant to your review and your team. So, enable or disable the risk libraries that you feel may be relevant in this context.
If you wish, you can also add a due date to the review. Then, click on the ‘Risks for Review’ tab and hey presto – all your possible risks are ready to go.
If you are certain some of these risks are not applicable, feel free to toggle them off. But if there are any risks that you are on the fence about, no matter how improbable, keep them in anyway. These are exactly the risks we are about to sort out along with your team, and the ones that may just surprise you…
Step 3: Identifying Your Risks
Everyone who has participated in a risk review knows how painfully circular they can be, and the breathless pause in the room whilst the group waits for someone to put their hand up to identify risks relevant to your project – whether it be particular to business or a wider scope.
And now, let me show you where the real magic of 6clicks Risk Review for Teams is. With each of these risk cards, we are providing awareness and context surrounding the possible risks – you are given a short description, some common causes and potential impacts.
Just the same as you did earlier with Risk Libraries, it is a matter of determining the risk’s relevance and simply swiping right on the relevant risks or swiping left on the non-relevant risks. We also have an undo function… and ours is free 😉
I cannot stress this enough – start from your position and what you think is relevant. It must come from your perspective; your opinion matters! Then zoom out to a team perspective, then likewise for your department, then to anything else you can think of at an organisational level.
I understand this sounds simple, but it is certainly not easy. Despite risks not being the nicest thing to think about, a great deal of them may be headed your way. This is undoubtedly one of the best and worst things to realise during a risk review.
Step 4: The Wisdom of The Crowd
At this point, if you are leading the risk review process, your job is to invite the rest of your team. It’s just like any other collaborative app – click on the icon at the top right, invite your team and then wait for them to accept.
You will get notified when they’ve joined and notified when they’ve completed their tasks. What’s happening here relates to the wisdom of the crowd – getting input from across your team is a powerful tool and will help to facilitate better discussion and accelerate action.
Step 5: Risk Assessment – Likelihood then Impact
Quite often, we are told to assess the impact of each risk first. I think there is merit in going about this a different way.
It is much more prudent to begin with the likelihood. This is an easier position to begin with anyway, because more often than not, risks are identified best by those in the company closest to them. It’s also an excellent time saver when the group is looking for impact consensus later at reporting time, as some risks will either be dumped or downgraded along the way.
Here is where your and your team’s intimate subject knowledge comes into play. Combine this with what you know about your company’s ‘risk appetite’ (a calculation of the compromise your company is willing to make between risk and return) and off you go.
First, give yourself a score field to operate within for each risk (say, 1 – 5) of very unlikely, unlikely, possible, likely, very likely.
Then, take each risk and apply the controls that your company currently has in mitigating said risk. These controls can come in a tangible form (internal policies and code) or an abstract form (scenario-based simulation).
Now that you have your likelihood score, you will be able to easily go back to the sub-sections you defined in step 1 and give your own opinion on the significance (impact) of each risk: financially, operationally, publicly, etc.
You may like to repeat your score field method (again, 1 – 5) of minor, moderate, major, severe and extreme.
Then, take each risk and apply the controls that your company currently has in mitigating and (crucially) monitoring said risk. These controls may be from an insurance perspective or a procedural (e.g. crisis management) perspective.
Step 6: Review & Report
Congratulations, you and your colleagues have completed what many companies struggle with.
Not only have you identified the relevant risks to your organisation, but you have categorised them to create your library collections, identified the controls in place for mitigating each risk and given a clear indication of company-wide opinion on likelihood and impact.
What your reporting looks like is up to you (I recommend a matrix). At the click of a button, 6clicks Risk Review For Teams sends a powerful report of your team’s consensus to your team administrator.
From there, it is simply a matter of sending this powerful data to your governance team or board, to drive the company toward the best interests of all involved. That includes you!
If you want to stay alive, do not let the risk review die there. Do this periodically and whenever notable large-scale changes occur within the company, as these changes will likely adjust the company’s risk appetite.
Thank you for taking the time to read my 6 Step Guide to Innovative Risk Reviews! If you see how 6clicks Risk Review for Teams can elevate risk management practices for modern businesses, please consider sharing this article with your friends.