Risk Management / Internal control • 8 min read

How to hold an effective risk workshop


For many people, the first experience of a risk workshop comes in the context of internal control work. When a business is documented as a whole, the issue of risk usually crops up like an unexpected and difficult guest at an otherwise pleasant event. But what should you do to get as much out of the risk workshop as possible while making it a positive process?

To help get your organization on the right track we’ve drawn up our top tips for making your risk workshop a success! 

Bring together a broad group of people

A risk workshop is a collective effort. This is why it’s a good idea to bring together a broad group of people from different teams and departments to jointly discuss different risks based on all of your different perspectives on the business. A mistake many people make is to assign the whole task of “sorting out internal control” to one individual. Another good idea is to organize groups for the risk workshop on the basis of operational responsibility:

Overall risks/External risks – Management group or board

Business-specific risks – The management group/managers’ forum

Process-specific risks – The process facilitator and a mix of managers and employees

Remember to stay focused 

For the analysis to be successful, what you are basing it on needs to be clear – addressing a jumble of widely different ideas does not bode well for a good risk analysis. Limit your focus and concentrate on the areas you have chosen for the workshop.

Ask “WHAT could go wrong?”

Doing a good job of risk identification is more than simply noting THAT something could go wrong. A common mistake is to interpret, identify and express a risk as an error that might occur, rather than attempting to describe the causes of the error.

Identify the causes

Instead, try to identify the causes of WHAT could go wrong – that way you decrease the chances of the error being repeated, while building the foundation for excellent ongoing risk control!

Focus on the fact THAT something could go wrong

“There is a risk that errors can appear in the accounting statements.”

Focus on WHAT could go wrong

“Payments are made for unauthorized goods or services to fraudulent suppliers.”  

This way you have given a more precise description of the risk and the whole organization has a better idea of how the risk can be managed. 

Distinguish between risks and problems 

One issue that often arises is the difficulty of distinguishing between risks and problems. This can result in the risk workshop becoming unfocused and distorted, but one good rule of thumb for distinguishing the two is:

Problems are things we already know about that have to be dealt with today.

Risks are uncertainties and potential problems that may need to be managed in the future.

If problems are still brought up during the risk workshop you can document them in a separate file and let the management group handle them as part of their regular work.

Hire a committed external moderator

Using a moderator gives the whole group a better overview and you avoid the classic trap of decisions being made by the person in the room with the biggest salary. The moderator is responsible for facilitating the risk workshop and documenting the results, but they do not have to be knowledgeable about the business. Detailed knowledge of the business and its risks is the participants’ responsibility; however, the moderator is welcome to question and challenge the participants!

The moderator documents the risks and their assessment (Probability and Consequence) on a whiteboard or, even better, directly in a dedicated system. If complicated discussions arise that could potentially take up a lot of the workshop’s time, the moderator can park those discussions and deal with them on a separate occasion.

Remember – the result should always be two lists! 

The final result of a risk workshop should always be two separate lists. Every risk identified during the workshop should be assigned a priority and placed on one of them:

One list of risks that have to be managed


One list of risks that can be accepted (which are easy to forget)

It’s important to remember that risk analysis is a prioritization exercise used to establish which issues are most important to focus on. It can therefore be a smart idea to evaluate the risks in relation to other risks during the exercise. 

But naturally the work doesn’t end there. What’s most important is how you proceed and manage the risks in your business, primarily through ongoing controls embedded in processes or through clear improvement measures.  

Tip!  Appoint someone responsible for each prioritized risk who will determine how you proceed.

Finally – Don’t forget the whole point of risk analysis

Ultimately a risk workshop is a prioritization exercise to determine which issues are most important to your business. It’s not enough to make a note of everything that could go wrong – at the end of the day, the business needs to establish a clear plan for how internal control will be strengthened and who is responsible for implementation.

No organization, except perhaps for Apple, has infinite resources, so you will have to accept many risks, which is absolutely fine.

And finally...
Better a small number of realistic improvements than a long list of wishes that never materialize!

