How to formulate risks well for risk analysis?



  • If I have to formulate goals for a project, there's the well-established S.M.A.R.T. paradigm. It helps to have goals at the end, from which necessary actions can be easily deduced. It prevents having goals which can be interpreted differently, thus causing a lot of problems with stakeholders and sponsors.

    I wonder if there are similar paradigms for formulating risks when doing a risk analysis. I often find myself searching for risks by just mindmapping them over every topic which comes to my mind or doing that together with a team. The amount of theoretical situations and constellations posing risks is often overwhelming. Within an hour of a meeting we wrote down and counted 60 terminal nodes on a mindmap representing some sort of risk in different areas and points of view. I think we are not bad at "risk identification".

    The thing is, those "risks" found by mindmapping tend to overlap and are often formulated in a way that they describe sometimes the risk itself, sometimes the cause and sometimes a failed mitigation and mixed cases from all that.

    E.g., if I try to assess the risks of cleaning my bathroom (of course so I can skip that this week to reduce overall risk), I find a lot of opportunities where I can stumble on slippery surfaces. I can use inappropriate detergents which are corrosive to my bathtub as well as to my skin, eyes and respiratory system, and even exacerbated by inadvertently mixing them together. But if I want to break down the "inappropriate detergent", which is maybe more a cause for a risk than a risk itself, I get a lot of overlapping risks, because I can harm my skin with different chemicals but those might or might not ruin my bathtub's enamel. That's what I want to name "overlapping risks".

    I hope you get my point. I think you can't assess risks in a reliable way if you can't formulate them well. I'd like to have some kind of a touchstone to check if a risk is well formulated. Same as there is for goals.



  • You are struggling with the level of abstraction when trying to capture the risk. There is no easy format to resolve this because, and I hate to write this, it depends. The level of abstraction depends on to whom you need to escalate the risk and how you intend to treat or handle it. If the level of abstraction is too high, like driving your car can cause bad things to happen, then the question becomes, how do you handle it in terms of mitigation?

    If you take it down too low, like looking at every component of the car that can go bad and then cause some adverse event to happen in your life, then your mitigation would easily overlap.

    Your risk statements can be structured like: IF-THEN; CONDITION-CONCERN; and CONDITION-EVENT-CONSEQUENCE. These are good formats; however, they do not help your level of abstraction. Essentially, you are going to have to draft the risk you think there is, and then move to the next step to analyze it and come up with a handling strategy. I think what you will find is that, as you go through the next steps, you'll discover if you have to break the risk down and create two or more risks from the one, or you could collapse two or more risks into one as you discover they have the same mitigation strategy.

    This is the art of risk management. No easy answer but I think it gets easier if you don't overthink it and make it simple. At the end of the day, risk management is about navigating rough waters, not about how cool your risk log looks.

