Minimalist documentation to describe a simple risk management program. @magoo.
Involve your leadership and sponsors. Agree on the scope of risks you want to be concerned about (physical? financial? technical? natural?). Discuss budget, partner collaboration, and urgency. Discuss preferences for the methods used to discover risk. Identify the decision makers and stakeholders who will act on findings.
The output of this effort should allow collaboration with other teams to start with confidence.
Begin planning and executing efforts to discover risk. Balance your resources so your discovery efforts don't take away from mitigation.
- 🗣 Interviews
- 🤔 Scenarios
- 💼 External Auditors
- ⚒️ Tool assisted audits
- 🗺 Infrastructure diagrams
The output of this effort is an unsorted list of "scenarios" translated from these various efforts.
Once your known scenarios are documented, sort them by risk: higher likelihood, higher impact risks at the top, and low likelihood, low impact risks at the bottom. A sort based on leadership intuition is common, but you can improve on it by having multiple participants vote with a cumulative point system, which reduces individual bias and increases credibility through consensus.
The output of this effort should be a set of scenarios ordered by concern, high to low.
Once your risks are prioritized, develop OKRs for the next cycle of mitigation. These should have the greatest intuitive impact on the highest priority risks possible. A single, well crafted OKR should mitigate multiple risks at once, so prefer OKRs that have a positive influence across many risks. Reduce focus on risk management until the cycle of work is complete, unless resources are abundant enough to operate concurrently.
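The sorting and OKR selection steps above can be made mechanical. The script below is an added example, not part of the original document or of any program @magoo describes: each participant spends a fixed budget of points across the scenarios (cumulative voting), the totals produce the concern-ordered list, and candidate OKRs are then scored by the total concern of the scenarios they address. The scenarios, votes, OKRs and the point budget are all constructed for illustration.

```python
"""Cumulative-vote risk sort and OKR coverage scoring (added example, constructed data)."""
from collections import defaultdict

# Constructed: every participant must spend exactly this many points.
POINT_BUDGET = 10

# Constructed scenarios, as they might come out of interviews and audits.
SCENARIOS = {
    "S1": "Stolen laptop holding unencrypted customer exports",
    "S2": "Phishing leads to employee credential theft",
    "S3": "Misconfigured cloud storage bucket exposes backups",
    "S4": "Vendor with shared credentials is breached",
    "S5": "Flooding takes the office offline for a week",
}

# Constructed votes: participant -> {scenario id: points}; omitted scenarios get 0.
VOTES = {
    "alice": {"S1": 3, "S2": 4, "S3": 2, "S4": 1},
    "bob":   {"S1": 2, "S2": 3, "S3": 4, "S4": 1},
    "carol": {"S1": 1, "S2": 5, "S3": 2, "S4": 2},
}

# Constructed candidate OKRs -> the scenario ids each one would mitigate.
OKRS = {
    "Phishing-resistant MFA (FIDO2) on every login, including vendor portals": {"S2", "S4"},
    "Continuous cloud configuration scanning with least-privilege IAM": {"S3", "S4"},
    "Full-disk encryption and remote wipe on all laptops": {"S1"},
}


def validate_votes(votes, scenarios, budget):
    """Reject ballots that overspend, underspend, or name unknown scenarios.
    Enforcing the budget is what stops one loud voice from dominating the sort."""
    for person, ballot in votes.items():
        unknown = set(ballot) - set(scenarios)
        if unknown:
            raise ValueError(f"{person} voted on unknown scenarios: {sorted(unknown)}")
        if any(p < 0 for p in ballot.values()):
            raise ValueError(f"{person} cast negative points")
        spent = sum(ballot.values())
        if spent != budget:
            raise ValueError(f"{person} spent {spent} points, budget is {budget}")


def rank_scenarios(votes, scenarios, budget=POINT_BUDGET):
    """Return [(scenario id, total points)] sorted high to low; ties broken by id."""
    validate_votes(votes, scenarios, budget)
    totals = defaultdict(int)
    for ballot in votes.values():
        for sid, points in ballot.items():
            totals[sid] += points
    # Scenarios nobody voted for still appear, at the bottom, so they are not lost.
    return sorted(((sid, totals[sid]) for sid in scenarios),
                  key=lambda item: (-item[1], item[0]))


def score_okrs(okrs, ranking):
    """Score each OKR by the summed concern of the scenarios it mitigates, high to low."""
    points = dict(ranking)
    scored = []
    for name, covered in okrs.items():
        unknown = covered - set(points)
        if unknown:
            raise ValueError(f"OKR {name!r} references unknown scenarios: {sorted(unknown)}")
        scored.append((name, sum(points[sid] for sid in covered), len(covered)))
    return sorted(scored, key=lambda item: (-item[1], -item[2], item[0]))


if __name__ == "__main__":
    ranking = rank_scenarios(VOTES, SCENARIOS)
    print("Scenarios by concern:")
    for sid, total in ranking:
        print(f"  {total:3d}  {sid}  {SCENARIOS[sid]}")
    print("Candidate OKRs by concern covered:")
    for name, total, n in score_okrs(OKRS, ranking):
        print(f"  {total:3d}  ({n} scenarios)  {name}")
```

The OKR score is deliberately the plain sum of the points of the scenarios it touches, which is the document's "positive influence across many risks" made explicit; it does not model partial mitigation or the cost of the OKR, both of which the measurement caveats at the end of this page apply to.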
The output of this effort should be a roadmap of actual impact against risks.
Risk management is cyclical and iterative; otherwise it's a point-in-time assessment. Always discover new risks. You don't have to spend effort re-discovering old ones.
The "sorted" risks should be in flux, as should your OKRs. Invest in risk management at a consistent or increasing ratio that scales with the success and growth of whatever you are protecting.
Eventually aim to make this cycle of discovery, sorting, and mitigation more continuous, with ever increasing efficiency of your discovery and mitigation methods.
This method is simple mainly because of its lack of measurement, which becomes its biggest problem.
- It's impossible to know if you've discovered enough risks. What is enough?
- While our intuition roughly sorts our risks, should we focus more on some than on others?
- Does our risk discovery process inform an investment into mitigation? Does it estimate budget?
- Is our risk mitigation outpacing our increase in risks? Are we losing the race with every cycle?
- What if we don't have the talent to fully understand a very specialized risk?
This is not a copy/paste document. Build more personalized documentation for your own risk management program.