A well-designed risk workshop is an effective way to pinpoint, assess and devise action plans. But how can risk managers ensure that these workshops really achieve what they set out to? Sara Benwell reports.
Designing an effective risk workshop starts with good planning and defining clear objectives, says Ben Cattaneo, founder of the Decision-Making Studio and former chief risk adviser at BT.
He says that risk managers must ensure that any workshops relate to a specific decision at hand, otherwise the sessions are “pointless” and could be seen as a waste of time by participants.
Inviting the right people is also critical. Risk managers need to make sure that they involve stakeholders from various departments – finance, operations, legal and more. This ensures you get diverse viewpoints.
It often makes sense to have representation from top management to ensure alignment with organisational goals, although you do need to ensure that business leaders don’t dominate the session.
Rob Huckle, associate director QRA & risk management lead cost management, Australia and New Zealand at Turner and Townsend, says: “[A key mistake is] inviting too many people, and thus losing focus, or inviting the wrong people and not getting a fair refl ection of the risk landscape.”
Cattaneo adds: “Often, workshops suffer from those speaking the most (or the most senior) being the voices that are most heard. Senior leaders frequently poison their own decision quality by doing this, usually unknowingly.
“Often, workshops suffer from those speaking the most (or the most senior) being the voices that are most heard”
“There are so many proven techniques that can help eliminate this and reduce cognitive bias, but these are often ignored by risk professionals, who may have little training in either facilitation or decision quality.”
Danny Wong, founder and CEO of GOAT Risk Solutions, cautions that having risk owners involved is a must, as ultimately, they are the people who will take responsibility for actioning any mitigations or risk controls that are agreed. They will also have the highlevel oversight of the risks that the organisation is facing.
He explains: “One easy tip I do quite naturally as an external consultant is to position the risk owner to provide the updates. In contrast, many risk managers often fall into the trap of providing an update on all of the risks therefore reducing participant involvement and owner accountability.
“As a facilitator, I then ask the committee, and especially the chair whether they feel comfortable or confident the risk being discussed is well managed - thereby again reinforcing their role and accountability.”
TOP TECHNIQUES TO REDUCE COGNITIVE BIAS
THINK-WRITE-SHARE
Participants write down their views on index card, and then these are shared anonymously. The facilitator can get the group to vote. This way. everyone’s views are heard and the ‘best’ wins, without being coloured by who said it.
WEIGHTED ANONYMOUS FEEDBACK
Participants write down their viewpoint on something (e.g., “what is the biggest obstacle we face?”), each idea is shared anonymously and voted on, and the result is a genuine prioritisation.
THE PRE-MORTEM
This involves participants considering a disaster scenario and discussing how it may have occurred. People have permission to consider the unimaginable and this avoids the ‘that would never happen here’ dismissal.
FACILITATE NEW PERSPECTIVES
Risk managers need to design an agenda that encourages participation and creates a safe space to share concerns.
This could involve a mix of presentations, group discussions and hands-on exercises. Topics you might cover include risk identification techniques, risk assessment frameworks, and risk appetite discussions.
James Kelly, SVP treasury, risk management and insurance at Pearson, and an executive director at Airmic says: “Key to running a successful workshop is ensuring that participants face a situation that could happen to them but is different to the day-to-day risk that they face.”
“A good example for me was a disaster recovery workshop where Microsoft was down, which meant email was down, our treasury and ERP systems couldn’t be accessed, etc.
“By providing a different challenge, it forces learners to think, rather than relying on an autopilot answer.”
“So, this was a variant on the usual workshop, which assumed a physical block on access and so the answer is to work from home. By providing a different challenge, it forces learners to think, rather than relying on an autopilot answer.”
He gives another example of a cyber workshop where the group was split into two – defenders and attackers – and then reversed. He says that forcing people to act as attackers really focused their minds on vulnerabilities and was much more effective than just asking people to look out for fake emails.
Once risks have been identified, they need to be prioritised and then have tangible actions, decisions or controls set against them.
“[A key mistake is] not confirming actions or decisions. Then there’s a risk that the workshop ends up being a talk shop without tangible ways forward.”
Where possible, risk managers should use quantitative methods to identify the most important threats.
Remember, not all risks are equal, and it’s important to focus on those that could significantly impact the organisation’s objectives. Checking the list with the CEO can be a good place to start.
Wong says: “[A key mistake is] not confirming actions or decisions. Then there’s a risk that the workshop ends up being a talk shop without tangible ways forward. An easy way to overcome this is for the facilitator to confirm the outcome/ action or decision.”
He adds that it’s critical to update the risk register to include the discussion and actions at the committee or workshop, as often this is where key decisions are made. This also ensures that there is a feedback loop for those not at the meeting.
A WINNING FORMULA
Finally, the risk manager needs to continually monitor progress to ensure that actions are implemented.
Workshops are not a one-off event, and it’s important to keep momentum.
Maya Wellig, director, head of global risk management at SUNSTAR, says: “From the time we set up our risk function, we realised that in order to make risk mitigation more effective, it’s critical that management is made aware of findings and play a key role in mitigating key risks.
SUNSTAR therefore runs risk workshops regularly, with this process:
- Data gathering regarding local risks from senior management members
- A quantitative analysis of the data to determine what the biggest perceived risks are
- Discussion with the entity’s GM about which the risks can and should be addressed by their senior management team at the workshop
- A workshop (normally over two half days) to proactively discuss the top entity-specific risks and agree on concrete action items
Wellig says: “Thorough follow-up and measurement of risk size shows that on average, the risk reduction of the risks discussed is 10–20% 1.5 years after a risk workshop. This can amount to large sums of money.”
STEPS TO SUCCESS
SUNSTAR’s Wellig shares the critical success factors she employs for every risk workshop.
- Explain the background of the risk function’s activities to the management teams involved, as well as common goals (i.e., to reduce risk)
- Carefully align with the GM the topics, which will be addressed at the workshop (for example, some risks are already being worked on by an entity so there is no need for repetition)
- Clearly explain the expectations from the workshop participants (i.e., be practical, open, highly action oriented – sometimes think out of the box)
- Share with workshop participants the list of risks to be discussed upfront, to allow them to prepare
- Have a good moderator to run the workshop, time-keep and concentrate on actionability
No comments yet