Risk Management often devolves into a check-the-box, non-valued activity in an organization. While many organizations ensure they have the right processes in place, they still end up not protecting themselves against risk effectively. A lot of our organizations struggle to understand risk and apply this mindset in productive ways.
To improve a process, we first need to understand the value from the process. Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
The risk evaluation is the step where the knowledge base is evaluated, and a summary judgment is reached on the risks and uncertainties involved in the case under investigation. This evaluation must take the values of the decision-makers into account and a careful understanding has to be had on just what the practical burden of proof is in the particular decision.
Does Risk Management then create value for those perceived by the stakeholders? Can we apply a value stream approach and look to reduce wastes? Some common ones include:
|Waste in Risk Management||Example||Reflects|
|Defective Information||“The things that hurts you is never in a risk matrix” “You have to deliver a risk matrix, but how you got there doesn’t matter”||Missing stakeholder viewpoints, poor Risk Management process, lack of considering multiple sources of uncertainty, poor input data, lack of sharing information|
|Overproduction||“if it is just a checklist sitting somewhere, then people don’t use it, and it becomes a wasted effort”||Missing standardization, serial processing and creation of similar documents, reports are not used after creation|
|Stockpiling Information||“we’re uncertain what are the effect of the risk as this early stage, I think it would make more sense to do after”||Documented risk lay around unutilized during a project, change or operations|
|Unnecessary movement of people||“It can be time consuming walking around to get information about risk”||Lack of documentation, risks only retrievable by going around asking employees|
|Rework||“Time spend in risk identification is always little in the beginning of a project because everybody wants to start and then do the first part as quickly as possible.”||Low quality initial work, ‘tick the-box’ risk management|
|Information rot||“Risk reports are always out of date”||The documents were supposed to be updated and re-evaluated, but was not, thus becoming partially obsolete over time|
Once we understand waste in risk management we can identify when it happens and engage in improvement activities. We should do this based on the principles of decision quality and very aware of the role uncertainty applies.
- Anjum, Rani Lill, and Elena Rocca. “From Ideal to Real Risk: Philosophy of Causation Meets Risk Analysis.” Risk Analysis, vol. 39, no. 3, 19 Sept. 2018, pp. 729–740, 10.1111/risa.13187.
- Hansson, Sven Ove, and Terje Aven. “Is Risk Analysis Scientific?” Risk Analysis, vol. 34, no. 7, 11 June 2014, pp. 1173–1183, 10.1111/risa.12230
- Walker, Warren E., et al. “Deep Uncertainty.” Encyclopedia of Operations Research and Management Science, 2013, pp. 395–402, 10.1007/978-1-4419-1153-7_1140
- Willumsen, Pelle, et al. “Value Creation through Project Risk Management.” International Journal of Project Management, Feb. 2019, 10.1016/j.ijproman.2019.01.007