A minimalist risk management program.
Minimalist documentation to describe a simple risk management program. @magoo.
✒️ Organize, scope, and schedule your efforts.
Involve your leadership and sponsors. Agree on the scope of risks you want to be concerned about (Physical? Financial? Technical? Natural?). Discuss budget, partner collaboration, and urgency. Discuss preferences for any methods used to discover risk. Identify the decision makers and stakeholders who will act on findings. Start planning follow-up meetings or check-in points.
The output of this effort should allow collaboration with other teams to start with confidence.
🔍 Kick off an effort to discover risks.
Begin planning and executing efforts to discover risk. These can be interviews with internal subject matter experts. These can be brainstorming workshops with employee groups. External auditors or tool-produced reports can also contribute to risk discovery. Limit the cost and effort of discovery to a reasonable level, so that resources remain to mitigate what you find. Avoid bias from a single individual's perception of risk.
The output of this effort is an unsorted list of "scenarios": each finding from these various efforts, rewritten in a common form.
📋 Sort these scenarios based on their risk.
Once your known scenarios are documented, sort them by risk. Higher likelihood, higher impact scenarios go at the top, and low likelihood, low impact scenarios at the bottom. A sort based on leadership intuition is common, but you can improve on it with multiple participants using a cumulative point vote: each participant gets the same fixed budget of points to distribute across the scenarios, and the totals decide the order. This reduces the bias of any one person's perception and increases credibility through consensus.
The output of this effort should be a set of scenarios ordered by concern, high to low.
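The cumulative point vote described above, written out as an added example (not part of the original document). The ballots, scenario names, point budget, and tie-break rule are constructed for illustration: every participant must spend exactly the same budget, ties on points are broken by how many participants backed the scenario (broader consensus wins), and scenarios backed by a single voter are flagged, since those are the ones most exposed to one individual's perception of risk.

```python
"""Sort risk scenarios with a cumulative point vote (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: every participant distributes the same budget of points
# across the scenarios they are most concerned about. Scenario names, voters
# and point values are assumptions for this example.
BUDGET = 10
BALLOTS = {
    "ciso": {"ransomware on file servers": 5, "lost laptop with customer PII": 3, "office flood": 2},
    "sre_lead": {"ransomware on file servers": 4, "expired TLS certificate breaks checkout": 4, "office flood": 2},
    "finance": {"lost laptop with customer PII": 5, "vendor invoice fraud": 5},
}


def validate_ballot(voter, ballot, budget):
    """A ballot must spend exactly `budget` non-negative points. Without this
    check one loud participant could outweigh everyone else by handing out
    more points than the others were given."""
    if any(points < 0 for points in ballot.values()):
        raise ValueError(f"{voter}: negative points are not allowed")
    spent = sum(ballot.values())
    if spent != budget:
        raise ValueError(f"{voter}: spent {spent} of {budget} points")


def rank_scenarios(ballots, budget):
    """Return (scenario, total_points, supporter_count) tuples, highest concern first.

    Ties on total points are broken by the number of distinct participants who
    gave the scenario any points (consensus beats a single strong opinion),
    then by name so the order is stable between runs."""
    totals = defaultdict(int)
    supporters = defaultdict(int)
    for voter, ballot in ballots.items():
        validate_ballot(voter, ballot, budget)
        for scenario, points in ballot.items():
            totals[scenario] += points
            if points > 0:
                supporters[scenario] += 1
    ordered = sorted(totals, key=lambda s: (-totals[s], -supporters[s], s))
    return [(s, totals[s], supporters[s]) for s in ordered]


def single_perception(ranked):
    """Scenarios whose whole score came from one participant: worth a second
    look before they are treated as a group consensus."""
    return [scenario for scenario, _, supporters in ranked if supporters == 1]


if __name__ == "__main__":
    ranked = rank_scenarios(BALLOTS, BUDGET)
    for scenario, points, supporters in ranked:
        print(f"{points:3d} pts from {supporters} voter(s): {scenario}")
    print("backed by only one voter:", single_perception(ranked))
```

Running the sample puts "ransomware on file servers" first (9 points from two voters) and ranks "office flood" above "expired TLS certificate breaks checkout" although both total 4 points, because two participants backed the flood scenario and only one backed the certificate scenario. Changing the tie-break rule, or the budget, is the kind of decision to agree with leadership up front rather than after the vote.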
☑️ Choose OKRs that represent mitigations for these risks and pursue them.
See "better OKRs" for more information.
Once your risks are prioritized, develop OKRs for the next cycle of mitigation. These should have the greatest plausible impact on the highest priority risks. A single, well crafted OKR should mitigate multiple risks at once, so prefer OKRs that have a positive influence across many risks. Reduce focus on risk management until the cycle of work is complete, unless resources are abundant enough to run both concurrently.
The output of this effort should be a roadmap of actual impact against risks.
♻️ Start over and do it again.
Risk management is cyclical and iterative, otherwise it's a point in time assessment. Always discover new risks. You don't have to spend effort re-discovering old ones.
The "sorted" risks should be in flux, as should your OKRs. Invest in risk management at a consistent or increasing ratio that scales with the success and growth of whatever you are protecting.
Eventually aim to make this cycle of discovery, sorting, and mitigation more continuous, with ever increasing efficiency of your discovery and mitigation methods.
⁉️ This method checks the boxes, but has weaknesses.
This method is simple mainly because of its lack of measurement, which becomes its biggest problem.
- It's impossible to know if you've discovered enough risks. What is enough?
- While our intuition roughly sorts our risks, should we focus more on some than others?
- Does our risk discovery process inform an investment into mitigation? Does it estimate budget?
- Is our risk mitigation outpacing our increase in risks? Are we losing the race with every cycle?
- What if we don't have the talent to fully understand a very specialized risk?
This is not a copy/paste document. Build more personalized documentation for your own risk management program.