Key message: Failure to get the context right sets up a failure for the risk assessment process.
I feel that as part of the risk management process this is the one step that is often overlooked either deliberately or mistakenly. By mistakenly it may also mean those who are going to complete the risk assessment do not see this process as adding any value. Those with that thinking are making the biggest mistake of their professional lives. At times I can understand why they may mistakenly miss this step as many individuals are asked to undertake a risk assessment for a project/ decision/activity. If you look in the standards (old and new) the process steps within the risk assessment start with the risk identification and finish with the evaluation. However, the risk management process steps commence with Establish the Context.
There is also a tendency for risk assessors and teams to jump straight in and start completing a risk register, in order to complete their risk assessment task. This leads them to start identifying risk events without completing the Establish Context step. Additionally, my research has found that most risk registers do not have any space to record the data developed during the Establish Context step but maybe recorded in a Risk Management Plan at the end of the Risk Treatment step.
The Context step is valuable as I have found that, if treated with the respect it is due, it can add significant value to the subsequent risk assessment. I would go as far as to say without it the risk assessment itself has no validity. I liken the overlooking of this context step as equivalent to implementing a project without any sort of planning. In the project world it has been stated that “a failure to plan means you plan to fail”.
Not what I would call reassuring when you are seeking to use risk management as a mechanism to predict events that could both have a negative and/or positive impact on the project/activity/decision.
Completing the Context step, in my view, has a number of advantages including:
· It provides the risk assessor/team with the necessary starting data of the project/activity/decision including objective, scope, targets, constraints and assumptions. Thus enabling the risk assessment team to clarify the internal and external environments in which the risk assessment will be completed and the factors that will impact upon the risk assessment.
· It enables the risk assessment team to undertake an initial stakeholder analysis. Stakeholders can be a significant source or several risk events.
· It assists the team to construct a robust Risk Breakdown Structure (RBS) – the start point for any risk identification process. The creation of an RBS will be the topic of a later article. However, suffice to say at this stage that it looks very similar to an organisational structure where a hierarchy is depicted. In the RBS case. The top level refers to broad “areas” of risk which are then broken down into more specific “categories” of risk.
· The final advantage is that it provides an opportunity to the risk assessment team to evaluate/review/develop risk criteria tables.
These tables will be used in the subsequent risk assessment but it will be too late to develop/review/change the tables once the initial risk assessment has commenced. Tables can change but should be established and agreed upfront. These tables including what they are used for, and how they help define risk appetite, will be covered in a later article.
I encourage risk practitioners to gain a better understanding of the Establish Context step to ensure valid risk assessments are completed.