Risk assessment is already a vast subject and the pitfalls of risk assessment alone would probably fill a good-sized book.
Between cognitive biases, errors in processes, and poor enterprise alignment, there’s lots to get wrong!
We can’t claim to be encyclopaedic on the subject, but if you’re a risk manager, a business continuity manager or just a manager trying to avoid accidents, here are three categories of pitfalls to watch out for.
- Cognitive biases. The first one is to believe you’re a natural born risk assessor. This is highly unlikely: good risk assessors are made rather than born. Following the herd, wrongly establishing cause and effect relations, overstating risk to prove we’ve understood it (maybe), and understating risk because we don’t understand it (be honest!) are also high on the list of problems. So is a tendency to stick to known risks alone, and to leave other stones unturned – After all, who knows what unpleasant risks might be lurking beneath them?
- Process pitfalls. Having big risk decisions made by people in the wrong place in an organisation is a typical process aberration: for example, where a product manager compromises on quality assurance to get a software product released, a risk decision that should be made instead by QA and possibly security officers. More generally, the lack of an appropriate risk assessment structure and a common standard for scoring or assessing risk will also lead to confusion and bad decisions.
- Poor enterprise alignment. Lack of openness about the existence of risk and a culture of fear of being blamed for drawing attention to risks will make sound risk assessment difficult. This may be an endemic problem in an enterprise, with top management refusing to admit to or discuss the risks being run.
How should you fix or avoid these pitfalls? A risk-aware culture with the example set by C-level managers downwards is one factor, and basic risk assessment education is another.
Like taking medicine, the initial taste may be disagreeable, but the after-effects should be positive.