There is a tendency for people to want to rush to the exciting stuff. To get their hands dirty with extreme event scenarios and risk assessments. That is a mistake.
It is important to pack your bags for the long trip - to lean your ladder up against the right wall - to start with an awareness of issues which might ambush "the end in mind". These phrases apply to any systematic risk management process - where an initial emphasis should be on scoping context. If not, believe me, it will unravel later.
So with many "burn and learn" examples over many years, may I suggest the following three key considerations:
So with many "burn and learn" examples over many years, may I suggest the following three key considerations:
1. Develop a project plan to establish the risk management context which includes:
a. the aims and objectives for the establishment of context;
b. a matrix of stakeholders against their roles and responsibilities; and
c. a budgeted and scheduled plan for anticipated research and consultation.
2. Profile the entity for which “context” is being established (e.g. the structure of the organisation; or the demographics of a community) by mapping key networks including:
a. relationships between people and organisations to identify and evaluate existing networks; and
b. other network relationships that do not exist, but which might add value should they be developed and established through negotiation, consultation and marketing strategies to gain trust cooperation and support.
3. Apply strategies to seek and obtain stakeholders’ co-operation and ownership of the risk management context including:
a. establish and coordinate open communication structures among the networks mapped;
b. consult with stakeholders to map their issues and needs across the following aspects or “spaces” - social, legal, technical, political, environmental, and financial; and
 |
| Establishing risk appetite early is fundamental |
c. identify criteria and thresholds for “acceptable risk” across the aspects or “spaces” identified with stakeholders; and document the level of agreement and divergence between stakeholders regarding risk criteria to be applied. Two sets of criteria should be addressed. Risk assessment criteria – that is, “what do we care about - and how much do we care”; and what are agreed risk treatment selection criteria to be applied.
