Read on if you expect to lead or attend a meeting to discuss risks and what
to do about them. This does not apply if the meeting is to discuss in detail
some risks that have already been defined and analysed.
The ideas here are to help you with important things like getting the meeting
finished on time, not wallowing in worries, coping with politics, and still
getting useful results. This is not general advice about running meetings.
Meetings to talk about risks and what to do about them have special
characteristics, so this guide explains them and what you can do about them.
What to expect
Meetings to talk about risks and what to do about them are usually done
according to some procedure laid down by your organization and the idea is to
fill in some forms including, usually, one called a risk register. Your
organization's procedures may tell you how to conduct a risk management meeting,
but the instructions are probably about how to fill in the form and what the
theoretical process of analysis is imagined to be. What you really need to
understand is how people typically behave in these meetings, so it won't
be a shock when it happens to you.
Risk management meetings typically have three characteristics that account for most of the behaviour found in them:
They are unfamiliar to most people.
The content is often about bad things that might happen and tends to stir up feelings and politics.
The paperwork process and formal procedures laid down by your organization or a regulator can make things worse instead of better.
Here's what to expect when a group tries one of these meetings for the first time:
Ask for risks and people will tell you what is wrong now.
Technically, these contributions are not risks because they are not in the
future and there's no uncertainty; they are problems now. The same thing happens
when you ask for opportunities. Instead of talking about helpful things that
might happen unexpectedly in future people will talk about opportunities that
exist now, quite possibly things they've suggested before but still think should
All the ‘risks’ will be bad things. Again, technically this is not
right, at least according to most official standards and guides on how to manage
risk. Nevertheless, most people associate the word ‘risk’ with bad things that
might happen and naturally assume you want to know only the downside.
Ongoing battles will play a powerful role in controlling the
conversation. One of the benefits of risk management meetings is that they
can create a relatively safe environment in which people can air their worries.
Often it is less senior people at the meeting who are raising current issues in
front of their more senior colleagues. There may also be inter-departmental
disagreements driving the conversation. Whatever the reason, the main players
will try to control the ‘message’ sent upwards by the points that get recorded
on the risk register or whatever forms have to be filled in.
Good ideas for dealing with risk and uncertainty will not flow
freely. Unless at least one of the participants is unusually creative and
skilled the participants will probably find it a lot easier to talk about what
is wrong and why nothing can be done than to think of worthwhile things they can
If you try to be rigorous about risks it's easy to write a very long
list of them. Some techniques demand that every risk has a trigger event, a
consequence, and an implication of that consequence. Three-step causal chains
like this quickly give you an endless supply of risks and you could easily write
them all day. Other techniques are less likely to give an endless list of risks
but this is still a danger.
People will not be open about risks and uncertainty even if they feel
the meeting is safe. There are lots of reasons why we don't mention risks we
have in mind. For example, doing so might be taken as a criticism of a feared
person or department. You might keep quiet about something that's hard to manage
because you know you would be assigned as ‘owner’ of the risk. Sometimes a
senior person has subtly but unmistakeably made it clear that they do not want
to know about certain risks. Their motive for this may be that they feel they are
less liable if they haven't been told of something than if they have been told
but nevertheless did nothing. This is just a small sample of the reasons for
suppression of uncertainty!
People with different backgrounds tend to have different
fixations. Certain professions have a perspective on risk that is all their
own. Certain risks they will regard as very important and it could be that one
or two people suggest a lot of risks in a particular area just because they know
a lot about it.
The ‘risks’ suggested may be a jumble. The things we call ‘risks’
are not like physical objects, able to define themselves. Two people will rarely
see the same ‘risks’ in the same situation. What happens in your meeting depends
in part on the procedure defined for it, but also reflects your influence in
ordering the various ideas that people put forward, each coming from a different
way of seeing the world.
By now you're probably thinking ‘AAAAAAAAARGH! I don't want to have anything
to do with one of these meetings.’ Fortunately, over time the meetings improve
and there are things you can do right from the start to get through to a good
result. Best of all, people normally say risk management meetings are worthwhile
and want to do more, almost regardless of the technical quality of the
conversations. It is so rare that people are given a chance to air their
concerns or encouraged to take their blinkers off for just a few hours.
How to succeed
Hold on to the thought that most people like risk management meetings (at first anyway). Stay
positive and enthusiastic throughout the meeting to set the tone for everyone
else. Conversations about risks and what to do about them can be encouraged to
flow along productive lines. Here are some suggestions:
Always ‘define’; never ‘identify’. The things that go on risk
registers and that most people call ‘risks’ are really sets of elementary outcomes (or risks if you prefer). Consider
something very specific sounding like ‘Contravention of the Copyright, Designs
& Patents Act leading to prosecution and/or adverse publicity resulting in
loss of public confidence in the company.’ Even this is a set of elementary outcomes because
of the many different ways you could contravene the Act, and the different
extents of impact contraventions might have.
So, instead of talking about ‘identifying risks’ say instead ‘defining sets
of risks’ or ‘defining areas of uncertainty.’ Encourage people to be clear about
what is included in each one and if you are writing down the risks make
sure your wording is clear. When someone suggests a current problem is a ‘risk’
do not bother to correct them, but instead interpret their suggestion as being
‘the set of risks flowing from our current problem.’
I particularly like and recommend the phrase ‘area of uncertainty’ because it
is familiar, reduces the tendency to think too narrowly, increases the tendency
to think about how to find out more, and does not trigger people to think only
of the downside.
Don't drive for detail early on. Because you are really talking
about sets of risks you have choices about what sets of risks you define. A good
game plan is to start by defining some big sets and then sub-divide where people
feel more detail is worthwhile. In practice you won't have enough control to
make that happen in the ideal way but you can get most of the benefit by just
letting people bring up big areas of worry and not pressing them immediately to
cut them up into more specific areas.
Once you start to unpack an area you have choices about how. One good
technique is to follow causal links. You could ask ‘What could cause this?’ or
‘What could this lead to?’ Analysis in either direction will help people think
of management actions.
Trust your intelligence, not the process. Some corporate risk
management processes have impressively detailed forms with carefully defined
jargon and cunning rating and ranking systems. They seem almost scientific.
Almost, but not quite. In reality nearly all of these are technically flawed and
too far from the way people naturally think. The discipline of a sensible agenda
helps you keep control but if you push people to follow the procedure to the
letter the meeting could become less effective, not more.
Instead, think in advance about what the discussion is likely to centre on.
Think about the various ways the conversation might develop and be ready. Take
advantage of the fact that the risk areas people mention first and talk about
the longest tend to be the most important. You could list 50 risks, rate and
rank them, then work more on the highest rated ones but you will probably find
you get to the same things more quickly by just going with what people mention
Have a strategy for a hierarchical break down of the risk sets, but be prepared to be
flexible. As part of your preparation, think about how you might be able to
organise the risk sets as the meeting progresses. The key point is that you have
choices and, while there's no right answer on how to break down the risks, some
alternatives will be better than others.
If your organization's procedures and forms lay down the risk sets you have
at least part of the answer you need. What you still have to think about is how
to relate each suggestion to one or more of the prescribed risk sets and,
possibly, how to break down the prescribed sets into smaller risk sets where
that is worthwhile. For example, a participant might say ‘I think we've got a
really big risk around e-business.’ Somehow you have to develop this vague
platitude into one or more worthwhile risk sets that flesh out the overall
scheme. Perhaps the scheme established earlier in the meeting is to split risks
related to contracts and transactions with other parties from risks related to
your internal infrastructure. You will have to split the ‘e-business’ risk set
between its customer and supplier related risks and its
technological/infrastructure related risks, ask the proposer if this is ok, and
get some more details about what precisely the proposer had in mind.
If your organization's procedures do not lay down the risk sets you have more
flexibility but it can be harder to arrive at something orderly in the meeting.
Consider alternatives before you start and have a game plan that's flexible. You
might divide the risks first on the basis of organizational unit (because risk
sets usually need to be assigned an owner and this cut makes it easier), then by
association with different operational processes (if that is relevant to your
meeting), and then by type of effect, and then by cause. That's just one of many
possibilities. It's quite likely that you will not have time in the meeting to
go down to a level of detail where all the splits you have considered are
needed. It may be that you use different methods to break down different
branches. It may be that you make up your mind about which way to go during the
Sometimes people remain inward looking and all their risks are about
internally arising failures. Take action to make sure external sources of risks
are considered for at least half the time. External sources are more likely to
be a surprise and need more attention.
Develop the risk responses in parallel with the risk sets.
Official guides to risk management tend to describe a strictly linear pattern of
thinking. First you define your objectives. Only then can you define your risks.
And only when you have defined all your risks can you analyse their
characteristics. And so on. Does that sound like human thinking to you? Of
The way people think about potential events and current problems is much more
interlinked than this linear idea suggests. If they've just thought of a risk
set they will want to talk about it, including its characteristics, actions they
think will not help, and perhaps actions they think will work. Other people will
want to respond immediately. Don't stop their flow. You need people contributing
connected trains of thought, not just disembodied words thrown in to fill out a
In particular, make sure you write down important risk management actions as
soon as they arise - even if that is before all the risk sets they relate to
have been defined. This can speed up the meeting dramatically. Why break down a
load of risk sets when they're all addressed by a single, powerful action that
has already been agreed? Feel free to let emerging action plans influence the
risk sets that are defined, just make sure people try to think of risks that
would defeat the actions!
Agree a ‘next action’ for everything, even if you don't yet know how
to manage the risk set adequately. Sometimes there isn't time to work out a
satisfactory way to manage every risk set. Perhaps there's more research to do,
or necessary information will be available later, or the team is just plain
stumped. There is no point pressing people to agree risk management actions with
dates and owners unless the actions are ones they believe will work. Instead of
forcing people to agree to things that are half baked, accept any action that
will continue progress with the risk set, including agreements to discuss
certain points again, or get someone to make some detailed proposals. Write
these down as action points and assign owners and dates as usual.
This is not failure. Risk management for any kind of ongoing venture will
need to be ongoing and that implies agreeing to do more risk management at each
stage. The first time a risk management meeting is held for a venture several of
the action points should be to do more risk management later.
Help people think of risk responses/controls. Since this is the
bit people find hardest anything you can do to make it easier is likely to be
welcomed. Here are some suggestions:
Ask if there's any way to find out more about the risk set, or any
particular things that could be monitored. People tend to overlook this point
even though it is often the most important.
Ask other questions that are suggesting a type of response, e.g. ‘Is
there any way we could detect breakdowns here more quickly?’
Include someone in the meeting who is very good at suggesting management
If you know someone has ideas or relevant experience of a similar
situation elsewhere, ask them to speak.
Circulate a document beforehand that discusses risk responses commonly
applicable to the area you will discuss in your meeting.
Start with a straw man of proposed actions and have it debated and
amended. (You don't need to know much about the risks to do this.)
Encourage participants to prepare beforehand by considering the items
that might come up and thinking about what could be done to manage them. Ask
them to help make the meeting a success. At least some people will take the
opportunity to be a hero.
Push people to be more open minded about future possibilities.
There's ample evidence that people typically have an overly narrow view of what
might happen in the future. We tend to think we can predict and control events
much better than in fact we can. Psychologists have spent a lot of time looking
for ways to get people to be more realistic about the future. Here are two ideas
you can sometimes use:
If you think people are discounting a possibility too easily say ‘OK, so
you don't think this is likely. But supposing at some time in the future you
heard that in fact it had happened, how might that have come about?’ Once people have
told a story of how something might happen they tend to regard it as more
If you are asking people for number ranges try dividing them into groups
of 3 or 4. For example, suppose you want estimates of high and low sales volume
for next month such that respondents are 80% sure the actual result will be
within the range. Ask an individual for estimates and they are likely to be too
narrow. Instead, ask 3 or 4 people to make estimates (without consulting) and
then take the highest high estimate from the group and the lowest low estimate.
This is usually a better estimate of the true range than any
Concentrate on uncertainty. The key to success is getting people
to be more aware of their uncertainties and come up with actions that address
them. Believe it or not it is quite possible to go through a risk management
process that reinforces the illusion that we know everything about the future
and we are in control! Don't let that happen to you.
Two dangerous syndromes to watch out for
The ‘everything is about risk’ ploy
Sometimes people hit upon a wheeze that enables them to have a risk
management meeting easily without coming up with any new ideas. They realise
that almost anything can be expressed as if it is a response to some risk and
start going through all the things they are already planning to do or wish the
organization would do, justifying them using this trick. For example, suppose we
think it would be a good thing to increase customer satisfaction. We write:
OBJECTIVE: Increase customer satisfaction.
RISK: Failure to increase customer satisfaction.
RESPONSE: Customer Satisfaction Programme (i.e. the one we're already doing/planning) to increase customer satisfaction.
I hope you can see without me spelling it out that this is a useless sham.
This example is paraphrased from the top level risk register of a leading
company listed in the UK, and the other 9 risks in their top 10 were written in
the same way.
(Rather than fill the risk register with actions that add nothing new, it
would be much more useful to start from the fact that the Customer Satisfaction
Programme is on the plan and think about what uncertainties affect its outcome,
perhaps changing the programme to make feedback more rapid, include more
research, make the programme more flexible, and generally make it more
We need to be able to spot the ‘everything is about risk’ dodge when it
happens, and stop it. It's easy to spot the trick when the wording of the risk
set and response makes it blatant by using the form:
RISK: We fail to do X.
RESPONSE: Do X.
It's harder to spot when people disguise the RESPONSE part with things like
‘Make a plan to do X’, ‘Allocate adequate resources to do X’, ‘A programme to do
X’ or ‘Ensure that X is done.’
Another way to spot the trick is by considering whether the action would be
needed in a world without uncertainty. For example, suppose you are talking
about risks on a project and someone suggests ‘training users to use the new
software’ as a risk response. If the project was carried out in a very stable
and predictable environment, in a world where all our forecasts and plans proved
to be correct, would we still need to train users to use the new software? Yes.
So this training is not a risk response. We would have to do it even in a world
without risk. Would we still have to make a plan to do training? Yes. Would we
still need to allocate adequate resources to do training? Yes.
In contrast, but still in a world without uncertainty, would we need to do
early trials of the training materials to find out how long training really
takes? No! Would we need to test users' knowledge in some way to check that the
training has been successful? No! These are actions that our uncertain world
makes necessary so they are proper risk responses.
The earlier example of a Customer Satisfaction Programme is yet another way
to avoid doing real risk management. The basis of the trick is that a reader
cannot state definitely that the item is a sham because there might be
some risk managing actions within the programme. In this case I suggest being
skeptical. An honest attempt at risk management would read very differently.
Death by prioritization and analysis
Another dangerous syndrome to watch out for usually happens when people feel
they are short of time and resources, though it can also be the by-product of
the procedure and forms used. Stressed and under pressure our vision tends to
narrow. We start asking questions like ‘What are the really key things we
must do?’ Good ideas for managing risk that seemed important earlier now seem
like luxuries we don't really need, which some of them may be. Encouraged by
buzz phrases like ‘80:20 rule’, ‘prioritize’, ‘focus’, and ‘critical success
factors’ we eliminate things from task lists. We declare risks to be ‘within our
This kind of tunnel vision is a route to disaster.
The trouble is that although each of the many things we exclude from
consideration is individually insignificant, collectively they are anything but.
For example, if you exclude 20 things that each have an independent probability
of occurrence of just 2% this is the same as excluding one thing that has a
probability of occurrence of about 33% (1 - 0.98^20 = 0.33). In other words, a third of the time at least
one of those 20 very unlikely things will happen. We also tend to evaluate the
impact of risks as if nothing else unexpected happens.
The importance of a risk set depends in part on how aggregated it is. By the
dangerous logic of prioritization a risk set that is big and important can be
split into a collection of smaller sub-sets that are each small and not worthy
Another factor is that the systematic feel of many corporate risk management
processes creates the illusion that we really can identify all the possible
things that might happen, and know in some sense what their probabilities are.
As this illusion takes hold the fog that actually clouds the future is ignored
and we begin to make plans as if what we have written down are the only
things that can happen.
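The arithmetic behind the last few paragraphs can be checked with a short script. This is an added example, not part of the original article: the risk register, its names and its probabilities are constructed for illustration, and the risk sets are assumed to be independent, as in the ‘20 things at 2%’ calculation above. It shows what a simple per-item appetite line quietly discards in aggregate, and how splitting one big risk set into small sub-sets pushes every piece below the line without changing the exposure at all.

```python
"""Aggregation check for a risk register (added example, not from the article).

The register below is constructed for illustration and the probabilities are
assumed independent, as in the article's "20 things at 2%" arithmetic.
"""
from math import prod


def prob_at_least_one(probabilities):
    """Probability that at least one of several independent events occurs."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def apply_appetite_line(register, threshold):
    """Apply a simple per-item 'appetite' threshold, the pattern the article
    warns about: each risk set is kept or dropped on its own probability.

    register: {name: probability of occurrence within the period}
    Returns (kept, discarded) dicts."""
    kept = {n: p for n, p in register.items() if p >= threshold}
    discarded = {n: p for n, p in register.items() if p < threshold}
    return kept, discarded


def discarded_exposure(register, threshold):
    """Aggregate probability that at least one *discarded* risk set occurs,
    i.e. what the threshold sweeps under the carpet."""
    _, discarded = apply_appetite_line(register, threshold)
    return prob_at_least_one(discarded.values())


def split_risk_set(name, probability, parts):
    """Split one risk set into `parts` equally likely independent sub-sets
    whose aggregate probability equals the original. Nothing about the
    underlying uncertainty changes, only the granularity of the register."""
    q = 1.0 - (1.0 - probability) ** (1.0 / parts)
    return {f"{name} (part {i + 1})": q for i in range(parts)}


# Constructed register: two obviously big sets and twenty individually
# "trivial" ones, each 2% likely. Names and figures are hypothetical.
REGISTER = {"key supplier fails": 0.30, "data centre loses power": 0.10}
REGISTER.update({f"minor operational failure {i + 1}": 0.02 for i in range(20)})

APPETITE = 0.05  # per-item threshold below which a set is "not significant"

if __name__ == "__main__":
    kept, discarded = apply_appetite_line(REGISTER, APPETITE)
    print(f"kept {len(kept)} sets, discarded {len(discarded)} sets")
    print("P(at least one discarded set occurs) = "
          f"{discarded_exposure(REGISTER, APPETITE):.3f}")

    # The prioritisation dodge: split the 30% set into 15 pieces, each of which
    # now falls below the appetite line, while the exposure is unchanged.
    pieces = split_risk_set("key supplier fails", 0.30, 15)
    kept_pieces, _ = apply_appetite_line(pieces, APPETITE)
    print(f"after splitting: {len(kept_pieces)} of {len(pieces)} pieces kept, "
          f"aggregate still {prob_at_least_one(pieces.values()):.3f}")
```

Run as a script it reports that the twenty ‘trivial’ sets together carry about a 33% chance that at least one of them happens, and that the 30% set, once cut into fifteen pieces of about 2.4% each, is kept by the appetite line in zero of its pieces. The useful check in a real meeting is the second function: before agreeing to drop anything, ask what the discarded sets add up to.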
Mistakenly discarding risk sets can happen accidentally even when there is no
pressure if the technical procedure and forms used in your organization
encourage it. The danger signs are:
The procedure confuses risks with risk sets, talks about
‘identifying’ risks rather than defining them, and generally proceeds as if
risks are physical objects with their own clearly defined boundaries that
everyone will see in the same way. With this theory there is no awareness of
aggregation or the value of controlling it.
The procedure encourages very narrow risk sets right from the
start. This is especially true where everything has to have a cause and
effect. Long causal chains lead to long lists of little risk sets.
A simple risk ‘appetite’ line divides the significant risk sets
(those that require action) from those that are not significant. (It does not
matter if this is inherent or residual risk. The point is that a simple
threshold is used.)
Under these circumstances the level of aggregation of risk sets is not controlled and anything can happen.
As meeting leader you need to realise when there is a risk of this happening
and have a plan to deal with it. Explain the danger. Suggest aggregating the
‘smaller’ risks and managing them with lightweight actions where possible. Make
sure the risks of doing nothing are reported. Do not allow pressure or blind
adherence to flawed technique to sweep uncertainty under the carpet.
Summary by role
Prepare carefully to anticipate the contents, the politics, and likely breakdowns of risk.
Concentrate on getting people to talk more about uncertainty.
Make a special effort to help people think of good risk responses.
Define areas of uncertainty; don't ‘identify risks.’ Watch out for risk management theory that doesn't work.
Be careful to write risk set definitions clearly and precisely.
Be ready for the conversation to jump around and expect to have to write the notes up neatly later and clarify the structure when you do.
Concentrate on uncertainty. Don't just make up sentences with the word ‘risk’ in them to say the same things you usually say in meetings.
Think carefully beforehand about responses to uncertainties likely to come up in the meeting.
Let the chairperson be in control.
Reading the advice above I find myself depressed by the odds against a
truly successful first meeting. But be bold and persistent. Over time a group
can become very skillful and productive.