After my decidedly critical and somewhat negative blog a couple of weeks ago (check this link) that was sparked by the rhetoric from a risk assessment tool vendor, I thought it might nice to follow-up with a piece with a more positive orientation.

Here are 10 Do’s for Risk Assessments, taken from the extensive experience of me and my colleagues during the past decade. In no particular order and without claiming completeness:

1: Added value

If done well risk assessments will give you added value. Keeping these ten tips in mind will help. In order to achieve this added value it’s important to start in the right way. Make sure that it’s clear for the people that are going to work on the risk assessment know why we are doing this and what objective is intended to achieve. If you are going to do a risk assessment with compliance with some regulation as the goal then chances are that you will do so, but little more. Aim higher, for example to find possibilities to improve safe production and you can steer to reach that goal.

There’s also this rule of thumb that says that the earlier you start thinking and doing risk assessment in the process, the better, more effective and cheaper possible actions will be. Including an action as integral part of the design of an operation or piece of equipment is definitely to be preferred over an add-on or paste-on solution afterwards.

2: Keep it simple!

Want to involve others? Then make things as accessible as possible for them. Some regard risk assessments as something complex and difficult; well usually there’s no need for that! For most applications the method doesn’t need to be difficult. As long as you go through things systematically and with a critical mind (e.g. thinking “what if…”) you’ve achieved a lot and kept everybody on board. In fact, they have probably done the main part of the job because they often possess the real knowledge about the job to be done or the system to be designed/build.

Basic risk assessment is not difficult… We do it all the time in our everyday lives (usually rather unconsciously and most of the time more or less successfully) when crossing the street, checking if the milk smells funny or deciding what coat to wear. If you transfer these skills to a work situation and do this structured and systematically a lot is won.

3: Competence and involvement

Another thing that affects the quality of a risk assessment is involving the right people. And do get this right: it is both about involving and about the right people. Participants in your risk assessment must have the proper knowledge about the system or activity that you are going to assess. You will want, and need, those people who know about the “job-as-done” (and not so much those who deal with “the job-as-imagined”). Don’t tell the participants about their risks: involve them and have them discuss and discover themselves. In some occasions this process has even more value than the eventual product (the risk assessment report) as this discovery and discussion will lead to greater understanding among the people involved.

And of course the one leading the risk assessment process has to be competent, but more about that below.

4: Shit in = Shit out

I tend to say that this is the First Law of Quality Management. If you put the wrong stuff into a process you shouldn’t be surprised to get substandard results. Good preparation of the assessment always pays back. Make sure you have a good description of the system, activity or change that you are going to assess, and have this ready (for at least 80 to 90%) before you start. Sometimes you can do this “on the fly”, but in most occasions this will lead to a major waste of time because people will start discussing their different views on the subject and use valuable time that was actually planned for the assessment. Bad preparation then is a source of confusion and frustration that easily can be avoided.

Part of this good description is a clear scope. What is it we are going to assess, and with what objective, where are the boundaries: how far do we go and what are the interfaces at those boundaries and what is the impact of these interfaces on risk. There’s a major difference if we are going to assess the design of a piece of machinery, the very production of this machinery in our own workshop or if we are outsourcing the production to China and then transport the machinery to our factory.

Also: don’t over-eat yourself… it’s wise to keep the assessment’s scope within a manageable size. If things are too large you will probably have a hard time. Rather split up the assessment in more practical parts - as long as you remember to check the various interfaces!

5: Rich information

Remember that risk matrix is tool (and a tricky one too, which may be the subject of a future article) and not a goal in itself. Some seem to think that risk matrices are an easy way to communicate risk (e.g. by showing that “We have x Hazards in the Red Area and y in Green”). In fact this is a very superficial, weak and poor way because this ignores essential rich information like assumptions that often determine your risk. Also it doesn’t give you a clue what to do - at best it indicates an area where action is necessary.

Neither should you fall in the trap of being too brief. Yes, keep your assessment as short and concise as possible, because this will increase the chances of being read (and hopefully understood). But don’t fill an assessment form with keywords that have little meaning for people that were not involved in the assessment. And even for the people who were involved these keywords will lose meaning over time without the proper context. Rather resort to storytelling with short descriptions in prose of the scenarios, consequences, probabilities and conditions these depend upon.

6: Communicate clearly

Proper communication has everything to do with giving rich information. And make sure that you do it in a language that the decision makers (and others) understand - so try to avoid numbers that may lead to mechanical decision making or wrong conclusions and beware of jargon, abbreviations and acronyms that some readers may not relate to or even don’t understand.

Make sure to clearly discuss and communicate limitations and uncertainties with regard to the assessment including assumptions that had to be made. Assumptions are often forgotten in communication, but they are essential to the validity of the assessment because if an assumption turns to be not true, the entire assessment is suddenly built on quicksand…

Keep in mind that the Summary may be the most important part of your assessment report. Often this is the ONLY part a decision maker has time to read, so you have to make sure that all the important elements are there. 

A good summary includes at least a brief and concise description of the assessment’s scope, objective, boundaries and the most relevant assumptions and hazards, a conclusion with regard to the assessment as well as suggested/recommended actions. It’s essential that neither the summary, nor a conclusion can bring something new that is not discussed elsewhere in the report. In the past we’ve encountered regularly assessment report where out of the blue something appeared in the summary or conclusion that had no apparent relation to what was discussed in the assessment. Doing so will seriously weaken your advice.

7: It’s not all about safety

Risk assessments are often initiated from a safety point of view, but no need to look at them with this limited view. With a variety of competence gathered to do the assessment, why not use the opportunity to find good solutions across specializations and fields. While often seen as being in conflict, safety and production can and should go hand in hand. Risk assessments can be an opportunity to improve both if you keep an eye on the big picture and avoid tunnel vision on just one of the two.

8: Fresh eyes

Experience is good, but I’ve witnessed assessments where the participants had been in similar sessions many times before and went through the moves, doing what they always did. This may seem very efficient to some, but it may also very easily lead to groupthink, unfortunate conformity and that important elements are overlooked. Fresh eyes can be valuable in these cases: someone who isn’t tricked into jumping to conclusions because he or she hasn’t been through this many times before, someone who has the ability to be genuinely surprised and curious and someone who can ask the crucial critical questions.

This doesn’t only apply to participants, but also to the process leader. One must consider the advantages and disadvantages of going for an internal or external process leader. An internal leader will have the advantage of knowing people (and how to approach/deal with them) and may know of challenges, but an external process leader will have fewer problems resisting the temptation to hop over some elements that are assumed to be known.

9: Leading the process

The main weapons for the process leader or facilitator are preparation and competence, both of which we discussed above. In the case of the process leader this competence shouldn’t necessarily be about the subject of the assessment (this may help in some cases, but it also can be counterproductive e.g. as we saw above if it causes the process leader to jump to conclusions). The process leader’s competence should be about the risk assessment process and leading, coaching and facilitating this process.

During the assessment a process leader should have good improvisational skills so that he can switch between methods if necessary. He (or she) must also be able to switch between subjects and levels - a risk assessment often needs a good level of detail, and often also that helicopter view. And it’s so easy for participants to derail into pet-subjects or private agendas; the process leader must be able to draw them back on track in order to get to the wanted result: a risk assessment with added value.

10: Right tool for the right job

Finally one should ask oneself if risk assessment actually is the right tool to use for the job at hand. Thinking about risks is hardly ever a wrong thing to do, but a risk assessment isn’t some kind of magic wand that makes go away all your problems. Neither is it a good instrument for the identification of everything, like to check if routines are implemented or to see how certain activities are perceived. I’ve been in situations where I’ve suggested a manager to go and talk to some of his people instead of doing yet another risk assessment.

 Also published on Linkedin.