The following are agendas for risk management meetings that follow the methodology written here, or the topics to discuss in asynchronous communication.
Participants: Whoever asked for Risk Management to exist. Alternatively, whoever will sponsor the influence the program may have on the business.
The goal is to get everyone on the same page on many different subjects and to make "Risk Management" a less ambiguous term.
- Where should we focus our efforts?
- Do we have opinions about "discovery" methods? (Audits, interviews, tools, external / internal consultants, etc.)
- A conversation about budget.
- How can we guarantee effective collaboration?
- I.e., what introductions to outside teams must happen?
- Who are our "champions"?
- How quickly do results need to come back?
- How should risk management be prioritized over other parts of the business?
- What "check in" cadence makes sense?
A team should feel confident in discussing and planning risk activities in their next meeting. They should not feel as if they are catching other teams off guard.
Participants: Coordinators and "Tribal Leaders" in a workplace.
Our goal is to schedule efforts that will ultimately discover risks and register them for us to sort through later. This requires some internal knowledge of the workplace, of where uncertainty around risk may be, and of which employees or systems should be worked with. We need to decide on efforts that are cost-effective and thought to be impactful on our goals to understand and prioritize risk.
- What subject matter expert interviews need to take place?
- Do we need to organize any brainstorming workshops? (E.g., a tabletop exercise)
- Do we need to schedule time with any external resources?
- Are there any auditing tasks to maintain?
- How are these activities scheduled?
- Who maintains the findings of these activities, and where do we maintain them?
- Who will centralize these risks as "Risk Scenarios" in a single location, and how?
- What group or individual is responsible for sorting these risks when complete?
- When should this be scheduled?
Risk discovery work should be cut out for a period of time. Efforts are captured and translated into a common form in a central place for later sorting.
Participants: Coordinators and stakeholders who are familiar with what risks we can or cannot tolerate, especially those who have a sense of the likelihood of risks.
Our goal is to obtain a prioritized set of risks and mitigations, with as much consensus and credibility as we can muster. We want these to take flight as mitigations so we can start having an impact on these risks.
- Have the group or individual sort scenarios based on risks.
- Be sure to document tough tradeoffs, disagreements, or other retrospectives on the process so far.
- Decide on tasks, OKRs, or another tracking method to manage follow-up items.
- Develop tasks that reflect specific mitigations for extremely high risks, or mitigations that reduce the impact of many risks.
- Prioritize these tasks and triage them to owners.
- Identify resource and budget constraints for mitigations that cannot be completed.
- Estimate when a retrospective meeting should take place.
Mitigation work should be cut out for a period of time.
Participants: Anyone who participated with an informed opinion on the process.
Ask tough questions that challenge the overall process and reduce cognitive error when possible.
- Did we have any incidents that should change our perception of risk?
- It's impossible to know if you've discovered enough risks. What is enough? What is too little?
- While our intuition roughly sorts our risks, have we introduced bias in the process?
- Does our risk discovery process inform an investment into mitigation? Does it estimate budget?
- Is our risk mitigation outpacing our increase in risks? Are we losing the race with every cycle?
- What if we don't have the talent to fully understand a very specialized risk?
The process should be ready to restart with lessons learned well announced in the group.