ISO 31000 provides a solid risk management framework for facilitating risk management plans.

Facilitation of risk management plans starts with understanding key definitions, understanding organizational context, and choosing the best risk management framework for the organization. Good facilitation of risk management plans requires incorporating patience for numerous sessions and preparing for the three most common disruptors.

The foundations of systems thinking apply to facilitating risk management plans because the analysis requires a group to establish the nature of separate and interrelated components.

Facilitation Defined

Facilitation is defined as a structured session(s) in which the meeting leader (the facilitator) guides the participants through a series of predefined steps to arrive at a result that is created, understood, and accepted by all participants." For risk management plans, establishing the context (including definitions), communication, and monitoring risk mitigation actions are three key areas where fabulous facilitation is needed.

Facilitating Risk Management Plans

According to the international risk standard, ISO-31000, a risk management plan is a scheme within the asset management framework specifying the approach, management components, and resources to be applied to the management of risk. A risk management framework is a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.

One issue is that ISO 31000 is not the only standard. Basic definitions of foundational terms like risk and approaches to developing a risk framework vary widely. While risk management professionals have fought for nearly two decades to unify the definitions and approaches, there is still an appreciable gap in practice.

For example, most approaches will say that asset management plans apply at the organizational level; however, other organizations, such as the Institute of Asset Management, include in their definition that risk management plans can apply at the organization level, in part of all of an organization, or to specific processes or assets.

Terms, Processes, and Interrelated Parts

If a risk management plan sounds like a layered mess of terms, processes, and interrelated parts, well, it is. At least to everyone but opinionated risk managers (risk subject matter experts).

Another confounding factor is that risk management is not a management system but rather a standard. This means that the risk management standard must fit into one or more management systems within the organizations and co-exist peacefully with other corporate standards such as safety, quality, and reliability.

For the facilitator, this means there is much groundwork to do upfront. Co-existing within management systems and alongside other standards also means that the facilitator must monitor ever-changing organizations to ensure the adopted risk management plan will be implementable. Obviously, risk management plans are not developed and adopted with one or two facilitated sessions.

Use A Standard Framework

Facilitators should use a standard risk management framework to guide the plan development process. The ISO-31000 risk management framework is a solid one.

1. Context, Scope, Criteria

2. Risk Assessment (Identification, Analysis, Evaluation)

3. Risk Treatment

4. Recording and Reporting

5. Monitoring and Review

6. Communication and Consultation

ISO 31010 (Risk Management – Risk Assessment Techniques) provides commentary and recommended approaches for each step in the process. Most experienced facilitators will be familiar with the basic techniques because they are common to other applications such as quality, reliability, asset management, and project management.

Diving In Too Fast and Too Deep

In facilitating risk management plans, the most overlooked areas and the sources of most failures are establishing the context (including definitions), communication, and monitoring risk mitigation actions. The primary source of the shortfalls is diving into the risk assessment too fast and too deep. Risk assessment is the sexy part that most senior managers seek.

Establishing the organizational context and definitions is necessarily hard and thankless work. Risk communication is universally recognized as critically important, but there is little guidance in risk management references, including ISO 31000. Monitoring risk management is the least sexy of all risk management framework components and the least rewarding because you normally cite where people (or the management system) came up short.

Yet for facilitators, the context, the mitigation monitoring, and the communication provide the guardrails for what is implementable for the organization. The risk assessment – identification, analysis, and evaluation – matters little if the organization cannot make the risk management plan actionable.

Facilitation Disruptor: Definitions and Organizational Context

A breakdown in definitions or the organizational context is normally the first source of disruption. Without good alignment, the facilitator struggles to move toward consensus.

The safe bet is that basic definitions and organizational context will be under continual challenge. Facilitators should start and end each session with summaries. A synthesis document, or decision log, should be maintained to remind participants of points of past agreement.

Facilitation Disruptor: Experts and Competing Initiatives

A second form of disruption usually comes from subject matter experts or initiative sponsors who do not want to change their previous approaches. This disruption is essentially an expert bias that is best checked by consensus definitions, reminders of the organizational context, and agreements that have been previously reached.

The working definition of consensus, or “I can you live with it," versus unanimous agreement, should have been introduced in the project charter. Living with it is much more productive than completely agreeing with something. Use it to check SMEs or initiative sponsors who are entrenched.

Facilitation Disruptor: Measuring Risk

A third common form of disruption focuses on how quantified the analysis should be or how measurable the risk monitoring should be. Here the breakdown is between symbolic (numeric) thinkers and verbal (narrative) thinkers.

The conflict essentially creates noise in the communication. The solution is that both sides must tamp down their positions to create solutions that are created, understood, and accepted by all participants – and implementable. The solution for the facilitator is to use a combination of quantitative and qualitative approaches.

Moving Forward

Facilitation of risk management plans starts with understanding key definitions, understanding organizational context, and choosing the best risk management framework for the organization. Good facilitation of risk management plans requires incorporating patience for numerous sessions and preparing for the three most common disruptors.

A separate article will discuss five ways to move your facilitation of risk management plans from good to great.

Communicating with FINESSE is a not-for-profit community of technical professionals committed to being better trusted advisors. Join the community for free.