Facilitating Risk Management Plans Starts with These Foundations

ISO 31000 provides a solid risk management framework for facilitating risk management plans.

Facilitation of risk management plans starts with understanding key definitions, understanding organizational context, and choosing the best risk management framework for the organization. Good facilitation of risk management plans requires incorporating patience for numerous sessions and preparing for the three most common disruptors.

The foundations of systems thinking apply to facilitating risk management plans because the analysis requires a group to establish the nature of separate and interrelated components.

Facilitation Defined

Facilitation is defined as "a structured session(s) in which the meeting leader (the facilitator) guides the participants through a series of predefined steps to arrive at a result that is created, understood, and accepted by all participants." For risk management plans, establishing the context (including definitions), communication, and monitoring risk mitigation actions are three key areas where fabulous facilitation is needed.

Facilitating Risk Management Plans

According to the international risk standard, ISO 31000, a risk management plan is a scheme within the asset management framework specifying the approach, management components, and resources to be applied to the management of risk. A risk management framework is a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.

One issue is that ISO 31000 is not the only standard. Basic definitions of foundational terms like risk and approaches to developing a risk framework vary widely. While risk management professionals have fought for nearly two decades to unify the definitions and approaches, there is still an appreciable gap in practice.

For example, most approaches will say that asset management plans apply at the organizational level; however, other organizations, such as the Institute of Asset Management, include in their definition that risk management plans can apply at the organization level, in part or all of an organization, or to specific processes or assets.

Terms, Processes, and Interrelated Parts

If a risk management plan sounds like a layered mess of terms, processes, and interrelated parts, well, it is. At least to everyone but opinionated risk managers (risk subject matter experts).

Another confounding factor is that risk management is not a management system but rather a standard. This means that the risk management standard must fit into one or more management systems within the organization and co-exist peacefully with other corporate standards such as safety, quality, and reliability.

For the facilitator, this means there is much groundwork to do upfront. Co-existing within management systems and alongside other standards also means that the facilitator must monitor ever-changing organizations to ensure the adopted risk management plan will be implementable. Obviously, risk management plans are not developed and adopted with one or two facilitated sessions.

Use A Standard Framework

Facilitators should use a standard risk management framework to guide the plan development process. The ISO 31000 risk management framework is a solid one.

  1. Context, Scope, Criteria

  2. Risk Assessment (Identification, Analysis, Evaluation)

  3. Risk Treatment

  4. Recording and Reporting

  5. Monitoring and Review

  6. Communication and Consultation

ISO 31010 (Risk Management – Risk Assessment Techniques) provides commentary and recommended approaches for each step in the process. Most experienced facilitators will be familiar with the basic techniques because they are common to other applications such as quality, reliability, asset management, and project management.

Diving In Too Fast and Too Deep

In facilitating risk management plans, the most overlooked areas and the sources of most failures are establishing the context (including definitions), communication, and monitoring risk mitigation actions. The primary source of the shortfalls is diving into the risk assessment too fast and too deep. Risk assessment is the sexy part that most senior managers seek.

Establishing the organizational context and definitions is necessarily hard and thankless work. Risk communication is universally recognized as critically important, but there is little guidance in risk management references, including ISO 31000. Monitoring risk management is the least sexy of all risk management framework components and the least rewarding because you normally cite where people (or the management system) came up short.

Yet for facilitators, the context, the mitigation monitoring, and the communication provide the guardrails for what is implementable for the organization. The risk assessment – identification, analysis, and evaluation – matters little if the organization cannot make the risk management plan actionable.

Facilitation Disruptor: Definitions and Organizational Context

A breakdown in definitions or the organizational context is normally the first source of disruption. Without good alignment, the facilitator struggles to move toward consensus.