Setting up a successful risk assessment
At each step of the risk assessment process, it’s important to consult the right people, inside and outside of your organisation, and communicate effectively.
Consult the right people — stakeholders
If the people who understand the business and technical contexts are not involved, you might be unable to identify the risks. This would defeat the purpose of a risk assessment.
When to seek out stakeholders
Good moments to identify the stakeholders of an information system are when you’re:
- classifying its data
- establishing its business context
- finding its technical context
- monitoring and reviewing its risks on a regular basis
- aware that its stakeholders have changed.
Dialogues over monologues
It’s important for everyone to have the right attitude — communicating in the spirit of consultation. When writing or speaking with each other, make sure information flows both ways rather than one way.
Communicate effectively with stakeholders
Stakeholders writing and speaking effectively with each other is essential to a successful risk assessment. When they work together well, you’ll be able to:
- identify the risks to an information system instead of missing them
- make the appropriate decisions when evaluating and treating the risks your team has identified and analysed.
Example template for risk assessments
The Government Chief Digital Officer (GCDO) has an example template of a risk assessment in case you need some help working through the process.
Tips for communicating during risk assessments
Each stakeholder’s perception of a risk can vary significantly. People are likely to make judgements on the acceptability of the risk based on their own experience of it.
This is okay — you just need to make sure their perceptions of an information system, both its risks and benefits, are documented. The key here is to understand and address their reasons for each position instead of avoiding them.
Tips for sending information to many stakeholders
People will have different levels of experience with an information system, its risks and its benefits. To be effective in sending information to many stakeholders about the management of risks, all information should have the following traits.
Clear and concise
Take the time to edit your writing to be short and to the point. Avoid unnecessary details or repetition.
Make it relevant to the people receiving your writing. Technical information that is too detailed, or that is sent to non-technical stakeholders, will likely obscure a clear view of the risks.
Keeping information clear and relevant allows you and your team to make decisions and take actions at the right time in the risk assessment process.
So that people can make informed decisions, put together information:
- at the right level of detail
- without hiding the root cause of a risk
- with the audience in mind, adapting it for them.
Only people with a genuine need to know should have access to:
- risk reports
- risk management plans
- the risk register.