By Thomas Frenehard, GRC, SAP

Whenever I talk to customers who decide to embark on a risk management project, and wherever they are in the world, one question always kick-starts the conversation: So, where do I start?

As a matter of fact, when writing this post, I was kicking myself: Why didn’t I start my blog postings with this topic first? I should have indeed, and I do apologise that it comes so late. It seems that we all want to see the results of a project and invite people to the housewarming party before we even lay its foundations…

For all risk management projects (and this goes for any strategic project where information is the final outcome), I believe that there are defined phases whose order must be respected in order to be successful:

1. Assess Your Current Situation

This first step is fundamental and this quote from Abraham Lincoln sums it up well: “If I had eight hours to chop down a tree, I’d spend six sharpening my axe.”

For risk management specifically, I think this can be summed up as understanding the current maturity level of your organization. Is this process currently managed informally, with, for instance, risks identified and mitigated in an ad hoc manner and reporting rather manual? Is the process already at a basic stage where identification is formalized and accountability assigned both for risks and their mitigation strategies? Or is the process structured or even optimized, where remediation is workflow driven, losses and indicators are tracked, automations are used for aggregations and reporting, and so on?

2. Formalize Your Requirements and Priorities

Once you know where you are, you can decide where you need to go. Here, I like to use the Intelligence Cycle as I find it very appropriate.

  • The first step is to define the Requirements and the Planning, to ensure all stakeholders have shared their interests and the associated timeline describing the scope of the project.
  • Then you can progress to the definition of Collection of information – how will the information be gathered? By whom? And so on.
  • Once both these steps are formalized, I suggest progressing to the definition of the Analysis & Exploitation – who are the experts who will be involved in the analysis?
  • Last but not least, the Dissemination – what types of reports are required, who will receive them, and how frequently?

3. Communicate the Scope and Roadmap

Now that you know what information is required, by whom and when, and you also know how it will be collected and analysed, it’s time to design the process itself and ensure that it flows continuously.

If you’re thinking about a software solution, this is typically the stage where you define the modules and their workflows that will be used straight away and the ones that will be activated later.

4. Deliver the Expected Result and Get on the Success Highway!

If your communication is clear, and the expectations are set, then you should be on the best path to a successful project.

If I could summarize my recommendations into a few bullet points, they would be:

  • Plan, plan, and then plan some more
  • Understand what the needs are for the different stakeholders
  • Identify where you are today and where you want to be in the future
  • Define a clear roadmap with set success milestones
  • Keep open communication with the stakeholders so they are informed and on board all the time

Can you think of any projects that failed in your organization? What steps were missed? I’d like to hear from you about additional ways to improve project management and manage project risk.