What is an acceptable level and/or amount of risk?
Risk can be scored and quantified but it is quite hard to measure.
Risk is comparative and/or relative, not absolute.
Failure Modes and Effects Analysis (FMEA) can be a handy tool for looking at the dark side of situations and understanding potential impacts.
Risk Priority Number (RPN) is used, commonly in the automotive industry, as a measure of assessed risk and helps identify critical failure modes associated with a design or process. RPN values range from 1 (absolute best) to 1000 (absolute worst). RPN is somewhat similar to the criticality.
Quite a bit of conversation was had about differences between risk (perceived negative impact) and opportunity (perceived negative impact). Weighing both of these sides is critical for decision making. Both live within the context of uncertainty. Information gathering, research and assessment are good tools to reduce uncertainty and increase the ability to predict outcomes.
David Slight brought up the point about the cost to mitigate. Just because a risk could be mitigated, the question is raised "is it worth mitigating?"
Risk reduction is indeed a measurement and tool that is commonly used.
Paul, a first-time attendee and new Seattleite (welcome to the group, Paul), shared about the tool of Potential Problem Analysis. PPA is a way that can help analysts anticipate problems before they happen and to identify the actions needed to be taken to prevent them from happening, or to minimize the effect.
David said that many people assume that there is a 1:1 relationship between the problem and its solution, which is a fallacy. And that risk is oftentimes hierarchically decomposed, which presents issues since things are multi-dimensional and multi-faceted (do not fall into simple hierarchies). NIST (National Institute of Standards and Technology) provides a Risk Management Framework that is common in industry.
Fred said that a lack of a Business Continuity plan is one of the biggest risks that companies face. Without this plan, they have no plan and are therefore at risk.
There are many types of risk: financial, reputation, technological, infrastructural, contractual, relational, global, service, project, corporate, enterprise, operational. This page has many of the risk types explained and differentiated.
Controls and compliance are big parts of the risk management process and plan.
Eric shared about extremely significant cultural differences about risk between companies in, say, healthcare, and those in, say, fashion. Stark differences in language and behavior can be seen between these two cultures.
Jean, who was at the group for the first time and is currently taking a Building your Own Theology class at BCC, shared about a big difference between the occurrence of the risk and the actual harm that results from it. The risk event and the following harm or actions are two different areas, each requiring management, caution and care.
There are many situations and scenarios where we as humans choose to "look the other way" from a risk or issue so we maintain focus on our current projects and mission. We "accept" (by ignoring) the other risk and therefore are at risk to its potential harm. Risk and strategy are closely related.
We spoke quite a bit about authorization and systems including roles. The BART system (Boundary, Authority, Role and Task) is a good way to clearly define roles.
We moved onto the topic of resiliency. We agreed that scalability was related, as is the idea of "foreverness". A clear plan that is aware of various thresholds, steps and milestones can help with communications about foreverness, a commitment to permanence and resiliency.
Many organizational and management-level issues can crop up in the topic of risk, authority and resiliency. For example, there are many scenarios when people have a lot of responsibility but no authority. Legitimate power delegated is a key to organizational success and growth. (Managing down the chain).
Reba and others commented on individual-level requirements such as "if I found it, then I fix it". Leadership and care at the individual level are required for organizations to survive and grow optimally. Tableau has a core cultural value of "We Work as a Team" and that works well but it can also get into a blaming situation where no one (only the team) is accountable. I felt that a similar cultural value of "I either hand-off well or I win." was a good one.
"I either hand off or we win."
Bruce, an always great contributor at the meetings, shared the phrase "you can't manage a secret". And Leland, also new to the meeting, shared about the need for positive handoff.
Ultimately culture and individual attitudes, aggregated, play into the ability of an organization to identify and effectively manage risk, be compliant and be resilient. Next month, we will talk about Managing External Relationships that plays into this topic very well. Keep your eyes and ears peeled for our podcast on these and other topics coming soon.
We are considering naming the AppsJack Share Podcast "WonkTalk", "Community", "Communities of Purpose", "Practical Organizational Theory", "Building Communities of Purpose". Do you have a preference in the name? Plan is to have a podcast about the topic preceding the month's meetup. The reason for it to be before the meetup is to prepare some, get a high level framework and understanding of the topic, get feedback from our audience on the most interesting areas.
We talked for over two hours.
At the meeting were Eric, Paul, Dominic Wong, David Slight, Fred de Boer, Chris Ingrao, Jean, Reba and Leland, Andrew Sengul.