I recently listened to a new video by my friend, Alex Sidorenko. In "How often [should] the risk assessments be performed", he makes some solid points, including:
- Our environment is volatile and performing risk workshops that take days and result in a risk assessment on an annual basis is not very useful.
- Even risk assessments that are more frequent, from quarterly to monthly or weekly, can be out of date when risk is changing every day.
- The consideration of risk should be integrated into every business process, and performed at the speed of those processes.
- The consideration of risk should be part of every decision made every day across (my words) the extended enterprise.
- The risk practitioner needs the tools to help decision-makers consider risk at speed, within minutes if possible.
The comment I left on his related LinkedIn post was that risk should be assessed at the combined speed of risk and of the business. Let me explain:
- If your organization operates in a very stable environment, then changes may be few and slow to appear. Therefore, the need for considering and assessing what might happen (a far better term than the 4-letter ‘r’ word, risk) arises less frequently.
- But if either the external or internal environment (context, in ISO language) changes frequently, or if significant decisions are…