ROB QUAIL, BASc
Principal, Robert Quail Consulting
The guidelines and advice in this chapter are based on the author's experience facilitating more than 250 risk workshops of various forms, with the number of participants ranging from 8 to 800. It is not intended to be a comprehensive guide to facilitation techniques, but assumes the reader has some basic understanding of how to facilitate a management meeting.
A risk workshop is a structured, large-group conversation about future uncertainties.
It is tempting to think of workshops as merely a data-gathering exercise; after all, from the risk manager's perspective, the workshop provides access to a whole roomful of experts and decision makers for a specified period of time. It gets results much more quickly than data mining of similar scope, and certainly is much quicker than surveys or individual interviews. However, the benefits of risk management workshops go far beyond the convenience for the risk manager:
The following sections provide a general approach for planning and executing a typical risk workshop. The entire process is depicted in Exhibit 19.1.
A smoothly run and successful workshop that results in usable outcomes depends on adequate preparation; an effective workshop on risks is never the result of “winging it.” Regardless of the objectives and nature of the workshop, the greater the extent of preparation, the greater the likelihood there will be of a successful outcome.
Given the use of tools such as “anonymous” voting and facilitated discussion, a risk workshop has the appearance of being a democratic process. It is not. It is a consultation, conducted in the context of an organizational hierarchy, and should be conducted under the leadership of a specific decision maker. Therefore, all risk workshops must have an executive sponsor who is functionally accountable for the scope of the objectives and risks under discussion; someone who is “in charge”; someone who ultimately “owns” the risks. This person is not normally the risk manager. The role of the sponsor for a risk workshop is to set the context for the workshop, provide a view of their tolerance for risk taking, pass ultimate judgment on behalf of the broader organization and on the tolerability of risk exposures, and ultimately be able to present the results to those to whom the sponsor is accountable.
Exhibit 19.1 How to Conduct a Risk Workshop
Step | |
---|---|
Workshop Preparation | Identify the sponsor |
 | Set the workshop objectives |
 | Set the scope: |
 | Assemble risk criteria: |
 | Set the agenda |
 | Decide on attendees |
 | Assemble reference materials |
 | Arrange venue |
Workshop Execution | Facilitate the workshop. For each risk: |
 | Record the results |
As described throughout the following sections, the sponsor will make decisions concerning the planning and design of the workshop, will play a critical role in setting the context and tone of the workshop itself, and will ultimately assume responsibility for the outputs of the workshop and ensuring that agreed-to actions are completed. Although the risk manager will do all the “heavy lifting” in terms of planning and executing the workshop, the sponsor will need to make key decisions before, during, and after the workshop, and together these decisions will be the ultimate determinant of the workshop's success.
It is imperative, in designing a risk workshop, that the facilitator gets a clear understanding of the sponsor's objectives for the workshop, as this will have implications for most other aspects of workshop design. A useful model for understanding these objectives is illustrated in Exhibit 19.2.
The vertical axis of this figure represents the desired discipline of the workshop. Learning Discipline workshops, at the bottom of this scale, place the emphasis on discussion and casual discourse on the subject risk areas, to enhance individual and collective understanding of the risks, rather than driving toward decision making. The process is loosely defined, there is a lot of scheduled “slack” time in the agenda, and the facilitator is relatively hands-off in allowing the discussion to follow the apparent interest of the participants. Learning workshops are well suited to new problems and new risk areas, with relatively cohesive management teams and no real imperative for immediate decision making. Because workshops can be excellent team-building forums, they can also be well-suited to new teams, so long as the goals of the workshop do not include driving to immediate decision making on a specified list of risks and issues.
At the opposite extreme of the vertical axis, Decision-Making Discipline workshops are results-oriented. Decision-making workshops are, as the name implies, called for when a management team must make a decision immediately on the significance of risks and the adequacy of controls. A high degree of trust in the facilitator is required, because the facilitator will play a highly intrusive role in managing the discussions. The agenda is highly prescriptive right down to the minute, the process is highly scripted, and the facilitator keeps the process strictly on-topic and on-schedule.
The horizontal axis of Exhibit 19.2 depicts the focus of the workshop. Broad Focus risk workshops explore arrays or groups of risks at the strategic level. The emphasis is on identifying, understanding, and measuring risks, rather than evaluating the adequacy of mitigants, as the high-level depiction of risks may not lend itself to the discrete evaluation of mitigants to the point where a judgment of adequacy is possible. The agenda of these workshops will allow for greater understanding of the risk environment and the interplay of internal and external factors on the risks. Such workshops are useful for executive teams at the start of a strategic planning exercise. They are also useful at the commencement of large projects or programs (the so-called “storming” stage).
At the opposite end of the horizontal scale in Exhibit 19.2, Narrow Focus risk workshops are targeted at risks that are defined and understood to a high degree of specificity. Such workshops will normally make use of performance or other indicator data and may require the participation of functional or technical experts. Narrow focus workshops also allow for a greater emphasis on the evaluation of controls and mitigants for each risk. These workshops are best suited for technical groups and detailed planning exercises, such as annual departmental business planning.
Note that the choice of workshop type is not an either-or decision. The facilitator must get an understanding of where among these four extremes the sponsor's requirements lie. This can be gleaned by asking questions such as:
The scope of the risk workshop will consist of three elements: (1) the organizational objectives, (2) the risk universe, and (3) the time horizon.
In order to have an efficient workshop and ensure that risks are assessed in a manner consistent with the overall risk appetite and tolerance of the broader organization, relevant risk criteria, of the type described in ISO 31000:2018, are essential.
Exhibit 19.3 Sample Impact Scale
Objective | Attribute | Event | 5 Catastrophic | 4 Severe | 3 Major | 2 Moderate | 1 Minor |
---|---|---|---|---|---|---|---|
Financial | Net Income | Net income shortfall (in one year, after tax) | >$100M | $50M–$100M | $25M–$50M | $5M–$25M | <$5M |
 | Creditworthiness | Change in financial ratios or risk | Event of default; unable to raise any capital due to credit rating | Credit rating downgrade to below “investment grade”; unable to raise required amount of capital | Credit rating downgrade | Put on credit “watch” | Credit-rating agencies and bondholders express concern |
Reputation | Public profile | Negative media or opinion-leader attention | Negative national media attention; opinion leaders nearly unanimous in criticism | Regional negative media attention; many opinion leaders publicly critical | Significant negative local media attention; customers publicly critical | Letter to board of directors and CEO | Letter to member of management |
 | Employee confidence | Employee dissatisfaction | Widespread departures of key staff with scarce skills or knowledge | Sharp, sustained drop in employee survey results; departures of key staff | Sharp decline in employee survey results | Moderate decline in employee survey results | Less than planned improvement in employee survey results |
Competitiveness | Unit-cost reduction | Failure to reduce unit costs | Unit labor costs increase by > 15% | Unit labor costs increase by 10–15% | Unit labor costs increase by 5–10% | Unit labor costs increase by 3–5% | Unit labor costs not reduced |
 | Work program accomplishment | Work program shortfall | > 50% of critical projects late; or <50% of total work programs completed | > 3 critical projects late; or 50–69% of total work programs completed | 2 or 3 critical projects late; or 70–84% of total work programs completed | 1 critical project late; or 85–94% of total work programs completed | No critical projects late; or >95% of total work programs completed |
Safety and environment | Employee availability and safety | Employee injury | Employee fatality or major permanent disability | Employee critical injury | Deterioration in safety targets | No improvement in safety targets | Less than planned improvement in safety record |
 | Environmental performance | Adverse environmental impact | Widespread offsite impacts (e.g., regional or municipal water supply) | Multiple local offsite impacts (e.g., multiple residential properties or private water supplies) | Significant local offsite impact (e.g., a public thoroughfare) | Minor local offsite impact (e.g., a single residential property or private water supply) | Minor impact on our property only |
Once the objectives and criteria for the workshop have been set, the next task is to set the agenda. An obvious question is how much time is available and how many risks can be covered in the available time? There are no hard-and-fast rules, but as general guidelines:
The method for choosing (from the risk universe) the risks for discussion is another decision that is primarily up to the sponsor. Alternatives include:
Exhibit 19.4 Sample “Strength of Mitigants” Scale
Score | Rating | Description |
---|---|---|
5 | Full controls; prescriptive; senior management/CEO oversight | Full controls established (see “Full Controls” description), plus: |
4 | Full controls | All elements are fully implemented and complete. |
3 | Substantial controls | Only one or two elements are missing or incomplete. |
2 | Partial controls | A significant number of elements are missing or incomplete. |
1 | Few controls | Almost no elements are in place. |
Full Controls consist of: | | |
Purpose | | |
Commitment | | |
Capability | | |
Monitoring and learning | | |
Exhibit 19.5 Sample Likelihood Scale.
Score | Rating | Probability in Planning Period (5 years) | Expectation of Event Frequency (in years) |
---|---|---|---|
5 | Very Likely | > 95% | >1 in 2 |
4 | Likely | 75% | 1 in 4 |
3 | Even Odds | 50% | 1 in 10 |
2 | Unlikely | 25% | 1 in 20 |
1 | Remote | < 5% | <1 in 100 |
For most risk workshops, as a general rule, the target number of active participants should range from about 8 to about 25. Smaller groups usually do not offer the variety of perspectives or require formalized facilitation of the type described in this chapter. Larger groups can be unwieldy and there are special challenges in controlling group dynamics and giving everyone a sense that they have had a reasonable amount of “air time.” Large groups can be accommodated but require additional detailed planning and more experienced facilitators; see the section “Tough Spots.”
The decision on who attends will ultimately be left to the sponsor. The list of attendees will depend on which risks are on the agenda for discussion, assuming these are known in advance: the attendee list should allow for full exploration of the risks on the agenda, and, if applicable, decision making on the actions to be taken. This means that the workshop should include functional or technical subject-matter experts and key management stakeholders and decision makers. Another useful rule is to ensure that any person or group that might reasonably be expected to carry an action item out of the workshop is represented.
Other considerations:
To facilitate a risk workshop, the author recommends a two-person facilitation “team.” One person, the “facilitator,” will focus on running the meeting and guiding the discussion. The other person, the “record keeper,” will ensure that what is said or decided at the meeting is recorded. Although it is possible for the facilitator to assume both roles, experience has shown that the workshop can be run more efficiently and produce better documented results if there is a separate record keeper assisting the facilitator. Note: The record keeper role is not just a “recording” function. The record keeper must have the ability to listen to and understand the discussion and boil it all down to a few key points to be recorded and simultaneously displayed to participants.
Often, especially for risk workshops with narrow focus and decision-making discipline, there may be a need to assemble background or reference materials on the risks to be discussed. This may include:
Depending on the amount of material included, it may be preferable to circulate these reference materials to workshop attendees for review beforehand.
Normally a U-shaped seating configuration is preferred as it allows for face-to-face contact, simultaneous reading of displayed materials, and a central position from which the facilitator can direct the discussion and keep everyone engaged. The ideal layout for the room will have two computers and two display screens set up at the front of the room where all participants can see them: one screen for displaying context information and/or voting results (assuming anonymous voting technology is used) and the other screen for recording the key discussion points. It is also useful to have one or more flipcharts for recording “parked items” and other “side” items that may come up but are not central to the agenda.
Often it can be helpful to hold the workshop away from the normal place of business, to avoid the temptation for people to return to their desks during breaks.
Assuming the preparation is complete and thorough, the execution of the workshop is focused mostly on maintaining or controlling the discussion, properly recording what is said and decided, and reporting the results.
The purpose of this section is to describe the basic elements common to most or all risk workshops, not to provide a detailed explanation of meeting facilitation techniques. More facilitation “tips and tricks” are provided in the next section. (Note: This section assumes the use of anonymous voting, which the author considers an essential tool for efficient risk workshop execution.)
Although the workshop will be customized based on its specific objectives and focus, each risk discussion will have the following components. For each risk:
In addition to a simple definition of the risk, an effective way to build a common understanding is to ask participants to briefly describe, as a simple “mini-scenario,” how this risk might come to pass; what triggering event or condition would signify that the risk has occurred; and what might credibly be experienced by the organization as a result. Sometimes this brainstorming technique of developing mini-scenarios is termed back-casting. Ask the group something like this question: “Imagine it is several years from now and this risk has come to pass in what you would consider to be the worst-credible way. What happened?”
Record and display the key discussion points. Have the group brainstorm several of these brief scenarios; record them all.
Introduce the vote with an instruction like this: “Review the scenarios that have just been described, and decide in your own mind which of these represents a credible scenario that is the most harmful. Then decide which of the objectives is most threatened by this scenario and find a point on the Risk Impact Scale corresponding to that objective that most closely resembles this impact. The risk score associated with that impact will be your vote.”
The voting is followed by a conversation to explore the rationale behind responses and probe into the reasons behind diversity of opinion. To encourage a complete discussion, the facilitator should ask questions like, “Which objective did you feel was most threatened by this risk?” and “Please describe the mental journey you took in evaluating the risk and deciding how to vote.” The note taker should record the key perspectives of participants.
The primary objective of this discussion is not necessarily to force consensus on the impact of the risk (although this is of course preferable), but to ensure that all perspectives get communicated and are understood by all participants, especially the sponsor.
This portion of the workshop can involve one or more revotes and rounds of discussion. The facilitator should introduce a revote by saying something like: “Now we have heard a range of perspectives and arguments on the potential magnitude of this risk. Let's see how many of you have changed your minds as a result.” It may take multiple iterations of “vote—discuss—vote—discuss” to complete this part of the agenda. It is important to remember that the role of the facilitator is to get all views on the table and encourage constructive debate.
It is important that the discussion on actions not become too detailed, or it will derail the discussion and put the agenda at risk. The author has found it useful to categorize actions into two types:
As mentioned in an earlier section, it is best to have a dedicated record keeper, recording what gets said and displaying it for all to see. This can be most conveniently done by typing key points into a computer and simultaneously projecting them on a screen so that all participants can refer to what was said and know that the key points are being properly recorded. The intent is not to record every word that gets said, but the highlights of the discussion in point form. Also, any decisions, conclusions, or actions need to be clearly noted. It is recommended that the record keeper prepare a template in advance (see Exhibit 19.6) that follows the workshop agenda. Throughout the workshop, the facilitator must keep an eye on the note-taking screen to ensure that the record keeper is able to keep up with the discussion and capture the key aspects of what is said.
Exhibit 19.6 Sample Record-Keeping Template
Risk Title: Cyber-Breach | Risk Score: 2.80 | |
Description: The risk of a cyber-breach involving or affecting customer operations | | |
Scenarios: | | |
 | | |
Magnitude Discussion: | Score: 3.8 | |
 | | |
Controls Discussion: | Score: 3.5 | |
Strengths: | Gaps: | |
 | | |
Probability Discussion: | Score: 1.8 | |
 | | |
Tolerability (Yes or No): No | | |
Actions: | Champion | Due Date |
Complete privacy audit | Joe Smith | Q4 2019 |
Continue to verify compliance with OEB and internal requirements | Alf Jones | Q4 2020 |
One of the advantages of having a real-time record keeper is that a report of the workshop, showing the risk map and discussion points and actions, can be finalized and distributed to the sponsor and participants as required within a matter of hours. The report should include as a minimum:
It is best to schedule a debrief meeting with the sponsor to walk through the highlights of the report and make sure they are clear on the next steps for following up on assigned actions.
The facilitator of a risk workshop is responsible for guiding the workshop participants through the process and ensuring effective and efficient discussions on the subject risks. This section provides some useful general advice and tips for workshop facilitators.
The author has used so-called “anonymous” voting tools (wireless keypad transmitters and receivers) for more than 250 risk workshops over a 19-year period, to great effect. These systems allow the facilitator to pose a question, displayed for the group to see, along with a range of numerical responses (corresponding to the scales described in the previous section), and obtain and feed back to participants a quick, real-time poll of the views of participants. These systems have the following advantages:
Note that there are alternatives to dedicated keypads and receivers to support group voting exercises, where participants enter their responses on laptop computers, tablets, or smartphones. While these systems are convenient, they have the principal disadvantage of allowing participants to be distracted by other things on their tablets, phones, or computers. Single-purpose keypads are useful facilitation tools specifically because they can only be used for one thing: voting on questions posed by a facilitator in the workshop (and not for checking e-mail, messages, the stock market, or the latest news).
What follows are some useful ideas to help ensure successful, stimulating risk workshops.
We have shown how to plan, organize, and facilitate a risk workshop. Risk workshops play a vital role in ERM by helping engage executive managers and staff in understanding the corporate objectives and the risks to achieving these within given tolerances. As such, not only do workshops help identify and address critical risks, they also provide excellent opportunities for participants to learn about organizational objectives, risks, and mitigants.
Many organizations are increasingly moving toward virtual, online meetings, using videoconferencing resources rather than meeting in person. The COVID-19 pandemic accelerated this trend. Therefore, from time to time, risk workshops need to be held virtually. The purpose of this appendix is to provide general advice for facilitating online risk workshops.
The principal challenges in facilitating a workshop online lie in the difficulty of effectively monitoring and maintaining participant engagement throughout the session. In a physical meeting room, the facilitator can watch body language and look for visual cues that show attention, engagement, frustration, and so on, among attendees, and make adjustments; call on particular individuals, or adjust the pace and focus of the discussion. This becomes much more difficult in an online setting. Therefore, the following adjustments are recommended.
Due to the difficulty in maintaining participant attention, and the tendency for the process in a virtual setting to devolve from a series of conversations among attendees to a mechanical routine, online workshops are best parsed into short meetings of one- or (at most) two-hour duration, perhaps exploring only one or two risks at a time. The facilitator should expect that the process for assessing each risk will take considerably longer than at an in-person workshop; between 50 and 100 percent longer would be a good planning assumption.
Large groups quickly become unwieldy in a virtual session. Monitoring levels of participation and effectively directing the traffic of conversation in a large group are much more difficult online. For this reason, smaller groups are preferred.
As a rough rule of thumb, the ideal range in terms of number of workshop attendees should be cut by one-third: in the body of this chapter, the ideal range is given as 8 to 25, but for online workshops, a better range is 5 to 16 participants. Note that a tighter, more narrowly focused agenda, per the previous point, may allow the attendee list to be reduced without losing out on access to subject-matter experts and stakeholders who might enrich the discussion.
If possible, it is recommended that all attendees be instructed to leave their videocameras on for the duration of the discussion; the video image of each attendee is the only cue available to the facilitator on the level of engagement. Further, having all cameras on is more likely to support spontaneous participant-to-participant conversational dialogue.
As was mentioned earlier in this chapter, in an in-person workshop, two screens are recommended: one screen for displaying context information and/or voting results (assuming anonymous voting technology is used) and the other for recording the key discussion points. This is not easily accomplished with most videoconferencing solutions, which necessitates frequent back-and-forth movement between context/voting screens and note taking. Some planning will be necessary to decide how to manage screen-sharing; it may be necessary for the note-taking facilitator to have full control of what is displayed, or for the two facilitators to pass control back and forth.
Some videoconferencing solutions have embedded participant-polling capability, but these normally do not include the ability to consolidate multiple votes, do calculations across results, or display tables of an entire workshop's results. However, there are browser-based audience-response tools that are suitable for risk workshops. Using these tools would normally require that participants have a separate browser window open on their computer, or use a second device such as a smartphone, in order to enter their votes.
Videoconferencing solutions often have features not available in in-person forums, such as chat capability, providing a second channel for participants to provide comments or ideas, and the ability to set up spontaneous breakout groups for subgroup exploration of topics. Many videoconferencing solutions also have whiteboard-sketch capability, which can take the place of flipcharts in the more conventional in-person workshop setting.
Most of the facilitation tips in the chapter still apply. One thing that is worth noting is the “use silence” suggestion; after asking a question that gets no immediate response, it is extremely tempting to fill the silence by talking more or restating the question. Don't. Wait through the silence. Note that this may be a longer silence than in an in-person workshop.
▪ ▪ ▪
Other than the above recommendations, virtual workshops are identical to in-person ones, including the importance of the sponsor, setting objectives, planning the agenda, the use of criteria, the recording of the discussion, and the basic process to be followed for each risk.
In his landmark 2007 book The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb introduced the concept of the black swan. Simply put, a black swan is an event that is extreme in terms of its impact, seemed highly unlikely before its occurrence, but is often rationalized as foreseeable in hindsight. The book argues that extreme events such as these have had disproportionately high, sometimes transformational, impacts on history, society, and industry. Examples of black swan events include World War I, the terrorist attacks on the World Trade Center in New York on September 11, 2001, the emergence of the Internet, the fall of the Soviet Union, and the 2008 financial crisis.
One of the challenges for the risk manager in dealing with black swan events is that, because they are by definition individually unpredictable and unforeseen, they usually do not find their way onto traditional risk profiles, and do not lend themselves to impact-controls-likelihood evaluations in conventional risk workshops. However, black swans do occur and can and do have a huge impact on the ability for an organization to achieve its business objectives. Therefore, much can be learned by examining them, and the ability of the organization to detect and cope with them should they occur.
One way to deal with this challenge is to approach black swan workshops as a thought experiment. The objective of a black swan workshop is not to anticipate the most impactful, most likely events and plan for the mitigation of those occurrences, as is the case in a conventional risk workshop. Instead, it is to postulate examples or classifications of black swans, and then ask the following questions:
To aid in brainstorming imagined black swan events, it may be helpful to identify categories of black swan sources or types, using a taxonomy like the following:
Ahead of the workshop, compile a list of possible black swan events, and obtain executive input as to which they wish to discuss. Then, in a workshop setting, the management team can explore each chosen black swan by following these steps:
Exhibit 19.7 Velocity Criteria
5 | Instantaneous | Less than 1 day |
4 | Immediate | 1 day to 1 month |
3 | Rapid | 1 month to 1 year |
2 | Gradual | 1 to 5 years |
1 | Slow | More than 5 years |
Just as was the case in conventional risk workshops, anonymous voting technology is recommended to elicit answers to steps 2 and 3 in the list above, using the same vote/discuss/revote process as described in the chapter. The results can be displayed on a velocity-versus-resilience graph for easy reference and comparison.
Black swan workshops do not replace conventional risk workshops. What they do is look at the risk-event-response capability of the organization with a different lens.
Note: At the time of writing of this chapter, the world is in the midst of responding to the COVID-19 pandemic. Whether this event is truly a black swan could be debatable, since pandemics do occur from time to time. But certainly, the impact on many countries, industries, and organizations has been extreme, and has tested their ability to understand the extent of the threat and be agile and responsive as events have unfolded. It would be prudent for many organizations to conduct a “lessons learned” exercise once these events, and other similar future major transformative occurrences, have concluded, to examine their resiliency in terms of dealing not just with pandemics, but with other such extreme events. A series of black swan workshops is an ideal process for this.
Exhibit 19.8 Resilience Criteria
5 | Immediate | Appropriate resources and plans are accessible or in place, are regularly tested, and could be deployed immediately. |
4 | Full | Resources are accessible or in place, and could be deployed with some effort. Responsibility for development of plans is clear. |
3 | Substantial | Resources are accessible for large aspects of the risk and its impact, but there are significant gaps, where we would have to organize ourselves, procure resources, and develop and deploy plans on the fly. |
2 | Partial | No resources exist for significant aspects of the risk or its impact; coping with the risk would take years of planning and resource redeployment. |
1 | Minimal | Plans and resources are unavailable. |
Rob Quail, BASc (Industrial Engineering, University of Toronto) was part of the team that established the enterprise risk management processes, tools, and methodologies at Hydro One Networks Inc. that are widely regarded as best practice. He has successfully applied ERM methodologies to a broad range of business problems and challenges, including acquisitions, outsourcing, downsizing, large-scale IT projects, labor disruption, regulatory compliance management, major construction project management, strategic planning, and capital investment.
Rob has lectured on ERM techniques at the York University Schulich School of Business since 2010. In addition to his ERM roles, Rob has held key executive leadership roles in the areas of business technology, outsourcing, and customer service.
Today, Rob provides independent consulting services in enterprise risk management, business process and technology outsourcing, and customer care to clients in a variety of industry sectors, including energy, health care, technology, financial services, and government agencies.