Almost every company has one: a moment so disastrous it’s permanently etched in corporate memory.
Not all of them precipitate global media stories – Exxon Valdez, Deepwater Horizon, the Union Carbide Bhopal gas leak – but, as well as taking a terrible human toll, these risk management disasters leave scars on the collective psyche of the board, senior management team, and shareholders.
Businesses rethink safety or environmental policies and processes. Governance measures are tightened. Risk management plans are enforced. Everything is done to make sure such disasters never, ever happen again.
And yet, most organisations fail to close one simple risk management plan control loop.
At the very beginning of their capital projects, many businesses fail to ask the ‘Red Flag Questions' that should trigger immediate (and globally consequential) alarm bells.
"These are often the questions that in hindsight, seem obvious...So obvious, no one actually thought to ask them."
Why isn't there a risk assessment early in every project?
Businesses don't ask the obvious question for three reasons:
-
The illusion of overkill
Capital projects are subjected to many risk identification processes, including HAZOP, Layer of Protection Analysis or Probabilistic Hazard Analysis studies. It's easy to imagine that any major corporate risk will leap out at this point. But not necessarily.
These processes focus exclusively on project delivery risk and many only look at one part of the project. They don't explicitly ask enterprise-level risk evaluation questions, like: “Does the project interface with an ammonia system?” or “Is this project in a new country?” which, in some organisations, should trigger an immediate escalation of oversight by a subject matter expert for further risk analysis.
-
The illusion of awareness
Corporate horror stories are kept alive at the senior management level, but eventually they stop trickling down to teams.
Over time, corporate knowledge degrades. Employee churn and the use of contractors means workforces are constantly being refreshed. Leaders imagine it's unthinkable these issues aren't top of mind daily for everyone or that risk evaluations aren't assigned the level of importance that they deserve.
This is a critical error. Unless the risk evaluation processes are codified in risk assessment, executives cannot assume they will be alerted when the business starts work on a project that bears frightening similarities to a previous disaster. Evaluating risk with risk ratings and risk scores should be mandated methods in determining project approval.
-
The illusion that size matters
Some companies do ask risk evaluation questions, but only when they're dealing with projects of large capital value. Typically, big projects make up around 20% (by number) of projects being executed in a given year.
That leaves 80% of projects running below the radar for potential risks – and some of them will be high risk. Also, small projects are often led by new or inexperienced project managers who may not know enough to ask the right questions.
What should our risk evaluation questions look like?
Risk evaluation questions are as individual as a fingerprint. They depend on what has caused your organisation (or industry) its worst moments of pain and failure in risk management history.
Professional Indemnity claims are a good place to start. Typical questions include:
-
Could this project result in a significant environmental incident?
-
Will the project interface with an ammonia system?
-
Will the project be delivered in a country where we do not currently operate?
-
Are we introducing a new manufacturing process?
-
Are we introducing a new technology?
How should risk evaluation questions be constructed?
As a general rule of thumb, risk evaluation questions should be:
Binary
These are Yes/No questions, making it easy for project managers to check through the list and ensure absolute clarity from a control perspective. Risk evaluation questions should be easy to understand and unambiguous, with supporting materials to clarify meaning where necessary.
Limited
You don't want too many. Most of our clients use around 15 questions as part of their risk evaluation process. A ceiling of 20 is a sensible limit.
Introduced early
Ask the risk evaluation questions early in the lifecycle, at the beginning of the development phase. When you identify estimated risks early on you can define solutions before moving on.
Trigger happy
A risk evaluation answer should trigger immediate contact from a subject matter expert who will help the project manager assess and treat the risk. A red flag won't necessarily kill a project. As per ISO 31000, it will simply ensure the risk criteria gets the governance it deserves.
Supported by senior management
It is vital people know leaders won't ‘shoot the messenger'. In a good risk management culture, people who trigger risk evaluation alerts should be publicly praised. There are significant benefits of any risk management process and one of them is contributing to a successful overall outcome.
Embedded
These risk evaluation questions are so critical to risk assessment, they must be systematised and embedded in the delivery processes of every project – big and small.
Predict the future with an early warning system
You need a centralised platform for risk management that drives project managers to answer risk evaluation questions early and captures their answers.
Any risk evaluation question with the answer “yes” should trigger an alert to the appropriate subject matter expert.
The management system or software you are using should also populate the risk register and log any mitigation actions developed.
This allows governance owners line of sight across risk evaluation questions, giving them confidence that the right questions have been asked, that risk assessments are being managed, and subsequently identified risks are mitigated.
Ultimately, risk evaluation questions are an early warning system, a coarse filter to make senior leaders aware of the risk factors they should be paying attention to.
Without them, there is a likelihood of organisations repeating their worst mistakes.
For further information about risk evaluation questions or to have a personalised demonstration of our product, please don’t hesitate to reach out to us.