How To Run a Risk Assessment Workshop

By Resolver Modified February 7, 2021

I hope it’s safe to say that Risk Management has gained enough attention over the past few years to have become at least a consideration in most managers’ minds.

I hope that before embarking on every project a PM will conduct a project risk identification with key stakeholders and at least try to estimate which risks are the big ones.

I hope that Sr. Managers encourage risk assessments both within departments and across them, and finally I hope this information gets used to make more informed decisions. So – wearing my optimism hat – there are a lot of people out there conducting risk assessments with a wide range of topics, detail, and experience.

Consider this a layman’s guide to an effective risk assessment. First, a word of caution: I am not an accountant, auditor, or lawyer. In fact, I’m a nerdy computer science guy, so this is purely a completely biased (yep, it is) but very effective way I personally have managed upwards of 20 corporate-wide risk assessments. Before you dive into the risk assessment, there are a couple of basics to get sorted:

  • Figure out who should be involved – make sure you have representation from all key stakeholder groups
  • Determine what format works for you – interviews, online surveys, workshops…
  • Determine what type of results you want to get out of the session – rankings, discussions, ideas, response plans…

Preparing for the Workshop

  • Book a reasonable amount of time to cover the topics
  • Determine assessment scales that everyone will understand and get agreement from the two most senior people in the room.
  • Make sure the scales have both qualitative and quantitative components and do not focus exclusively on financial risk.
  • Agree on a language for your risks that will reduce confusion (e.g. don’t put the word “or” in your risks)

Principles of the workshop

  • Ensure you get viewpoints from everyone
  • Use an effective technique for anonymous voting (i.e. Ballot by Resolver)
  • Have one person dedicated to writing everything down (not you, and not one of the participants)
  • Sample 90 min Workshop Agenda (30 risks): your group may be faster or slower depending on the number of risks and the depth of discussion.

  1. After the workshop, share the results and the corresponding actions with participants; this will dramatically improve the process the next time around. Resolver*Ballot Feature: Auto generates PowerPoint and Excel documents to share with others.
  2. Keep the voting results and use them next time to plot change over time. If you are doing a routine assessment (e.g. every quarter), which risks are changing? Which risks are increasing? Which actions did not get executed on? Resolver*Ballot Feature: Merge multiple files and plot them on a single Heatmap to understand change.

By now hopefully you’ve got some ideas on how to run an effective risk assessment, and our software will improve the results with anonymous voting. We’ve helped hundreds of companies, large and small, get great results very efficiently. This includes companies like SONY, WAL-MART, PHILLIPS, HEINZ, DELOITTE, PWC, E&Y and small companies that you’ve never heard of. We’ve even helped the Canadian Government and the United Nations. Oh, and our software doesn’t cost much since it scales to the number of users that you need. So stop reading and buy our software.

If you are looking to learn more about running risk assessment workshops in your organization, feel free to contact us.

For more risk assessment related news and articles, follow us on LinkedIn, Facebook or Twitter.


[1] An online survey can reach more people but needs more structure going into the process. It requires more preparation and pre-work, or the results will not represent the complete picture.
[2] The estimated risk that remains after existing controls or mitigating actions.