Wait! That Happened Here? Leveraging a Risk Rating Activity to See What's Coming

Here's normal: wait for a crisis to arrive before starting to manage it. Do you want to be normal? Or do you want to win? To win, you should start managing a crisis long before it arrives.

Organization continuity involves developing the best understanding you can of the challenges that may be coming and then doing the work to prepare for and meet those challenges. In the organization continuity framework, these are the foresight and formation activities.

Today, I’m going to share one of my favorite activities. It’s simple. It’s effective. It breaks down organization silos. It helps you prioritize your efforts. It’s called a Risk Rating Activity – you get the best group of people you can into a room, discuss risk topics in detail, and assess your findings. It’s simple but not always easy, so let’s go into some detail…

There are countless risks, but time is precious – so which should you focus on? 

For most organizations, I explore ten risks with a few sub-topics. Examples include:

• Theft
• Violence
• Medical emergencies
• Cyber-attacks

These should be tailored to your organization. For violence:

• A school may consider sub-topics like student-on-student, student-on-teacher, parent-on-teacher, and maybe teacher-on-student incidents.
• While a retailer may look at customer-on-employee, employee-on-employee, and employee-on-customer incidents.

You can see that some of these risks are more likely than others. And that’s okay. You want the participants to think about what’s possible, not just respond with experience.

Once you have your list of risk topics, who should you include in the activity?

In short, identify those people in the organization who will give you the best information and the most insight into the organization.

• Executives and department heads can have a broad organizational view.
• Frontline employees can understand day-to-day operations.
• Long-tenured employees can have historical knowledge of past incidents.

But how many? Too few, and you miss perspectives. Too many, and discussions become unwieldy. There’s no hard and fast rule - you want the right people with a diverse range of perspectives. Generally, I’ve had my best success with 5 to 10 participants.

Now, with your risk topics identified and your team assembled, you can start the discussion. But how do you keep it on task and what are you trying to discover?

Quickly explain a risk and ask three questions about it.  

1. LIKELIHOOD - How likely are we to experience this risk? Rate this likeliness on a scale of 1-10: 1 is a negligible risk and 10 is an imminent risk.
2. IMPACT - What would be the impact on our organization if this happened? Rate this impact using a scale of 1-10: 1 indicates a negligible impact and 10 would mean grave consequences.
3. VULNERABILITY - How vulnerable is the organization to this risk? Rate the vulnerability using a scale of 1-10: 1 suggests no weakness and 10 suggests it is extremely susceptible.

As you facilitate this activity, your most pressing job is to keep the discussion moving.

• Keep the rating scale visible for constant reference.
• Remind participants what things mean as the activity progresses. They will often start to lose their perspective during the discussion.
• Prompt discussion and challenge assumptions with thoughtful questions. For example:
  • If the group assigns an “imminent risk” rating to the risk of an active shooter, ask, “Is there a specific threat leading you to believe this will happen soon?”
  • If the group dismisses the risk saying, “That would never happen here”, say, “They may be rare but what are you doing differently that leads you to believe it will never happen here?”

After discussing and rating each risk topic, you’ll have numerical data that helps quantify the risk. For instance, an active shooter scenario might score like this:

• LIKELIHOOD is a 3 which means an active shooter is on the low end of possible.
• IMPACT is a 10 which would indicate grave consequences if it happened.
• VULNERABILITY is a 7 indicating you are very susceptible – you have few measures to discover or respond to this type of event.
• Multiplying the example above gives an informal risk rating of 210 which can be compared to other ratings..

With all risk ratings calculated, review your ratings and adjust them as needed; this activity is subjective, and your rating standards tend to vary during the discussion. Then, compare the ratings to each other, identify your highest-rated risk topics, and prioritize your next steps based on your highest numbers. It’s not always easy, but this activity is that simple.

Imagine hearing the response that is both concerning and kind of funny at the same time… “Wait! That happened here? Where was I?” Or imagine being able to put fears into proper perspective - finding your biggest fears may be unfounded or that your confidence in safety may be misguided.

What's it worth to discover what’s going on in your organization, to break down silos, and to be able to prioritize your next steps? Would you give up a few hours?

Avoiding a crisis and then managing one that can’t be avoided gets easier when you spend a little time upfront asking the best people the right questions. 

Are you looking to better understand the challenges your organization faces? We offer training and consulting services for individuals and organizations of all types and sizes.

Strong & Resilient | Apple Podcasts 

Strong & Resilient | On Spotify