Written Risk Assessments

Many organisations have irrational obsessions and unhealthy relationships with their written risk assessments. I’m not saying that you shouldn’t do written risk assessments because you should. They’re an extremely important part of a risk management framework. However, what is unhealthy about them, is the demand from management to have a written risk assessment, but once it’s done, it just gets filed and nothing else is done with it. Yet if something goes wrong, the first question is, ‘Where’s your risk assessment?’

This is a bizarre way to operate because you can write all the risk assessments in the world, but unless your staff are understanding of and actively managing risk, all your paperwork means absolutely nothing. Despite this reality, the paperwork obsession remains a top priority for many organisations, but unless every activity is being run by switched on professionals who pro-actively manage risk within the organisation, then no matter how good your paperwork is, you’re exposed.
 
The practical reality is that you can write whatever you like in a risk assessment document but often, once it’s written, it’s quickly forgotten. It soon gathers dust and like vampire in the night, it never sees the light of day again, until a pile of fanged marked corpses prompt someone into action.

You simply can’t afford to place yourself or your staff in a situation where this is the standard operating procedure. The end result, if something does go wrong, is usually expressed through head scratching and befuddled proclamations, ‘Well, we wrote a risk assessment!’ However, there can’t be a disconnect between the documentation and the implementation. They must be reflective of each other.

One organisation I previously worked for were totally and utterly obsessed with written risk assessments. I was tasked with auditing their risk assessments and methodology. However, from the moment I started reading what they had in place, it became evident there was absolutely no connection between the activity and what had been written. Subsequently, it became perfectly obvious that nobody had actually read any of the paperwork, which left me wondering what they’d been doing. Not only did their pointless documentation have to be re-written from scratch, a significant process of change management was required to refocus the culture within the organisation to be one that was proactive in its assessment and management of risk.

Often the source of this problem is that many organisations don’t have people who truly understand risk management at the top. Just because someone has reached a leadership position, doesn’t mean he actually knows anything about management, least of all, risk management. Therefore, if you put someone in the situation where he is supposed to be managing risk, yet doesn’t understand risk beyond filing a written document, it’s little wonder that he’s focussed on paper pushing nonsense and not on organisational culture.

In this situation, when something goes wrong, it becomes all about blame and retribution. It’s not about discussing what was the root cause of an incident, it’s about finding scapegoats. This sort of approach is unhealthy and totally counter-productive. What an organisation needs to be able to do is sit down and openly discuss activities that involve risk and be prepared to debrief near misses and learn from each other’s knowledge and experience.

Good risk management procedures stem from this sort of open, honest and pro-active culture of risk managers within an organisation. If everything’s about retribution and blame, you create a culture that wants to cover up anything that doesn’t go 100% to plan. With this, you get a thin veneer giving the impression everything’s fine, yet scratch the surface and you’ll find what can be a toxic mix, priming itself for a significant failure.

To avoid this, there has to be that open and honest conversation about risk, about contingency planning and about response and mitigation. It’s important to have someone at the top setting the tone and facilitating the culture within an organisation to ensure you have a team of proactive risk managers.
 
Ultimately, documentation is only a tiny part of how your organisation should be assessing and managing risk. The remainder comes down to the professionalism, experience and team work of your staff to ensure that every activity is being run safely and effectively. Once you’re operating with this cultural mindset and have a team of pro-active risk managers, the paperwork takes care of itself.