10 Achieving Understanding


Gather as much information as time allows and the assessment will almost write itself, but you’ll be surprised at how much information you need.


Before you can tackle the actual analysis, you need to develop a deep understanding of the organization, its operations, operating environment and the challenges it faces. This understanding will be based on reviews of the organization’s own documents, staff interviews and open-source research. The existing knowledge of the project team will also be useful but care should be taken not to bring preconceived ideas or biases into the risk assessment process. At this stage, the focus is on gathering facts and data. Note opinions and presumptions but make sure these are kept separate from the data.

Information Requirements

The specific information requirements you have will depend on the purpose of the assessment. In general, you are trying to understand:

  • The organization’s goals and objectives
  • Its structure and individual roles and responsibilities
  • What ‘normal’ looks like
  • The critical processes
  • Risk attitudes, tolerance and appetite
  • The operating environment and likely threats
  • Sensitivities and potential conflicts or roadblocks
  • Any upcoming changes to ‘normal’ and how these might affect the organization.

This level of understanding is probably enough to begin to populate the assessment itself but you will find that as you dig into one area, additional questions will arise. You should keep asking ‘why?’ and ‘so what?’ to ensure that you really understand the organization before you start the Assessment phase.

Remember, even someone like Bobbie who is conducting an internal assessment won’t know everything about their organization. Moreover, they will also have some biases and perhaps misconceptions they need to correct in order to develop an effective, objective assessment.

The bad news I need to share is that there’s no easy way to develop understanding, and this is the most time-consuming part of the whole process. However, the good news is that if you plan this stage out and execute it effectively, the rest of your assessment is a breeze.

The document review

How you go about gathering information is largely down to personal choice but it can also be based on availability. Sometimes you just have to begin with what is available.

Personally, I prefer to start with a top-level document review of the whole organization. Even if I’m focused on one activity or a single project, I find that this helps put everything into context. This includes looking at the organization’s overall structure and where it operates, reviewing top-level policies and procedures, reading recent annual reports and conducting open-source searches for news about the organization.

Once I feel that I have a general understanding of the overall organization, I then start to draw up the specific information requirements that I think I need to meet the assessment’s objective. Throughout this research, I try to keep detailed notes and list key observations or additional information requirements that I identify. This will be a great help later but I try to avoid drawing any conclusions at this stage.

Interviews

Once you have completed the basic document review, you can move on to the interview phase. As Bobbie found out, these need to be planned out in advance and there’s a high degree of repetition but the results are worth it.

I recommend researching before interviews wherever possible; otherwise, you might find that you have too many knowledge gaps to be able to conduct an effective interview. Interviews are an opportunity for you to help fill in gaps you have after the document review. You will then get a better idea of what issues and concerns people have and be able to put these into context.

Care should be taken here, as simply cataloging people’s concerns will give you a fear registry, so make sure you dig deeper. Nevertheless, understanding people’s concerns can often explain why a seemingly disproportionate amount of time or effort has been focused on one area instead of another.

During interviews, keep detailed notes because you will want to refer to them later. Quotes can be used anonymously in reports to allow people greater freedom to be forthright. I also recommend that you have a basic script for each interview and ensure that you cover the same core questions each time. I have found that this kind of repetition can generate interesting results. The exchange between Fred and Bobbie happened to me but involved a much more serious situation.

Be skeptical

Throughout the understanding phase and the whole risk assessment process itself, it is important to remain curious and somewhat skeptical, so ask yourself, ‘so what?’ and ‘why?’. This isn’t suggesting that people are misleading you – although that can happen – rather, you are trying to identify gaps, discrepancies and matters that might be overlooked otherwise. Unless you ask ‘why?’ or dig a little deeper, you will end up with a superficial perspective on the organization’s risks, and more complex, less obvious, but critical risks may be overlooked.

License

Beyond The Spreadsheet Copyright © 2020 by Andrew Sheves. All Rights Reserved.
