Getting risk management right is not that complicated. Only 2 steps:
- Step 1 – stop doing risk assessments on a schedule (quarterly, monthly, whatever) and start doing risk assessments as part of the important decision preparation, when and where decisions are taken. Do the risk assessments when preparing the decision proposal for the decision makers. There are plenty of decisions to choose from, pick whatever decision is most material, uncertain and understood by you.
- Step 2 – stop using risk assessment techniques, that are guaranteed to produce inaccurate and deceitful results, like likelihood x consequence assessments, qualitative blah blah heat maps and so on. Use proper math and decision theory. Present results not as risk levels or colors, present information about risks as the effect on objectives or decision (XX% chance of exceeding the budget, XX% of completing the project on time or below, XX% chance of significant extra costs between X and Y, NPV between X and Y at 95% confidence interval, etc.)
That’s it. Simple :))