Making risk management work (4): The tools you need

This post is part of the Content Is The Web risk management series.

This post explains the tools and tables you’ll use to manage risks properly. It follows on from earlier posts about the framework and conversations that risk management uses.

The short version:

Each risk is documented in a separate report, and each piece of content you work on needs a register of all its risks. So long as you’re having the right conversations and following the framework, this is basic admin.
Continue reading

Making risk management work (3): The framework

This post is part of the Content Is The Web risk management series.

Update, 13 Sept 2014: I finally got around to adding in the five steps a risk goes through.

Risk management replaces your old sign-off process. As part 2 explained, it changes what you ask as you work though content with other people. Once you have a big pile of information from these risk reporters, this post explains how to sort through it all. The next post introduces some of the tools you’ll use.

The risk management framework makes the entire process as objective as it can be. It rates each risk’s likelihood and consequence on separate scales, then produces a severity measurement. This determines how acceptable the risk is (or isn’t), and shows you what risks are most important.

The short version:

This needs managerial buy-in, so work with higher-ups. Classify risk consequences, then set objective grades for each type of consequence, and for likelihood. Put those grades on a grid, overlay severity ratings, then track each risks through five stages from ‘reported’ to ‘accepted’. Hey presto, you have a risk management framework.

Continue reading

Making risk management work (2): Holding conversations

This post is part of the Content Is The Web risk management series.

You know the roles and definitions that risk management is based on, so now we turn to how to talk about risks with your risk reporters. After that, the next post introduces the tools you need to manage them.

(Risk reporters used to be stakeholders and points of sign-off. If that’s news to you, let me repeat the link to How risk management works (1) – Roles and definitions.)

It’s your decision to talk to risk reporters one-by-one, or all together as a group. It’s most important, especially at first, that you do actually talk. The old days of sending drafts and receiving tracked changes or free-form comments are over. Continue reading

Making risk management work (1): Roles and definitions

This post is part of the Content Is The Web risk management series.

So you already know that your sign-off process slows things down and makes it difficult to work with others. But you still need some way to hear everyone who should have a say, and to make sure that your web content is fit for purpose before you publish it.

Here’s something I picked up from an employer that could never guarantee 100% safety to everyone – the armed forces. It’s a risk management system, and it lets you gather more detailed information than you get from a typical sign-off process, while keeping you in control of your content.

In short:

It’s a risk if it might cause something bad. Risks are expressed in a short risk statements. Every risk has its own likelihood and consequence, which both contribute to its severity. More severe risks need to be mitigated, but you can accept less severe ones. And you’re going to record all this in a risk register.

It’s going to take a couple of posts to explain this properly. This one defines a few keys terms and explains the roles that people play in managing risks. Once that’s all set up, part 2 explains how to talk about risks.

Terminology

It’s a risk if it might cause something bad

Two things define a “risk”. Firstly, a risk is the possibility that something might go wrong. Not putting a big bunch of small print on a landing page? There’s a risk you’ll get done for hiding important details. Trying on a new tone of voice? There’s a risk that you’ll create confusion around your brand. Giving the work experience kid the password to your company’s Twitter account for the weekend? You get the idea…

On the upside, risks carry rewards. There’s no point taking a risk if there’s nothing to be gained. Less small print gives you shorter, more appealing landing pages. A new voice might carry more appeal than your current one. You need to take a proper break for a couple of days, without angry customers’ tweets rattling your phone every 10 minutes. These are all rewards.

Risks are expressed in a short risk statements

A risk statement quickly and clearly describes exactly what might go wrong. It’s always about people, and it always includes the word “might”.

To take the examples above:

  • Readers might not see everything that’s important about our products
  • People might not recognise which company they’re dealing with, or might not connect with us in the same way as before.

If something is going wrong right now it’s an issue, not a risk

If a problem is already happening, it’s too late for risk management. In the calm parlance of the military, you have an “issue”. Just clarifying that before I don’t mention again.

Every risk has its own likelihood

Since a risk is the possibility the something might happen, it follows that some risks are more likely to actually play out than others. You need to quantify this likelihood for every risk. More on gathering the right information in part 2, and what to do with it in part 3.

…and consequence

If a risk does occur, something goes wrong. This is the consequence, and again it’s something you have to quantify. You’ll need broad categories to sort consequences into. For this introduction I’m going to look at financial, reputational, and legal consequences, but this is nowhere near a full list.

…which both contribute to its severity

The severity of each risk is determined by both its likelihood and consequence. The more likely it is, the more severe. The worse its consequences are, the more severe it is as well.
likelihood-consequence-severity

More severe risks need to be mitigated

Mitigation can make a risk less likely, or make its consequence less serious, or both. By mitigating risks, you make them more acceptable.

…but you can accept less severe ones

A acceptable risk is one that you’re willing to take. Ideally, risks you accept are a mix of:

  • quite unlikely
  • low-consequence
  • relatively rewarding.

Or they might just be unavoidable.

And you’re going to record all this in a risk register

Yes, we love documentation. A simple risk register does two things: it lets everyone see full details about each risk (whether you’re still working on it or have accepted it), and it’s also how you’ll be able to see all the risks that apply to a given piece of content. This doesn’t need to be complex. A spreadsheet ought to do the trick.

People and roles

Risk reporters tell you what might go wrong

The good news is that you don’t have to work out all of this likelihood and consequence stuff for yourself. Remember those stakeholders who used to sign your content off, or maybe just get an FYI when you were working on their stuff? In most cases you can recast them as risk reporters.

Just like their name says, risk reporters report risks. You need a range of risk reporters with different skills, much like your old sign-off tube. Each risk reporter has the job of pointing out problems that your content might cause. But they’re not just doomsayers: they also have to give you the information you need to properly define the risk’s likelihood and consequence. Ideally they’ll have a few mitigation ideas as well.

This job only goes as far as pointing things out. There’s no decision-making involved. That’s an important difference to the old sign-off way of doing things, which gave a series of people a genuine “yes/no” decision about your content.

Even though this can feel like a loss of power, you’ll probably find the most people quite like being asked to explain things from their point of view. And that’s another difference – as you cover each risk, you’re going to learn a lot more about how, say, legal think when they review content. All you empathy junkies out there in content-land are gonna love this.

A single risk owner has the final say

Remember how risk reporters don’t make any actual decisions? That’s because a single, central person does. The risk owner decides what mitigation work you do, and which risks you accept as they are. Whether the risk is financial, reputational or legal, the risk owner doesn’t change.

The risk owner has a full understanding of what the content you’re looking at is doing – who it’s for, why it’s important, and what it needs to achieve. Their view is wider than a standard legal or marketing stakeholder. Seniority helps, too, because accepting risks is a lot like approving costs.

Do everything you can to keep risk ownership close to content production. Since the risk owner has to balance risk and reward, make it someone for whom the rewards of high-quality content matter.

Putting this all together

How risk management works (2): Holding conversations explains how to ask the right questions of your risk reporters. Part 3: The Framework explains the tools you’ll use as you manage risks.

Sign-off is like road works

This post is part of the Content Is The Web risk management series.

I’ve already written about how sign-off processes make it hard to collaborate properly. Now we turn to another reason sign-off sucks: It’s slow and frustrating, like roadworks.

You might typically have 3-6 people sitting between your work and publication. They’re called things like ‘legal’ and ‘marketing’, but they’re better depicted like this:

Stop/go signs

Continue reading