Making risk management work (1): Roles and definitions

This post is part of the Content Is The Web risk management series.

So you already know that your sign-off process slows things down and makes it difficult to work with others. But you still need some way to hear everyone who should have a say, and to make sure that your web content is fit for purpose before you publish it.

Here’s something I picked up from an employer that could never guarantee 100% safety to everyone – the armed forces. It’s a risk management system, and it lets you gather more detailed information than you get from a typical sign-off process, while keeping you in control of your content.

In short:

It’s a risk if it might cause something bad. Risks are expressed in short risk statements. Every risk has its own likelihood and consequence, which both contribute to its severity. More severe risks need to be mitigated, but you can accept less severe ones. And you’re going to record all this in a risk register.

It’s going to take a couple of posts to explain this properly. This one defines a few key terms and explains the roles that people play in managing risks. Once that’s all set up, part 2 explains how to talk about risks.

Terminology

It’s a risk if it might cause something bad

Two things define a “risk”. Firstly, a risk is the possibility that something might go wrong. Not putting a big bunch of small print on a landing page? There’s a risk you’ll get done for hiding important details. Trying on a new tone of voice? There’s a risk that you’ll create confusion around your brand. Giving the work experience kid the password to your company’s Twitter account for the weekend? You get the idea…

On the upside, risks carry rewards. There’s no point taking a risk if there’s nothing to be gained. Less small print gives you shorter, more appealing landing pages. A new voice might carry more appeal than your current one. You need to take a proper break for a couple of days, without angry customers’ tweets rattling your phone every 10 minutes. These are all rewards.

Risks are expressed in short risk statements

A risk statement quickly and clearly describes exactly what might go wrong. It’s always about people, and it always includes the word “might”.

To take the examples above:

  • Readers might not see everything that’s important about our products
  • People might not recognise which company they’re dealing with, or might not connect with us in the same way as before.

If something is going wrong right now it’s an issue, not a risk

If a problem is already happening, it’s too late for risk management. In the calm parlance of the military, you have an “issue”. Just clarifying that before I don’t mention it again.

Every risk has its own likelihood

Since a risk is the possibility that something might happen, it follows that some risks are more likely to actually play out than others. You need to quantify this likelihood for every risk. More on gathering the right information in part 2, and what to do with it in part 3.

…and consequence

If a risk does occur, something goes wrong. This is the consequence, and again it’s something you have to quantify. You’ll need broad categories to sort consequences into. For this introduction I’m going to look at financial, reputational, and legal consequences, but this is nowhere near a full list.

…which both contribute to its severity

The severity of each risk is determined by both its likelihood and consequence. The more likely it is, the more severe. The worse its consequences are, the more severe it is as well.

[Figure: likelihood, consequence and severity]

More severe risks need to be mitigated

Mitigation can make a risk less likely, or make its consequence less serious, or both. By mitigating risks, you make them more acceptable.

…but you can accept less severe ones

An acceptable risk is one that you’re willing to take. Ideally, risks you accept are a mix of:

  • quite unlikely
  • low-consequence
  • relatively rewarding.

Or they might just be unavoidable.

And you’re going to record all this in a risk register

Yes, we love documentation. A simple risk register does two things: it lets everyone see full details about each risk (whether you’re still working on it or have accepted it), and it’s also how you’ll be able to see all the risks that apply to a given piece of content. This doesn’t need to be complex. A spreadsheet ought to do the trick.

People and roles

Risk reporters tell you what might go wrong

The good news is that you don’t have to work out all of this likelihood and consequence stuff for yourself. Remember those stakeholders who used to sign your content off, or maybe just get an FYI when you were working on their stuff? In most cases you can recast them as risk reporters.

Just like their name says, risk reporters report risks. You need a range of risk reporters with different skills, much like your old sign-off tube. Each risk reporter has the job of pointing out problems that your content might cause. But they’re not just doomsayers: they also have to give you the information you need to properly define the risk’s likelihood and consequence. Ideally they’ll have a few mitigation ideas as well.

This job only goes as far as pointing things out. There’s no decision-making involved. That’s an important difference to the old sign-off way of doing things, which gave a series of people a genuine “yes/no” decision about your content.

Even though this can feel like a loss of power, you’ll probably find that most people quite like being asked to explain things from their point of view. And that’s another difference – as you cover each risk, you’re going to learn a lot more about how, say, legal think when they review content. All you empathy junkies out there in content-land are gonna love this.

A single risk owner has the final say

Remember how risk reporters don’t make any actual decisions? That’s because a single, central person does. The risk owner decides what mitigation work you do, and which risks you accept as they are. Whether the risk is financial, reputational or legal, the risk owner doesn’t change.

The risk owner has a full understanding of what the content you’re looking at is doing – who it’s for, why it’s important, and what it needs to achieve. Their view is wider than a standard legal or marketing stakeholder. Seniority helps, too, because accepting risks is a lot like approving costs.

Do everything you can to keep risk ownership close to content production. Since the risk owner has to balance risk and reward, make it someone for whom the rewards of high-quality content matter.

Putting this all together

How risk management works (2): Holding conversations explains how to ask the right questions of your risk reporters. Part 3: The Framework explains the tools you’ll use as you manage risks.