Among the seven habits of highly successful people, personal and organizational development expert Stephen Covey always emphasized “putting first things first.” In his best-selling book, he asked two powerful clarifying questions:
“Question 1: What one thing could you do (you aren’t doing now) that if you did on a regular basis, would make a tremendous positive difference in your personal life?
Question 2: What one thing in your business or professional life would bring similar results?”
Stephen R. Covey, The 7 Habits of Highly Effective People at 146 (1989).
Those two questions frame our blog’s theme for this month: prioritizing among risks for better risk management. For the next few weeks, we will provide resources about how to prioritize the different challenges you face in order to be most effective with your time, talent, and treasure.
Covey maintained that one should distinguish projects in terms of importance and urgency. As explained elsewhere, one should ignore or delegate unimportant, non-pressing issues, and likewise delegate or ignore urgent issues that really aren’t important. One should deal with urgent and important issues, but seek to minimize those activities over time by focusing as much as possible on issues that are important, but not urgent. By dealing with important issues before they become crises, one maximizes effectiveness.
That is sound advice, but how do you determine which risks you face are the most important? Over the last two months on this blog, we focused readers on identifying risks, both across the organization (November) and particularly with respect to cyber issues (December). We described how an organization can (and should periodically) conduct a risk inventory across its functions to identify potential issues. But once you have done so, how do you determine the big rocks?
We advise using three criteria: likelihood, magnitude of impact, and speed of onset. In other words, for a particular problem area, how likely is the problem to manifest itself, how much impact (financial, reputational, operational) would likely occur, and how much lead time will the organization have to address the issue as it unfolds? Similarly, for a potential opportunity (positive risk), how likely is the possibility, for how big of a gain, and how quickly is the payoff? The criteria are multiplicative. A threat that is very likely to happen, would impose moderate cost, and would strike quickly is more important than a low-likelihood event that could wipe the organization out but would be slow to manifest.
Those criteria are not mathematically precise. Different people, from different vantage points within the organization and outside it, may well have different opinions. Ultimately, senior management must determine which risks are most important, and why. But as we will discuss this month, there are ways senior management can structure input from within the team and among stakeholders to make sound decisions about priorities.