Human-centric risk assessments. What does that even mean? It means assessing:
😎 Your stakeholders’ UX (user experience) of risk & compliance content.
😎 Testing understanding, access, accountability, and trust.
😎 Recognising that controls failures account for a minority of risk events; human behaviour is the biggest risk factor (pressure, fear, and poor decision-making).
How is this done? Many ways, but here are a few ideas:
💡 Surveys that provide instant feedback. Most employee engagement surveys are underwhelming (putting it kindly). They’re poorly worded, avoid necessary self-reflection, and seldom result in any change or honest feedback to those whose time was wasted. They certainly don’t generate the instant feedback of seeing how you voted across various domains (trust, accountability, rewards & recognition, etc.). You’d be amazed at the goodwill you can create by asking simple and honest questions and sharing the results openly.
💡 Interactions (from interviews to workshops) where we ask risk questions without using risk language (especially contortions around probabilities, which are quite inaccurate when expressed in words; see the image above).
💡 Speaking to people. Kevin Withane’s genius idea of a hundred 20-30 minute calls with people randomly selected from across his organisation. The chats focused on their risk realities and how he could better support them.
Got any other examples?