In some businesses and projects, risk management is described as an exercise in ‘ticking boxes’. This phrase means that people just follow the steps in the risk process, but with no real commitment or energy, and no belief that it will actually make any difference.
The term ‘box-ticking’ is always used in this negative way, as a bad thing to be avoided. But perhaps ticking boxes could be useful if we do it differently.
The key to using box-ticking in a positive way is to make sure that you have the right boxes. We can create a set of boxes that act as checkpoints to reinforce the correct process and encourage appropriate behaviour.
The right process boxes might include some of the following:
- All objectives are clearly defined
- Risk thresholds are stated and quantified
- All key stakeholders are contributing to risk identification
- Risks are described clearly and unambiguously
- Key risk characteristics are assessed and recorded
- Each risk has a single agreed Risk Owner
- Each risk has an appropriate response strategy with specific actions
- Risk exposure is communicated appropriately to all stakeholders
- Risk reviews are held regularly—and so on.
Ticking these boxes is a way of checking the risk process, marking progress and demonstrating that the right steps have been completed successfully. It provides an audit trail for process effectiveness. Each process box is linked with specific activities or outcomes, and the box must only be ticked if these have been completed in full.
Other tick-boxes might be designed to examine behaviours, for example:
- Stakeholders and team members feel comfortable to identify risks openly and honestly.
- Risk identification explicitly takes account of sources of bias.
- People are accountable and committed to completing agreed risk response actions fully.
- Senior management demonstrates visible and consistent support for the risk process.
- Risk outputs are used to inform strategy, decisions and actions.
- Appropriate risk-taking is encouraged and rewarded.
- The risk attitudes of individuals and groups are managed openly and proactively—and so on.
Ticking these boxes might be more difficult for some less mature organisations, as it requires an understanding of the softer side of risk management. But behaviour is just as important as process, and it should be examined in the same way.
Used properly, box-ticking is a valuable discipline, offering a framework for good practice. It can ensure that everyone knows what they have to do, and it can provide assurance that things are being done properly. It can also indicate areas requiring improvement in order to make risk management as effective as possible.
So let’s not condemn ticking boxes as a useless exercise. Instead let’s tick the right boxes to make sure we do the right things well.
This post was originally published as Ticking the right boxes and has been reproduced with permission.