Hinson tips for risk workshops

A qualitative Risk Analysis typically involves holding one or more ‘RA workshops’, bringing together a bunch of experts in risk (including but ideally not just information risk), information security, compliance, IT, internal audit and the business (concerned managers, business continuity people) etc. with a competent facilitator (again, ideally someone outgoing with a background in information risk, possibly just a brilliant facilitator with an interest in making it happen and a successful record!) to organize and lead the session/s.  

Here are my hints on organizing and running RA workshop session/s (based on my personal experience and prejudices: your approach will vary!):

  1. Do some preparatory work before even booking or inviting people to the first event – in particular, consider the purpose. What do you expect the organization to get out of it? Why should people invest their valuable time by participating? Find out how other kinds of risks are analyzed/assessed normally, and how workshops are typically run. Speak to supportive senior managers to get them on-board with this – their support, and ideally their participation, will be invaluable. Start talking to other potential participants to sound them out, informally, and hopefully get them engaged/interested if not actually committed to participate (note: ‘participate’ not ‘attend’!). Once word gets around and others start to enquire about joining in, it’s time to press ahead to phase 2 …

  2. Based on the availability of key people, decide on the (first) session date, book a suitable meeting room or videoconference facilities, and send out invitations with a clear description of the purpose. Ideally send out background info too, such as an outline of relevant information risks already identified and managed, plus items for discussion such as further info risks that perhaps ought to be assessed and treated too (e.g. based on recent incidents, within the organization or elsewhere). Perhaps give people some homework to do before the session – at least a few issues to consider and hopefully get them in the right frame of mind for a productive session. Work closely with the facilitator (if not you) and other key players. Think about how the session/s will be run – perhaps even rough out the agenda.

  3. Keep promoting the event/s. [It may be possible to complete the whole thing in one session, but I suggest leaving open the possibility of further sessions, follow-ups, focus groups or whatever might be needed to explore some aspects in more depth, or simply to complete a wide-ranging analysis. It may be hard to convince people to commit to a lengthy and laborious process, so be sure to clarify the benefits: explain why this is a worthwhile and necessary investment of everyone’s time! The payoff includes awareness, understanding, collaboration, decisions, agreement, authority to proceed etc. …]. Spend time contacting and meeting people, explaining what is going on, reiterating the purpose, and generally lining things up. Send out reminders a week or so before the event. Via or in conjunction with those supportive senior managers, apply thumbscrews to any key people who are still reluctant to participate. As a last resort, persuade them to attend key parts of the session (beginning, middle or end – wherever they will gain and provide most value).

  4. Meanwhile, get things ready for the event itself. You’ll probably need whiteboards, for instance, but what else? How will the session pan out? What’s the agenda and timescale? How will things be recorded, and by whom? What outputs are to be generated? What inputs/info might be needed, or should be accessible? Order coffee and donuts! 

  5. Think about the team dynamics and personalities of those who will participate. Are there shy people who need to be supported to open up?  How? Are there assertive ones who may need to be gently restrained? How? Are there bones of contention, hot buttons to be pushed, parked or avoided? Who are the diplomats, the most powerful, well-connected and well-respected people present who can help keep things running smoothly and on-track? 

  6. There are lots of ways to run the session: my personal favourite involves first setting the background and explicitly agreeing the objectives, then getting people to write down their initial thoughts/ideas on Post-It notes (one per note), then inviting them one at a time to stick their notes on the whiteboard (ideally in related groups) while explaining briefly what concerns them. Don't dominate, facilitate! Let the discussion evolve and continue naturally from there, with gentle guidance as needed … gradually bringing things together by focusing on building, say, a PIG (Probability Impact Graph) or risk spectrum diagram or risk matrix or whatever – something, anyway, that brings sense and order to the thoughts and discussion, drawing out important themes, concerns or issues. Gradually firm up the group’s view of the information risks, relative to each other and perhaps relative to other risks to the organization. Check that you are on-track and meeting the objectives. Put extra effort into discussing and clarifying the main risks, and any issues, concerns or matters still unclear. Pick out and record any show-stopping/surprising comments, agreements, disagreements or decisions for extra emphasis. End by thinking forward to next steps: is more analysis needed e.g. another meeting? Are there already actions arising that need to be initiated and progressed? Who needs to do what, how and by when? Who else needs to be involved or agree to that? End by checking that you’ve met the objectives, sum up what you’ve achieved, outline what happens next, and of course thank everyone for their active participation.

  7. Follow-up. At the very least, tidy up the records and outputs of the session and circulate them to participants and other interested parties (possibly a brief overview for everyone – it’s a security awareness opportunity after all!). Get going on those actions arising e.g. update your risk register, Risk Treatment Plan, budget proposals etc. Make notes on how to make these activities even better next time.

There are websites, books and probably training courses in this area if you need even more guidance, as well as standards and methods for risk analysis and management as a whole. I’ve learnt how to do it by participating in and organizing these and other similar sessions, and by trying stuff out over several decades. It’s exhausting but can be fun and very rewarding when it goes well. An effective group is greater than the sum of its parts.

...oooOOOooo...

If risk workshops don't appeal, another approach is to do the initial risk analysis yourself (perhaps with your team or someone from Risk) on the basis of your knowledge, experience, expertise and biases (!), producing a ‘straw man’ that you can then discuss with individuals or small groups, modifying it as you go according to those discussions and further information that comes to light, including incidents and near-misses plus ongoing risk treatments. Work your way systematically up to and then around the management team, plus assorted info-risk-related experts. Every time you discuss it with a new person, add them to the distribution list for periodic updates including notes about recent changes made, to keep them informed as the picture evolves. It becomes a kind of live status report on the organization’s information risks – a metric in fact – that focuses attention on the risks identified, prioritized or ranked according to the consensus opinions of their relative probabilities and severities (or whatever parameters you use). Take the opportunity to mention information security initiatives and challenges, emphasizing how your work relates to risks of concern to the business.

...oooOOOooo...

Although the process (however you do it) is clearly subjective, I believe it would be a huge improvement for many organizations that either don’t do this kind of thing at all, or leave it entirely to someone buried away in the deep dark depths of IT or Risk. Stronger interaction or engagement between “information security” and “the business” is invaluable in gaining and retaining widespread support for an ISO27k ISMS, when the time is right.


PS  Chris Hall suggested that it might be worth running workshops with different groups of attendees, giving them the chance to explore their areas of concern more freely perhaps than in a mixed audience:
"You might need to hold a few workshops with different groups of attendees from different business areas. For example, it would not normally be a good idea to hold a risk workshop with both IT techies and some business function people."