I was invited not long ago to facilitate the review and update of a risk management plan for a $120-million IT project that had been running for a number of years. One would think that such a program would be well documented and my job relatively straightforward. My first clue that this was not the case was when I reviewed the documentation and discovered that the project was currently in Year 12 of a 10-year project and had at least three more years to run. My second clue that things were not well was that I was invited to facilitate a risk management workshop with just a few days' notice.

Surprisingly for a project which had been running so long, there was a complete lack of concurrence by workshop participants regarding even basic things, such as the risk ratings that had been previously assessed for the project. Quite simply, the risk registers comprising some 300 risks were unworkable not only in quantity but in the quality of their descriptions. The project risks had been described using terms such as "procurement," "shortage of skilled labor," and "cost overruns." These terms reflected some very real risks but one simply can't address a risk like cost overruns unless one knows what might cause it and the "so what?" factor. Thus, I went back the next day to the client to negotiate a change of scope to completely revise the risk register before running the rest of the planned workshops.

The challenge faced by the project stakeholders in trying to agree on risk ratings and risk treatments was akin to someone trying to assess and manage the risk of "terrorism." Everyone has their own concept about what terrorism means, so asking a group of 10 people to rate it or treat it is likely to result in 10 different ratings and even more treatments. To achieve a degree of consistency one must at the very least be specific about what type of terrorism one is concerned about before one can hope to assess, much less mitigate, it. Consider the terrorism risks in the following examples:

As you can see from the above examples, the so-called risk of terrorism can actually be multiple different risks with correspondingly different likelihoods and consequences.     

So how do we actually record a risk in a way that everyone can reach some sort of agreement on its severity or relative priority? The most consistent way I know is to use a method that I call "CASE," from the following four characteristics discussed in analyzing a risk:

Why do you need these four items to define a risk statement? Let's look for instance at the risk of the compromise of sensitive information. It is very difficult to analyze and rate this risk if we only have the event and the asset listed. Consider the different consequences if your organization's information was compromised by, say: industrial espionage by competitors; theft by criminals seeking to sell it back to you; theft of a briefcase from a car by petty criminals; or staff inadvertently releasing sensitive information to the corporate website.

The consequences of each of these would vary quite considerably and so too would the likelihood of the risk occurring, thereby affecting the risk and the risk treatments that you would consider in order to address them.

Consider however just how much easier it is to assess the risks if they were written to include CASE:

At first glance, it may appear challenging to use CASE to define risk, but it can be done in a sentence or two. Need some more examples of other types of risk?

The same structure can be used to describe positive risks:

Another great use for CASE is to evaluate someone else's risk assessment by testing the quality of risks identified against the CASE criteria. You'll be able to spot and point out any flawed risk descriptions or shoddy analysis at a speed that will be the envy of your colleagues.

And as for the IT project I mentioned earlier? The proposed "quick risk review" took slightly longer than expected. Before running any more risk review workshops I sat down with a couple of stakeholders to rewrite the risks into about 50 succinct descriptions. Once that was done, the subsequent workshops quickly achieved consensus on priority ratings that resulted in a new treatment plan that helped get the project back on track by refocusing on key initiatives and allocating resources where they were needed most. Without re-writing the risks in CASE format, it is likely that we would have spent the time in the workshops endlessly debating the meaning and rating of each risk with little benefit to the project.

Julian Talbot is an international risk management consultant, lead author of the Security Risk Management Body of Knowledge, and Chair of SARMA's International Affairs Committee. He is a Fellow of the Risk Management Institution of Australasia and Research Associate with the Australian Homeland Security Research Centre. This article is based on excerpts from his latest book, Get the Benefits of ISO 31000:2009 Risk Management Fast!

Several years after Hurrican Katrina and almost a decade after 9/11, can we honestly say that either New Orleans or New York has "returned to normal?" 

People tend to hold on to that elusive yet persuasive belief, because "normal" is what they really want. But professionals and practitioners in crisis and emergency management know better. We understand that normal is gone forever, never to return. We accept the fact that something akin to normal will eventually be established and that major elements of our pre-disaster environment will be restored -- but that other elements will be different.

We also understand that achieving near-normalcy entails much more than conventional disaster recovery operations, and we grasp that it will require much more than extraordinary diligence in mitigation activities. We need something that allows us to boldly declare "we're knocked out but coming back stronger than ever." So how do we get there?

This is where resilience comes in, inhabiting a place in our imagination and our emergency management lexicon that proclaims a status in which society:

We cannot get there through limited, non-strategic thinking and we cannot begin to assemble the realistic and challenging elements which make this vision a concrete possibility without jumping outside our conventional comfort zones and imagining the necessary degree of effort, resources and imagination to achieve that exalted state.  

This is far beyond recovery as we crudely understand it, which entails things like debris removal, render-safe operations, resumption of power and water services, and the establishment of temporary shelters and expedient public health facilities. This is thinking on a grand scale -- on the order of the Manhattan Project and Apollo Moon landing. We are not there yet and we risk not getting there because of our inability to wrap our minds around the scope and scale of what needs to be done.

Resilience has many dimensions. First, there is the personal and psychological dimension, which tells us that we have survived and will again prosper. Then there is the familial and social group dimension that tells us that comfortable social systems are valid once again; the organizational and systems infrastructure aspect that reflects robust restoration of essential infrastructure systems; and the commercial and economic dimensions that say normal business activity is humming along. Finally, there is recognition that pubic safety and government are operating on the sound and reliable footing necessary to protect and safeguard the community.

These dimensions cannot be simply turned back on after a disaster -- like flicking a light switch -- as doing so requires the ability to plan, develop, test and deploy a set of systems, resources, assumptions and other key variables in order to produce evidence that a damaged community can be restored and become operational within seven days after a major disaster.  

Impossible? Delusional? No, it is only as difficult and daunting as trying to build an atom bomb when you've never done it before and then finishing the job in a mere 31 months of total secrecy. It's like putting a three-man team on the moon and safely returning them, after only seven years of research and testing with no prior experience. We have done things like this before -- and we are capable of doing them again.

A few words should also be said about the value of building a truly resilient society and support system in order to secure national safety. Enemies wishing to vanquish us and devastate our lives and nation in ways intended to cripple society and trigger chaos will be surprised and sorely disappointed when they discover we can rebound stronger than ever. When they discover that we cannot be eliminated or knocked down, we become as close to being indestructible as anything mankind has ever produced or achieved. The same insights also apply to devastating natural disasters, and while the time to restoration may be a bit longer, resilience can be extended to cover both man-made and natural catastrophes.

When a neighborhood or a society is committed to achieving a state of resilience, it works on the essential fabric of community and finds ways to overcome risks, vulnerabilities and shortfalls in favor of a robust and inspiring survival which is much more than a community simply emerging from the rubble. Resilience can easily transform communities because it makes a statement that all have come together and are committed to a restored community impervious to destruction. This is a massive challenge to today's generation of future leaders because it at times seems impossible to accomplish. May we always remember that there is a tradition of doing the impossible on our side. 

ABS Consulting is seeking a talented professional to provide technical and management consulting services to the federal government, specifically in the area of homeland security risk analysis for grant allocation at FEMA. Education and experience with economics or a related field is a key requirement. An active security clearance is preferred.