Many organizations seek to use risk management to create added value, but their risk processes often have weaknesses or faults which affect the outcome. Some of them are not aware of these weaknesses, while others know very well what they are.

A Persian proverb says, “The person who doesn’t know, and doesn’t know that he doesn’t know, will be ignorant forever.” It is clearly better to know our process weaknesses than not to know them, but how can we tackle our lack of knowledge? Here are three steps:

1. Where is our process weak?

The first step in tackling hidden faults is to find them. How can we find unknowns? French philosopher René Descartes recommended being skeptical about everything, which involves the following actions:

Analyze outcomes.Findareas in which expected targets have not been met, then explore whether there are root causes hiding in our processes that are leading to problems in performance. We may also find hidden opportunities in our processes that could improve outcomes.

Revalidate infrastructures.Take a fresh look at processes, resourcing, software tools, reporting and other elements of supporting infrastructure, seeking bottlenecks or areas where improvements are possible.

2. Can we tackle the weakness?

When we find a fault, we need to know whether our organization has the necessary resources to deal with it. The following questions can help us decide whether we can effectively respond to process weaknesses that we’ve discovered:

Reliable inputs. Are we currently providing reliable and precise inputs to the risk process? Can we significantly improve the quality of these inputs? Invalid inputs won’t help and might even hinder performance.

For instance, if we want to move from qualitative risk assessment to using quantitative schedule risk analysis, we will need a reliable baseline project schedule. Without a suitable schedule, introducing quantitative risk analysis won’t improve the process and might even reduce the level of accuracy available from qualitative assessment.

Level of precision. Can precision be improved cost-effectively? Is it worth it? How much precision do we need in order to make good risk-based decisions? For example, if we can predict risk exposure to the nearest $1,000 but our decision processes are working with precision levels of $100,000, the additional precision is not helpful.

Personnel competence. Upgrading risk processes may introduce new tools and techniques for our staff to use. For example, using quantitative risk analysis requires specialist expertise with simulation tools. Do personnel have the required knowledge, skills and competence? If not, can we provide the necessary training to equip them?

3. Should we tackle the weakness?

Once we find a hidden fault in our risk processes that we can address, we shouldn’t always rush to fix it. Sometimes we make things worse by acting without fully considering the outcome of our actions. At other times, the cost of fixing a process weakness can be excessively high. We need to determine whether we need to remove the hidden fault, or whether we should simply protect against its effects:

Fix it. Sometimes it is appropriate to tackle weaknesses in the risk process and decrease the number of unwelcome outcomes.

Leave it. However, sometimes we can decide to continue as we are, consciously accepting a known weakness, but focusing instead on improving and upgrading infrastructures needed to cope with its effects in future.

If we’re serious about creating and protecting value through risk management, we have to seek out hidden faults that cause problems in our risk processes. Then we must work out if we have what it takes to address weaknesses, and finally decide which ones to tackle and which to accept. Only then can we take action to improve our approach to risk management.

It’s always better to know than not to know. The harder question is what to do (if anything) when we find a weakness!