Reporting results from a risk analysis can seem like a daunting and cumbersome task. Even after a lot of work, key stakeholders may walk away without a good understanding of what the results truly mean. If you have found yourself in this position, recovering from a convoluted message or miscommunication of results, it can be un-motivating.
Here are three simple steps to helping you deliver clear and concise results.
Build a Deliverable that Tells a Story
When conducting a risk analysis, there is always a purpose or objective behind it – use that to paint a picture for the audience. It is not about just throwing into the report a whole bunch of quantitative numbers and charts.
It’s important to create a report, presentation or deliverable that walks the audience through the problem and results. Creating the story or narrative that supports your results helps you as the analyst, inform the stakeholders.
While this may be time consuming to adjust a report specific to the narrative you want to convey, you will provide more value to your audience.
Read a blog post by my colleague Rebecca Merritt for a step-by-step example of how to turn your analysis into a story.
Be Direct and Specific
Deliverables to stakeholders should not be bloated or convoluted. Make them lean and mean, quickly and concisely highlighting the following:
- Purpose of the Analysis
Why did we assess this topic? Who is the audience for the results? What decisions can be made from these results?
Indicate any important scoping or data assumptions you may have made. Note any uncertain data you may have used, hoping it may get refined in the future. These are all important apects that should not be ignored, but directly addressed in your reporting.
Results should be analytically based but communicated in layman terms. It should not be a requirement to be certified in FAIR to understand your results. Stakeholders want to know that there is rigor in the analysis, but details should be summarized, so the report can be digested in a short amount of time.
Spell out the interpretations to the results and how they can be used. Is the reporting effectively showing the value of a control improvement or initiative? Our role as risk analysts is to inform decision-makers, but providing interpretation and recommendations is of value to our audience.
Risk isn’t Just ALE
Quantitative risk reporting is not just about the Annual Loss Exposure (ALE). While ALE is an excellent means to prioritize and compare risks, there are many more results from an analysis that help us communicate and inform. I highly recommend communicating ALE alongside per-event results, like:
- Frequency Ranges
Communicate how rare or frequent a specific loss could occur. If this is a once in a hundred-year event or a monthly event, that alone is may inform us quite differently.
- Per Event Magnitude
Understanding the impact of a single event can be of value. We may find that a single loss occurrence is outside of our stakeholder’s risk tolerance. Also, we can compare a single event impact to our insurance coverages, and other meaningful scales. Finally, we can break down the impact by type of loss (response, fines/judgments, reputation) which also provides additional insights not communicated by ALE alone.
Next time you are reporting results from an analysis, follow these tips and let us know if they are useful.
5 Habits for Highly Effective Risk Analysis
Secrets for Gathering Good Data for a Risk Analysis