Google has announced it is retiring Google Reader on July 1st. An outcry has been heard across the internet. First they take over an ecosystem, then they destroy it ... the Borg could not have done a better job. Assimilation, then destruction.

I was among those who cried out over the loss of a good and accessible RSS feed aggregator. I'm not on the side of those who argue RSS is dead. Being able to read my articles at my leisure, usually on the train to and from work, is something I would be difficult to wean off of.

So I looked around at other alternatives. Feedly was one of the first, and honestly, the service is excellent, and even pleasurable. The iOS and the Mac in-browser apps are very accessible. So I almost did not give it a second thought ... until I started to consider the redundancy and inefficiency in my workflow.

My past RSS workflow

Consider my past RSS related workflow. I would have a Google Reader client, either Reeder (on my Mac) or Mr. Reader (on my iOS devices) which I used to "scan" articles. Rather than reading everything that had come in, these applications allowed me to easily discard 80% of the articles that had come in overnight or during the day and push the other ones to my reading apps, either Pocket or Instapaper.

Whenever I had time to read a couple of articles at ease, usually on the train or during the weekend, I would open up my reading app and go through the articles, reading some and deleting, reference filing in Evernote or pushing to OmniFocus those that needed to be dealt with.

Let's review that again ... I touch every piece of relevant information at least twice, sometimes three times. Google Reader app to trash can or reading app. Reading app to trash can, reference filing app or to do app. Was there no possibility to cut out at least one step?

Turns out there is. Let me tell you what I did.

My current RSS workflow

Enter a wonderful website called IFTTT, which you can find here. IFTTT, for IF This Than That, is a web solution that automatically pipes content from one place to another. That another place can easily be an application, especially a combined web app and iOS app.
I set up IFTTT scenarios for my most popular RSS feeds, which I "liberated" from the Borg, oops, Google, through their Takeout tool. The following is a step-by-step guide to setting up IFTTT for this.

My IFTTT scenario

Step 1 - Selecting the first trigger

IFTTT has a lot of so-called channels. A channel is an entry or an exit point for an IFTTT scenario, or recipe as they aptly call it. If you look at my screen, you can see that there is an RSS feed channel, which we will set up as an entry point.

Step 2 - Choosing a trigger

Each channel needs to have a trigger identified. What will cause IFTTT to act? What does it need to monitor. For the sake of this example, we will select "New Feed Item" as a trigger. Anytime a new item is added to the feed we will be monitoring, the recipe triggers.

Step 3 - Completing the trigger fields

The system now asks to identify a feed. I choose MacTuts+, an excellent website on all things Mac related. I got the exact feed from my Takeout xml which contains all my Google Reader feeds, and copied it to this feed url field.

Step 4 - Choosing an action channel

Once we have defined what needs to trigger the action, we need to define what we want done with the information. This is where our action channel comes in. There are an enormous amount of different things you can do with IFTTT. We will now copy the information the trigger provides to a reading application. For the example I use Pocket, but this can be configured with Instapaper, Pinboard or whatever channels are on the IFTTT list.

Step 5 - Choosing an action

In Pocket, I can actually only choose to save the trigger information for later. It pushes the information captured by the trigger to my destination web application, which is pocket.

Step 6 - Complete the action fields

The "Save for later" action allows me to defined the entry URL, which is pre-populated, and the tags, which I adapted so I can see when which feed provided me with which post. It also makes it easier to search Pocket for a specific date and feed.

Step 7 - Create and activate

And I end up with a recipe that will ensure that my RSS feeds go straight to my Pocket reading app, instead of making a detour through a feed reader app. While it may clutter my reading app, it is just another inbox where I decide what needs to be done with that information. I've effectively cut out the middle man.

The investment pays off

OmniFocus is my particular GTD tool. While it has a significant and steep learning curve, I like what the tool can do for you once you get it configured right. Granted, it does take a while to figure out how it best functions for you. On the other hand, there is quite a lot of support available nowadays, from the blogs of Sven Fechner and David Sparks to the book of Kourosh Dini. So even if you feel apprehensive, you should not. You just need to be willing to invest the time in the appropriate configuration.

Defining "perspectives"

One of OmniFocus' key functionalities is its ability to define so-called "perspectives". A perspective is a set of selected contexts with defined conditions in several dimensions (only available actions, or all remaining actions for example) which allow you to focus on what you want to focus on.

To be a bit more concrete, if I want to focus on only work-related stuff and not be distracted by other things I need to do, I can define a perspective that shows me only work related "things". I purposely refer to "things" as it could be an action to be defined, a next action, an element with respect to which I am waiting for input from someone ... it could be anything, because that's how flexible a perspective is.

While a bit intimidating at first, perspectives are actually quite easy to define. One very important remark: you will need OmniFocus for Mac in order to define perspectives. Once you have defined a new perspective and synced your database, you can use defined perspectives on any OmniFocus application, be it on your Mac, your iPad or your iPhone. The definition, however, is only possible on the Mac.

On the shoulders of giants

As I said before, you cannot read this without referring to the work done by Kourosh Dini, who by my standards is a demi-god, or David Sparks or Sven Fechner. These guys have published a lot on OmniFocus and how to use it. You can find these interesting approaches back on their blogs, and on the Omni Group website. Do visit these sites, as they will give you a lot of background information on how to configure OmniFocus to your particular liking. Pretty much all of my ideas on using OmniFocus can be traced back to them, or even further back, to Merlin Mann. They are the giants that are standing there, I just got on their shoulders to reach the cookie jar. That being said, and without further ado, let's look at my perspectives for work.

My work perspective structure

I actually use three distinct work perspectives, as follows:

• to do @work
• today @work
• next actions @work

Let's examine each of them in more detail

My daily planning perspective: "to do @work"

This perspective is the last one I open every work day, and I try to open it only once every work day, and once each weekend. This perspective is the core of my daily planning, as it should contain everything that needs to be done in all my work related contexts. All remaining actions, whether are next actions, available actions and blocked actions, but not closed actions, are visible in this perspective which is organized by project.

Once every day, usually in the evening on my way back from work, when I have about an hour of downtime on the train, usually after I cleaned out my OmniFocus Inbox, I go through this perspective and work through the remaining actions per project. It is pretty much a daily review* activity. I review whether all my actions I expect to find per project are there, I validate, assign or reassign start dates, which pushes forward my actions to a realistic time to start executing, and I review and assign due dates. My due dates are hard due dates. These do not reflect intents rather than obligations. If a task is not done by that date, I'm in big trouble. For more on that, I refer to David sparks excellent article.

This review really clears my head of all the stuff I have built up over the course of the day. It's a cleansing ritual, almost. It gives me reasonable assurance that when I open my today at work perspective the following morning, it will be an accurate reflection of commitments and obligations I have to deal with that specific day.

The morning perspective: today @work

When I wake up, I usually take the time to go through the RSS feeds I try to follow. These give rise to a number of to do's which find their way into my OmniFocus Inbox. I've written about that approach [here] [1]. Once I get on the train, I usually reserve about 5 to 10 minutes to go through my today @work context in conjunction with my agenda. Long live the iPad for that.

This is more a sanity check than anything else. Any meetings which I need to attend have been planned in my agenda. Anything I have engaged myself to doing during the day that is not a meeting I find back on my today @work perspective. Like to do @work, this perspective is organized by project. In combination with my calendar, the perspective shows me whether I have been overly ambitious.

However, and this is an important step in my process, I also define two big rocks which I will flag in addition to possible due dates. Depending on their nature, I may even plan them into my agenda for execution, but that really depends on the nature of the actions. These so-called big rocks are the two (usually significant) tasks that I want to get done today. These are the tasks I commit to doing once I get to the office and right after lunch. This is why I avoid meetings before 10 AM if I can help it. It allows me 90 minutes of focus time before I get into activities such as meetings which usually lead to task collection, not task execution.

The focus perspective: next action @work

This is my true pedal to the metal perspective. In this perspective, which is organized by due date and context, I only see the next actions across all of my work.

It is a real focus perspective. There are no distractions. There are at most three tasks on there, that's it. Anything else has been cleaned off my current to do plate. I liken it to having a clean desk before breaching a new task, a true OCD trait. I need to have a clean workspace before I can get to work on another task. I need that space as much in my physical environment as on my desktop and in my applications.

Having a to do list of concrete next actions in front of me which allows me to really only focus on what I need to focus on, based on well thought out process that gives me a reasonable assurance on the completeness and timeliness of my next actions gives me the necessary peace of mind to focus without anything yelling for my attention in the background.

In conclusion

Combining these three perspectives allows me to have the best of all worlds. I have a regular moment where I check complenetess across all my projects (to do @work), a regular time for checking feasibility and determining the big rocks (today @work) and a narrow focus perspective as well. It helps me staying focused on what needs to be done without losing track of everything around me.

Information is all around us

I've likened it to wifi or mobile network radiation. It's there, but you are not really aware of it most of the time. Most of it will be completely irrelevant to your activities of that given day, or even your life. Some of it will be indispensable. But how to know which is which?

It gets even more complicated. We live in a day and age where we have the luxury, the opportunity, to tune into the stream of consciousness of the planet at will.

Think about this for a minute: at any one time you can gain access to what's top of mind for a lot of people you admire, as long as they are online.

A Catch-22?

There is a very big risk in that it may be the only thing you do, all day long. It can be an excellent excuse not to actually do some real work. But, on the other hand, if you don't tune into the right information flows from time to time, you may miss some very interesting ideas that are being born and shared. Again, how do you know when you need to do what?

So is this a catch-22? The answer may not please you, in that it is not a resounding "no." Rather, the answer is, as those are, more complicated. Let me illustrate by going through my daily information gathering and the capture mechanisms I employ to deal with that info. Be aware that I do not have the best possible solution to these problems, but I try my best to be both in tune with the planet (right) and in charge of my life and work. A delicate balance, sometimes.

My daily morning routine

Waking up

When I get up in the morning, around 6.15 AM, I usually need about 30 minutes to really wake up. There is no better way to do it than with a cup of coffee and Reeder, which I use as my RSS feed aggregator on both my iPad and my Mac. I scan through what the blogs decided to deposit on my little stretch of mental beach.

So what now Google has announced the killing of of Google Reader, I hear you ask. I have a vivid imagination. The short of it is "Feedly", the long of it is I am waiting for Reeder to come up with a viable solutions. Tick Tock ...

Some of the information I pass without even looking, some of the information I think may be relevant but not really urgent gets pushed to either Instapaper for reading or Pocket, which I use for videos I want to look at later. Most of these are, in Steven Covey's parlance, PC or production capability related.

Some information is likely to be relevant for me during the day, either to share with colleagues (ODI articles or any blog article by Chris Blattman) or related to my own production during that day. These get pushed to Evernote. They all get pushed to my Evernote "Today" folder, which is another inbox but one that gets visited every single day.

Going through the today folder, which I do at work, mainly involves tagging in Evernote. Feasible from my laptop but also from any of my i-devices. I recently started to use a good trick which I blogged about earlier. I've set up my home iMac (online all the time) to run an AppleScript on an 15 minute basis using Python. Marking the article with a review tag in Evernote generates an Omnifocus entry with a link to the Evernote clipping. The information finds its way into my todo list with limited intervention from my side.

Overall, I achieve this initial phase of gathering stuff into inbox items with a minimum of friction and resistance. And it wakes me up.

On my way to work

I shower, kiss my wife and kids goodbye, and I'm off to work. My podcast feeds have been synchronized the prior evening using Downcast's excellent location based updates so in my commute between home and the train station I'm listening to some of the podcasts I try to stay up to date with. Depending on the nature of the podcast, the podcast information either gets pushed to Instapaper or to Evernote. I consciously switch off the podcasts on the train. The train is for reading or writing. I use Notability in a workflow I described earlier. I switch back to the podcasts once we pull into the station, as I have a 10 minute walk to the office. In case there is some interesting stuff on the podcast, I can forward it easily to my OmniFocus Maildrop and deal with it when I get to that inbox.

In the office

When I get into the office, I usually try to get one big rock done before I open my email program. During my weekly review I try to assign one to two big rocks, activities that take one or two 45 minute segments, to each of my days of the week, and plan accordingly. This is not cast in stone, but I try to get something concrete done before I deal with the nitty gritty of my inboxes. It may seem trivial, but to me it is anything but. Getting at least one thing done that aligns with a higher altitude GTD goal really helps me in focusing on the doing. I keep that quote on Zuckerberg's desk, "Keep focused and keep shipping" in the back of my mind. Wish someone would build a nice wallpaper for my iPhone 4 for it ... I'll keep looking.

After the first big rock, I deal with the inboxes. Typically these are business mail (physical and email), Evernote and OmniFocus, in that order. It takes me about 45 minutes to an hour to go through that stack, on a daily basis. This is what happens, closely following David Allen's prescriptions:

• Physical mail gets thrashed or scanned and thrashed. Scans are sent to Evernote, to my Today box.
• Email gets deleted, dealt with (2 minute rule) or sent to OmniFocus. I change to subject line to a concrete next action or a PR + a title, indicating I need to create a project.
• Evernote Today files get deleted, filed for reference or sent to Omnifocus for further processing. I change the title to something appropriate, again either a concrete next action or a PR + a relevant title if I need to create a project.

Note that while I try to apply a "Touch every bit of information once" approach, this does not always work. When it interferes with my routine, I chose to not comply with the canonical GTD approach and adapt to what works for me. Once I realized I could do this (and so can you) it made my life a whole lot easier!

• OmniFocus next actions get treated last, but not least. Here I prune mercilessly. If I assign it to a project, it needs to add value by leading to the achievement of the clearly defined outcome of that project. If it does not, I kill the task. This activity also allows me to ensure appropriate phrasing of either next actions or projects. I simply built two textexpander snippets based on the correct verbs to define next actions and projects. This way, I ensure I create relevant next actions and relevant project descriptions. For your information, I check on a weekly basis whether new projects have the appropriate outcomes defined. If not, I think hard about what I want the end-state of the project to be. I also question whether or not I can realistically achieve this end-state with the means at my disposal. If I cannot, the project gets terminated.

This way, I have learned to say "no" to a lot of things. They do allow me to say yes to those things that matter, such as my family, and time with some wonderful people I have had the pleasure of encountering.

Please note this post talks about an aspect closely related to the work I do on a daily basis. The ideas below are my personal opinion on a specific opportunity in the context of development aid in general, and do not specifically relate to any organisation I am associated with or working for. These ideas are a reflection on what I see as a very important opportunity in our field of work, coming from a programme and project management background.

In a reality of reducing development aid budgets, proper due diligence becomes even more of a necessity than it was before

Western governmental aid budgets are becoming more and more tight. Traditional bilateral development aid is slowly but surely being replaced by multilateral and privately sourced aid. A well known example is the “Bill and Melinda Gates Foundation” that has means which dwarfen the development aid means of many a nation. In this changing reality, development aid agencies are transitioning from a state of monopoly to a state of competition among peers. While they are - often even by law - the sole responsible for delivering bilateral aid, they are in sometimes dire competition for access to multilateral and privately sourced aid. As this aid often goes to the “best” party, for a certain set of conditions underlying best, they compete to be the best in certain sectors and/or geographical areas, or a combination thereof.

In development aid context, “best” has most often been defined as most competent. And development aid competency is a function of the expert profiles you can attract as development agency. Certain agencies have a tradition of a presence and hence a competency in certain geographical areas and certain sectors. But now more and more, the reign of the sole, Western, embedded expert appears to be over. Not because the perceived value of the expert has gone down, but because the need for “business” management in projects is growing. Especially private sector funds, as part of foundations or as part of large Corporate Social Responsibility programs of multinationals, asks for timely, complete and accurate due diligence, and will hold the incumbent “manager” responsible, whether or not he feels responsible.

In other words, the accountability requirements regarding development aid have significantly increased in the past years. Is the development community ready, willing and able to answer this call?

Managers and experts on a collision course?

Even since before the early 1960’s we have become aware that the ultimate goal of development aid, realizing impacts, is notoriously difficult to measure. After all, quite often a development project is only one piece of a larger puzzle that eventually will lead to a certain aimed for impact on the beneficiaries. Approaches such as the logical framework have allowed us to link effort (input) with outputs, outcomes and impacts. Practitioners however are very conscious that this effort at quantification has its inherent limitations. New initiatives at the fringes of the logical framework, such as M&E (measurement and evaluation) or the more aggressive Value for Money initiatives try to embed a more quantitative approach into the traditionally qualitative environment that development aid is. We are just barely starting to understand how such initiatives and measurements can contribute to the ultimate goal of development projects, which is creating a better situation for the beneficiaries than the initial baseline.

I am convinced development aid expertise and management need not be on a collision course. Rather, traditional concepts of project and program management can actually aid an expert in both delivering better managed results and have more time to dedicate to the project content. And this is why these experts were engaged to do in the first place.

In essence, if properly applied, rather than making life for a development expert more difficult, project management methods and tools can lighten their administrative burden to the minimum amount required, in effect freeing their hands to work on the content.

Programme and project management at the crossroads of management and expertise

But how can project management contribute to increasing the quality of a typical development project? In order to determine that, we need to first understand what project management brings to the table. After that, we can examine where it can add value in a development project.

Let’s look at Wikipedia’s definition of a project:

A project is a temporary endeavor with a defined beginning and end (usually time-constrained, and often constrained by funding or deliverables), undertaken to meet unique goals and objectives, typically to bring about beneficial change or added value.

Taken this definition, most of what we consider to be (bilateral) development aid are projects. Of course, this does not tell us anything about how you execute a project. This is where project management comes in. Again, according to Wikipedia:

Project management is the discipline of planning, organizing, motivating, and controlling resources to achieve specific goals.

This gives us a bit more information on what we need to focus on when “doing” a project. There are a number of known project management methodologies out there that each have their take on how to “do” a project. While they are not fundamentally different, the language used can become rather technical and hence confusing.

PRINCE2, one of the better known methodologies, uses themes as a description of aspects of a project that need to be taken in account throughout the project. In other words, throughout the different activities, as listed in the definition, the themes provide approaches to answering the key questions which need to be addressed by a project. The PRINCE2 themes, which I merely use as an example, answer the following questions with respect to a project.

• Key aspects or themes in PRINCE2:
  • ”Why?” do we engage in this project? This question is usually answered in the project brief which we find in pretty much all development projects;
  • ”Who?” will be executing the work? Again, a question that is traditionally answered in the project definition phase of a development project. The advantage of the project management theme is that it continuously questions the relevance of the profiles currently in play;
  • ”What?” will be achieved in the project? While the what is almost always defined in development aid, project management stresses the need for common understanding of the final end state by all parties. It also focuses on how the project manager is to aim for the delivery of those requirements. What is fundamentally about understanding and about attributing responsibilities.
  • ”How?”, “How much?” and “When?” Establishing the what will not amount to much if the concrete way forward is not clear. It’s my experience that apart from a broad budgetary assessment, this phase is often underdeveloped in development projects. This is where project management can really make a difference between a nice concept and a succesful project result. I do need to point out that even if we tend to properly define how and how much, and do a good guess at when, the when factor is a very challenging factor, as most development projects need to deal with important and very influential external factors, such as weather (in agricultural projects) and process aspects, such as appropriate management of public tender procedures in partner countries.
  • ”What if?” things are different than we anticipated them to be? Even if the how is clear, the assumptions underlying the how may not hold. Again, this is especially true in less controlled environments, such as fragile states in which development aid is being delivered. Assessing the risks in a broad, structured and timely manner as they may impact the ultimate objectives of the development project will result in a higher likelihood of projects being delivered in scope, budget and with the required quality.
  • ”What is the impact?” of any changes in underlying assumptions? If risks manifest themselves, they will impact the projects. Within a context of limited available budgets, if we need to resolve issues, other aspects will need to be adapted as well. Assessing the impact, planning for change and appropriately communicating this to the relevant stakeholders, especially the partner, is not only a sign of good project management, but of respect as well.
  • ”Where are we now?”, “Where are we going?” and “Should we carry on?” is all about using hard and soft information to assess the continued relevance of the project. Monitoring and status reporting should not only focus on the ultimate goal to be achieved, but on clearly established milestones across the different project dimensions of scope, budget and quality as well.

An opportunity rather than an issue

Now, rather than falling into a trap of criticism and assessing development projects through a project management lens, let us consider these questions and who would be best placed to answer them. In my mind, this would best be the content expert, especially if he works closely together with his team of local and international collaborators. Hence, even if these questions are often not fully answered in a comprehensive manner at the beginning of a development project, I believe this to be more related to the need of adding on a structured project management methodology to our traditional the logical framework rather than to the lack of competence of the people being put in play.

Integrating traditional programme and project management techniques into frameworks such as the logical framework could actually enhance development projects to become best practices in any project management context, by optimally leveraging what is already present.

In conclusion

The need for a strict but efficient project and programme management framework in development aid grows. The increased accountability requirements of public money well spent is a key driver, but certainly not the only one. Both multilateral and private sector investment in development aid is on the rise, and with these investments comes a significant experience with and expectation of traditional project and programme management.

Rather than seeing this as a threat to the development aid community, I believe good project management can increase the quality and the relevance of the current development projects, especially if integrated with tried and tested concepts we know very well. The chasm that is being perceived by some is not really a chasm at all, but more of a small fissure that can easily be bridged by appropriate training and the right tools put in the right places.

And ultimately, I firmly believe that rather than increasing the administrative burden for an often already overburdened expert, it may actually reduce them, especially if aid agencies and their donors, learn to optimally use the information that is generated in traditional project and programme management systems.

Mmm ... look at that ... less than 260.000 people in front of me in the queue. At an activation rate of one per 4 seconds that amounts to about 12 days wait. Let's call it 14 days to be on the safe side ...

That's going to be one long wait for an application that is apparently very much worth it. In the mean time, I'll just reread Lex Friedman's excellent Macworld article on the app. If you want to read it, you can find it here.

14 days. What a wait ... but I am quite convinced it just might be worth it ...

This post expands on an article I wrote in 2010 for a blog called Risk 101 - Complexity risk management. The reason I got this from under the dust and decided to revisit it, was a discussion during a class I taught this week. Some of the concepts have been adapted to align with my current thinking.

The challenges of "inherent" risk

Although I have tried for years, it remains difficult to thoroughy explain inherent risk to someone who is new to risk management. The theoretical aspects are easy, but once you get into the nitty-gritty of how to actually determine "inherent" risk, most conceptual explanations leave you hanging.

The crux of the matter is whether we consider it possible or feasible to let people determine their exposure to risk without taking in account the current level of controls present in the processes they manage or are involved in. The problem? This is actually a lot harder than it seems. The assessors need to be able to ignore everything they know about the existing controls in their current process.

To illustrate, this would be equal to someone asking you to assess the safety level of your car while ignoring all the traditional, existing safety measures such as power brakes, airbags, power steering ...

The more I work in risk management, the more I teach risk management and the more I interact with people charged with implementing risk management, the more I wonder whether we should not forget about the theoretical aspect of inherent risk and focus on what our risk management responsibles know best: their actual situation. I am convinced good risk management needs to start from the actual situation in terms of risk management measures or controls, without necessarily questioning everything that has gone before.

Presenting risk in a matrix with residual risk on one axis actually makes a lot of sense, for a number of reasons. Let's consider the presentation of such a matrix with residual risk.

Visualizing risk management effort

A traditional risk control matrix visualizes the current level of inherent risk, a function of impact and probability of occurrence during a certain time interval without taking into account the existing controls, on one axis, often the vertical one. The current level of risk management (sometimes also referred to as the current level of internal control, although that ignores risk mitigation other than internal controls) is then shown on the other, most often horizontal axis. The result is a matrix where inherent risk and current level of control are two independent variables which provide a presentation of the risk profile of an organization.
However, as stated above, while theoretically enticing, in reality it is not that easy to assess inherent risk levels. Risk management, and especially qualitative risk assessments, are by nature subjective. Asking people to make abstraction of aspects that are inherent to their experience of a process may introduce a subjective bias that is likely to skew the entire exercise to the point of making it unusable or irrelevant.

But what happens if we were to assess not inherent, but residual risk. What if we ask the participants to assess the level of risk (as a function of impact and probability) as they currently see and experience it.

Mapping the current level of risk management or the current level of internal control becomes irrelevant, because it's already been taken into account. That is exactly where the difference between inherent and residual risk lies. What can we do next? I believe there are a number of possibilities, of which two are irrelevant or not feasible, and one is interesting to examine further. Let me take you through the first two first.

Back to the traditional risk matrix

Given we don't really 'need' the current level of control axis, we could consider going back to the traditional risk matrix, presenting impact and probability of occurrence on two axes. However, if we were to do that, we would again get caught in all the problems that pushed us to leaving this traditional presentation in the first place. Longitudinal presentation of risk profile evolutions would become a mess very fast. We would create the illusion that impact and probability are equally important in all circumstances, and we would fail to show that tolerances are individual to each risk (or, more correctly, to each objective and hence to each risk influencing this objective.)

'Calculating' inherent risk

We could try to calculate the inherent risk level based on the information about residual risk and the current level of risk management. The problem there is that you are performing calculations with figures determined in assessments which are not equally calibrated. You will use 'quantitative' data, such as numbers representing a level of impact, likelihood and current risk level which are based on differently calibrated scales, which therefore cannot be used in calculations together. In essence, you are comparing apples and pears.

Risk management effort as a relevant metric

We could determine, even in a rather objective manner, the 'investment' done in dealing with a risk. I like to refer to this as risk management effort or internal control effort.

It is a function of the means, in terms people, processes and technology which an organization has invested in order to bring a risk under control. Now, we will not assess the effect of this investment, which is pretty much what we did when mapping current level of risk management. We map the actual or perceived effort, either based on hard, tangible information as provided by the organization under assessment, or as assessed by the people performing the assessment. Of course I have a marked preference for the first method. If completeness of the direct cost information can be assured and a reasonable approximation of indirect cost elements can be agreed upon, this is a reasonably objective measure.

Introducing the Risk Effort Matrix (REM)

And what does the REM look like? It looks like the matrix below.

Let's examine this matrix in a bit more detail:

Just like the risk control matrix (RCM), we still retain the quadrants, but the content and thus the roles and responsibilities have fundamentally changed.

Quadrant I – What has gone wrong?

Quadrant I shows a high residual risk despite a high level of effort. What does that tell us? We invested a lot in order to reduce a risk exposure, but apparently it's not making much difference. This is an area where the existing management plans which gave rise to the investment need to be thoroughly examined. Internal audit can contribute by executing effectiveness audits, in order to determine whether the effectiveness issue is an external one or an internal one. In the former situation, no matter what would be done, the residual risk would remain high. In the latter, the investment in risk reduction was likely not the most optimal, and money was lost in suboptimal developments. This could for example be the case if the analysis lacked the necessary cost/benefit analyses?

Quadrant II – The future effort area

Quadrant II is the area where the residual risk is high, but in which to date little effort has been made to manage this risk. This is an area where new management action plans need to be developed, based on a good cost/benefit analyses, in order to determine and ideally implement the most optimal manner of managing the risk.

Quadrant III – Assurance and potential cost savings

Quadrant III is the area where the residual risk is low, aided by a significant effort in people, processes and technology. Management has invested, and it appears to pay off. The question remains whether it truly has. In this area, internal audit needs to execute its assurance task, giving comfort to management that the risk has indeed been reduced to its optimal level. In a number of cases, internal audit may decide too much effort was put into the risk management, and that a reduction of that effort will not significantly influence the risk in a negative way. This area of potential risk management overkill may become an area of significant cost savings for the organization.

Quadrant IV – Monitoring required

Low residual risk in an area of low effort requires watching and monitoring. It may well be no problems will occur here … but it is entirely possible there are risks waiting to explode on the risk scene of quadrant II here. Management needs to ensure monitoring, and internal audit can provide assessment of monitoring quality and relevance.