You're facing skepticism from stakeholders on risk severity. How can you ensure they grasp the importance?

Start with framing the risks within the larger project or business landscape. Contextualize by relating it to strategic objectives by using case scenarios or KPIs. Moving on, highlight it by quantifying and visualizing risks on a high level. Use classic PM techniques such as risk matrix or EMV and communicate it the stakeholders. Make sure you connect with stakeholders on their respective level.

To ensure stakeholders grasp the importance of risk severity, start by contextualizing each risk within the broader scope of the project or business operations. Illustrate how these risks can impact key objectives or metrics that are vital to stakeholders, making the risks tangible rather than abstract. For instance, in a previous project, I identified a potential supply chain disruption that seemed minor at first. By mapping out its potential ripple effects on production schedules, customer satisfaction, and revenue, I was able to demonstrate its far-reaching consequences. This made it clear that addressing the risk was not just a precaution but a critical action to safeguard our strategic goals.

A good source of data for what has actually been reported is the FDA's MAUDE database along with the TPLC database are gold mines for that kind of information. They tell you what has actually happened with similar products so you can infer from them probabilities of occurrence. While it is limited devices cleared or approved into the US, it still gives enough information to be useful.

To ensure stakeholders grasp the importance of risk severity, I leverage clear, concise data by illustrating potential impacts through historical precedents and hypothetical scenarios. For instance, I often recount a time when a company, similar in size and industry to ours, faced a cyberattack due to overlooked vulnerabilities, leading to significant financial and reputational damage. By crafting a vivid narrative that highlights what could go wrong, stakeholders can better visualize the consequences, making the risks more tangible and urgent without the need for technical jargon. This approach effectively communicates the gravity of risks and underscores the necessity of proactive measures.

We like to think about risk in a rational way but "risk as a feeling" is a real thing. Even in a professional setting, where serious discussions take place about how to manage risk, everyone has their own personal view on risk. Often it works silently in the background that can affect their perception of the actual risk under discussion. It helps to be aware of this dynamic in the background. Good facilitation skills are critical. Make sure everyone has an opportunity to share their views. Be aware of your own perceptions. Don't push one view over the other, or undermine someone else's view. Seek alignment, not consensus. These discussions, where we are trying to align on the severity of potential consequences, cannot be rushed.

Emotion is powerful and can cause issues In startups, the emotional stress of a founder or executive on a short leash from investors can overpower real data brought in by practical observation. Take for example diagnostic imaging and the application of artificial intelligence to it. Very often that software sits on a network in a larger network in a clinic or a hospital. From a cybersecurity perspective, it's total zero trust as you don't control the network and therefore cannot trust it to be safe. Some recent events in my personal life this year opened my eyes to just how unsafe that can be. Therefore, it's essential to convince the stakeholders of the need to ensure their software does not allow a cyber attack to progress!

To ensure stakeholders grasp the importance of risk severity, engaging them emotionally is key. Share compelling stories or case studies where inadequate risk management led to significant human and organizational consequences. For instance, recounting a scenario where a neglected risk resulted in a major operational failure, causing financial loss and employee distress, can vividly illustrate the potential fallout. This approach not only highlights the tangible impacts but also fosters a personal connection, making the need for robust risk management more urgent and relatable.

First thing to be sure of is that your risk numbers are VARIABLE and DEFINED. Proper frequency definitions that equate to Six Sigma defects, LTPD, AQL, or whatever management is comfortable with must be established. Severity must be untied to CRITICALITY. That is a completely different function altogether. Defined severity I to the appropriate risk numbers should be enough to limit the amount of foot dragging or refusal to accept the risk identified. But in starts with definition, agreement, and establishing the rules. Little argument should result if you’ve done your due diligence.

Have some kind of a plan to mitigate the risks ahead of presenting the risks. High level is sufficient and should be to the strategic goals as you understand them. Be clear about it and come with numbers showing not just how much it could cost them if a harm actually arises, also show how much they save by fixing it now and how much more profit that will bring them and the shareholders.

Use a Collaborative Approach:** Present data with visuals and real-world examples to clarify risks. Foster open dialogue to understand their concerns. Involve stakeholders in assessing risks and planning mitigations, building consensus and ownership. Use past incidents to illustrate the consequences of underestimating risks.

Present clear, data-driven analyses illustrating potential impacts on market positions and financial outcomes. Regularly update stakeholders with evolving risk assessments and case studies of similar market scenarios. Facilitate open forums for discussion, encouraging stakeholder questions and addressing concerns transparently. Emphasize how proactive risk management aligns with market competitiveness and shareholder value. Demonstrate the opportunity cost of inaction through concrete examples. Foster a collaborative environment where stakeholders feel informed and involved in decision-making.Highlight success stories of companies that mitigated similar risks through continuous dialogue, showcasing tangible benefits.