Risk management risks

The risk management process, as I understand it, consists of the following processes:

• Risk identification
• Risk evaluation
• Risk response
• Risk monitoring

There are of course variations in this, but that gives the basic approach. What occurs to me is that there are risks associationed with the risk management process, what I would describe as metarisks. These consist of:

• Risk of incompleteness of risk identification (forget/don't identify a risk)
• Risk of misevaluation of risk (think its not high risk when it is, and vice versa)
• Risk of unsuitable response
• Risk that response fails
• Risk of inadequate monitoring
  

Of course, there is a risk that this list of risks regarding the risk management process is incomplete, that the evaluation of these risks is inappropriate etc. These are metametarisks; there is infinite regression and questions of "quis custodiet ipsos custodes?" (who will guard the guards).

Aside from the discussion of infinite regression, the issue of addressing metarisks is a serious one; the solution a simple one. I recently had the pleasure of seeing a piece of software called Stream, produced by a company called Acuity, in action. It mitigates the risk of incompleteness of risk identification by having a large database of risks; it mitigates the risk of an unsuitable response by having response suggestions; and it mitigates the risk of inadequate monitoring by storing monitoring data in the database. It may not be the first or best of its type, but it certainly seems to do a good job.