This is an article on: Risk Management, Process Bridges, and User Experience

Bridging Risk to UX

1 Unlikely Bedfellows?

  • You enable business success through vigilance toward project risk and organizational risk.
  • You focus on generating value by identifying the right problem before seeking an optimal solution.
  • You provide evidence-based and collaborative response to diverse needs and unanticipated conditions.

In fact, these statements apply to both User Experience (UX) and Risk practitioners. Though these teams typically sit in different organizational silos and are rarely afforded the opportunity to work together directly, there is a strong shared focus between UX and Risk.

2 The Promise of Collaboration

Risk and UX may leverage their discipline-specific strengths to the benefit of the other:

  • Risk's fluency in dollars, the language of finance and management decision-making, provides incredible power to showcase problems and drive changes in funding and focus to solve problems.
  • UX's fluency in user need, the language of competitive advantage, is coupled with an extensive toolbox of methods for producing reliable evidence of root cause, important problem nuances, and optimal solution selection.
  • The collaboration of UX and Risk may drive genuine organizational respect for users and risk awareness throughout corporate culture. Decisions may be made faster and with less risk of being blindsided later by real-world conditions.

3 The Risk to UX Process Bridge

A Process Bridge may allow us to understand times when teams are most aligned through shared focus. These process points are often the best opportunities for collaboration.

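| Risk                                    | OODA    | UX                    |
|-----------------------------------------|---------|-----------------------|
| Risk Monitoring and Risk Identification | Observe | Empathize and Define  |
| Risk Analysis                           | Orient  | Ideate and Prototype  |
| Risk Response                           | Decide  | Test                  |
| Risk Mitigation                         | Act     | Implement             |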

The above Process Bridge represents the process steps of the ISACA CRISC job practice ("Risk") and the NN/g variant of Design Thinking ("UX"). This Process Bridge was constructed using observed behavior process equivalence and a simple form of John Boyd's OODA Loop.

The above image shows alignment of Nielsen Norman Group's variant of Design Thinking to the ISACA CRISC job practice areas using the OODA Loop as a Process Bridge, as itemized in the table above.

4 Opportunities to Generate Value

Though execution tasks (the Act step in the OODA Loop) are typically discipline-specific or governed by rigid existing workflows, there are substantial opportunities for UX and Risk collaboration to generate value in observation, orientation and decision activities:


  • Research: UX may adjust User Research plans to collect data on user perception of risks and controls. Is the password reset mechanism hard to use? Is our privacy notice as good as our competitor's? Do our users care to read the privacy notice, or care that the site is SSL-protected? Control usability is a major factor in control compliance.
  • Escalation: Risk may identify problems collected passively by UX. A user reports that email opt-in or privacy controls do not align to local regulatory requirements. The relationship built between Risk and UX enables the business to reduce decision blind spots as teams escalate problems rapidly and directly to their peers, also allowing better solutions to be identified.
  • Evangelism: UX and Risk may advocate the value of the other to peers, increasing organizational currency. Risk may benefit from UX's strong relationship with Product and Engineering. UX may benefit from Risk's strong relationship with Management roles and the Compliance function.


  • Risk Awareness: UX may leverage information from the Risk Matrix to produce more effective solutions. As a list of known risks with accompanying mitigation status, the Risk Matrix may provide forward-looking cues to UX which enable enduring designs that provide risk avoidance or mitigation.
  • User Empathy: Risk may benefit from User Testing and User Research data as a path to empathizing with users. Understanding a user's motivation and challenges enables Risk to identify potential pitfalls in risk response options. What does this data look like?
    • User Research data may include field study results (Ethnographic research), interview videos, clickstream analysis, survey results, and competitor product testing results.
    • User Testing data may include eye tracking heat maps, co-discovery videos, A/B testing metrics, first click testing selections and percentages, and remote testing videos.
    • UX practitioners select a mix of qualitative and quantitative methods based on their experience, the problem, and funding, so the exact data available may vary.
  • Culture Shift: UX and Risk may benefit when promotion of a User-Centered and Risk-Aware culture enables other segments of the business to make better decisions. If User-Centered, Risk-Aware decisions are made by Sales, Marketing, Legal, Engineering, Operations, End-User Support, Accounting, Investor Relations, etc., the quantity of negative User Experience events and the level of new Risk should diminish.


  • Progress: Risk may prevent deadlocks in Risk Response by representing user viewpoints. The words of our users, collected by UX as quotes and videos during User Testing and User Research, provide memorable and hard-to-ignore representations of intangible risk.
  • Foresight: UX may enable more effective design and testing through clear understanding of Risk-based requirements. Many compliance requirements may be implemented a dozen different ways, with the optimal solution meeting both technical requirements and aligning to user expectations. The combination of the range of Risk Response options and the guidance found in User Testing helps us select the optimal solution.
  • Integration: Risk may provide UX a seat at the table by representing UX risk separately from Engineering and Product risk. UX may provide Risk a seat at the table by allowing early review as a design stakeholder. This integration increases the likelihood that a critical problem will be caught earlier, preventing rework and saving money. The escalated placement of UX Risk also allows the business to be more nimble in its response to modern UX risks in Omnichannel experiences, email campaigns, brand websites, security and privacy -- all of which may exceed the scope of just one product.

By building a bridge between UX and Risk, we enable our shared vision to more accurately identify problems, better leverage existing work products, and quantitatively drive improved organizational respect for its users.