Assessing Risk

When it comes to sensitive content, we’re responsible for how we affect our users and how we respond when things don’t go as planned.

Digital risks

In person, social cues are often enough to determine what's appropriate, too personal, or offensive for any given person. But behind the digital wall, it’s not always obvious where the risk lies or what’s at stake.

Here are a few best practices

Keep in mind, these are subjective guidelines that serve as a flexible framework, not universal rules.

Step 1: What constitutes high-risk?

Severity | Description
Very High | Content matter is in regard to a user's health, finances, identity, or personally identifiable information
High | Violates existing regulatory best practices, but does not involve critical user info (above)
Moderate | It is not a high or very high risk, but it is difficult to reverse and/or a user may need to repeat an entire process
Mild | It isn't an ideal situation, but it's easily reversible and doesn't include very high/high risk factors in content

Step 2: What users are at risk?

Users affected | Description
Marginalized groups | If marginalized users will be affected disproportionately, relative to the majority of users
New/potential users | Users that are new to a product are likely to be less forgiving. They are actively judging whether the product will be a good long-term fit for them.
Existing/active users | Those that are already active users are less likely to be easily deterred
Inactive users | Least offended and least likely to be deterred

Step 3: How likely are they to occur?

Likelihood | Description
Likely + frequent | Most users will encounter this issue AND the issue will happen repeatedly
Likely + one-time | Most users will encounter this issue BUT the issue is a one-time occurrence
Probable | It's expected to happen to some users BUT the issue will happen repeatedly
Possible | It's expected to happen to some users but it's only a one-time event OR it's not likely to happen, though it's possible (one-time or repeated issue)

Propose next steps

When an issue is identified, how do you want your team to proceed? A numerical system like this could help, but the important part is that you have a method that works for your team.

Rating | Course of action
Any reds | Rewrite copy (see suggestions below)
7–9 | Defer to leadership - Document the tradeoffs and the possible benefits of the risks, then defer to PMs, managers, or leadership to make the final say
5–7 | Proceed with caution - Consider the circumstances of the content, the tradeoffs, and the possible benefits of the risks. Document the possible risks and provide mitigation recommendations for a V2.
3–4 | Safe to proceed - Document possible risks and mitigation recommendations in case anything changes down the road

Things to remember

  • You can always mitigate a risk - If you’re forced forward, what can you do to make things less harmful?
  • Document rationale - Even if you can’t change the design, documenting decisions, hypotheses, and future recommendations can only help.
