Risk Management: 5 Easy Steps

Most businesses, if not all, talk about risks. But are they actually managing them? We will discuss 5 easy steps to execute risk management.

I’ve heard people say things like “if we do that, then there is a risk that…”, “what are the risks involved?”, “we don’t want to take that risk”.

But how many of these risks are properly identified, planned, and actively managed?

Risks occur in all areas throughout any project: documentation, stakeholders, plans, budgets, quality, staffing, financials, environmental factors etc. So what should we do about this?

Let’s define the risks we are referring to in risk management. The PMI PMBOK 5th edition describes a risk as ‘an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives’. Negative risks are known as threats, and positive ones as opportunities. OK, now what?

Risk Management Identification

The initial step in risk management is to put some words around what the specific risk is. I learnt a good technique for this many years ago: ‘As a result of <a possible event> there is a risk that <something happens> with the effect that <something is impacted>’.

This method focuses on relating risks to specific things that could happen, i.e. events. A common mistake I’ve seen before (and have done in the past myself) is to put a variation in estimation or another similar uncertainty down as a risk. For example, ‘Estimates might be too low’. This isn’t a risk, as it doesn’t relate to an event – it is estimate variation that should be dealt with elsewhere (a topic for another blog post, I feel). Even something like ‘As a result of the server being low on memory, work will take longer with the effect that development is delayed’ is still an estimation uncertainty. It also doesn’t read well as a risk, as it’s not a specific event, and the effect should be something more meaningful than ‘there is a delay’.

Here’s a better, and real-world, example: ‘As a result of the bolts on the airplane wings being made of steel there is a risk that these could shear at high G with the effect that there is catastrophic loss of the wing’.

Risk Management Rough Sizing

Once the risk has been identified, size it for probability and impact. This is known as qualitative analysis. Probability is simply a percentage; impact can be as simple as High, Medium, Low. A risk may be high probability but low impact, or low probability but high impact, or any other combination. As a rule of thumb, if a risk is over 70% I like to actually plan it into the schedule instead.

This type of analysis helps us rank our risks so we know which ones we care about most, so we can focus our attention on the right place and in the right order.

Risk Management Budget and Time

Now we need to work out how much the risk will cost (or save), in time, money or performance/quality. For example, if a threat hits, it will take 2 developers 2 weeks to sort, and will delay the project by 3 weeks. This is known as quantitative analysis.

Risk Management Mitigation

This bit is key – OK, so you’ve worked out what the risk is, and how big an issue it could be. Next, what are you going to do about it?

You have a number of options here:

  1. Reduce/increase its impact – you might be able to do something specific to reduce how big a problem this could be or even remove it, or look at ways to maximize an opportunity. Key to this is to put it in your schedule as an activity – someone has got to spend some time doing something here, so plan for it. Of course, this needs to complete before you think the risk could occur to give you the best outcome.
  2. Do nothing – just accept it could happen. Not a good option for threats, but sometimes you genuinely might not be able to do anything about it.
  3. Transfer it – can the risk be put into a contract for a supplier or given to another team to deal with or leverage the benefits for you?
  4. Avoid it – change your plans so this circumstance can’t occur – if you can, this risk is gone! This really only applies to threats.

What’s left?

After you’ve mitigated, there may be no risk left at all, but there may be some residual risk – the cost and effort (or benefit) might be less, or the probability reduced, for example. That’s OK, you are just going to have to keep on top of that, but at least now you know about it and you’ve done what you can about it so far!

Other Tips

Threats and positive opportunities are worth thinking about separately, as they need a different mindset applied to them to get the best results. We generally find it easier to come up with threats, but to really drive some positive thinking maybe take the team off-site to the coffee shop or the pub so they are in a good frame of mind when thinking about opportunities on the project.

I could go into more detail around some of this, but that’s for another time – things such as secondary risks, risk matrices, risk exposure, management contingency etc. In the meantime, good luck managing those risks!

 


 

 


Rich Mason

Rich is a Project Manager and occasional blogger
