How to Assess, Plan, Monitor and Respond to Risks
What is risk management?
Risk management is the process of anticipating unwelcome events and mitigating their effects as much as possible. It includes anticipating and assessing risks, planning around them, monitoring them, and responding to them when appropriate.
Risk management applies to many fields, from Finance to Healthcare, and to many processes, from new product development to IT projects. Product development projects in particular are exercises in reducing risk to an acceptably low level.
And yet many companies have no formal process for risk mitigation. Other companies have an overly complex process that sits on the shelf because it doesn’t work.
Below we describe an innovative process for risk management that is both simple and effective.
How does risk management apply to projects?
Development risks can occur over the length and depth of a project. A team’s ability to anticipate and mitigate risks can significantly protect a product development project’s schedule and budget, and reduce organizational chaos.
Common risks in projects include:
- Internal risks
  - New-to-the-company technologies
  - Weak project management
  - Understaffed project teams
- Third party risks
  - New-to-the-company suppliers or partners
  - Insufficient assessment, requirements, communications and/or monitoring of external suppliers or partners
  - Dependence on a sole supplier that leaves teams vulnerable if they do not deliver
Risks are often categorized by type: for example, technical risk, market risk, or risks related to competitors, regulations, or resources. Here’s an alternative way to categorize risks based on when and how they’re likely to occur:
- Beginner’s risks – We stumbled over the basics or were not prepared because the situation was new to the company.
- Self-Inflicted risks – We did not do the initial planning correctly; we did not reach consensus up front.
- Unanticipated risks – Risk came out-of-the-blue and may have been utterly unpredictable.
- Denying/Avoiding risks – The risk occurred and we hoped it would go away.
- Communication – The risk became a reality; it got worse and we told management only when forced to do so.
- Solution – Our backup plan did not work and we had to go back to ‘square one.’
What are the benefits of Risk Management?
The main benefit of having a formal risk management process is preventing a risk from becoming real and having an adverse impact on your project. Even if you cannot avoid many risks, with planning you can mitigate or minimize their negative effects.
Risk management processes and tools also enable your company to have a quick reaction time. The exercise of anticipating and categorizing risks makes you aware of them so that you can see them coming and respond to them before they occur. Risk management also supports evidence-based decision-making that enables a company to respond effectively to project risks.
To realize these benefits, companies should think of risk management as a part of the learning organization, where cycles of learning are a part of the culture. Managing risk also implies an appropriate level of trust and transparency. Retrospectives in agile, or post-mortems at the end of a project, serve this purpose.
As organizations go through several cycles of risk management planning and execution, they often see that a common set of project characteristics is responsible for most project risks. Many project risks are self-inflicted and stem from deficiencies in the project planning process; managing risks is what project management is all about.
What is the risk management process?
There are three major steps in a risk management process:
- Identify risks – Brainstorm potential risks for the project and capture them. Leverage your project retrospectives to learn from prior experience. Perform root cause analysis to uncover why any unanticipated outcomes occurred.
- Determine the probability and impact of risks – For each risk factor you have identified, determine the likelihood that the risk event will occur and rate the potential impact if the risk happens.
- Plan and Prioritize risks – Now that you have a probability and an impact level, tabulate a final ranking for each risk factor by combining these two values. Use a table format (see Risk Management Matrix below) and share it with the team.
- Don’t stop paying attention to risks. Nothing stays the same for long.
- Track your progress using the Risk Management Matrix.
- Communicate with management frequently, not just when something goes wrong.
- When you have an indication that a risk may turn into an issue, avoid the instinct to hide from management. Be open about it.
- When the risk turns into a negative event, continue to communicate with management.
- Use the Risk Management Matrix and its proposed solutions to formulate your response.
- When the event is under control, document the issues and root causes for the next project.
What tools can you use to operationalize the risk management process?
Risk Management Matrix
The Risk Management Matrix helps teams execute the six-step process described above. It improves project execution by helping the team to anticipate, prevent, and mitigate risks.
The Risk Management Matrix provides quantitative metrics to clarify when to act on a risk. This includes:
- Assessing the probability and impact of a risk.
- Tracking them with appropriate metrics.
- Creating thresholds for these metrics that accelerate action and speed decision making.
The risk management matrix is a table that records risks, allowing teams to assess them, plan for their mitigation, and monitor them (see sample matrix below). The first step is to identify the risks. Then rate the potential impact of the risk, and its probability on a scale of 1-10 (1 = lowest impact/lowest probability; 10 = highest impact/highest probability). Next, create a quantitative measure that will help the team monitor the risk.
After that, create a threshold value for the metric, a figure above or below which will trigger corrective action to mitigate the risk. Also, calculate the current value of the metric in question. As you monitor the program going forward, capture the date when the last assessment of the risk occurred, and the current status of the risk.
Finally, and perhaps most importantly, create a brief action plan for what your team will do if it looks as though the anticipated risk will occur. These plans need not be in any great detail, since the associated risk may not occur. Create this matrix early in the project, during the first 10% to 15% of its duration. Modify it as needed, on an ongoing basis.
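The matrix described above can be kept as a small data structure and re-evaluated at each review. The following is an added example, not part of the original article: it assumes the ranking is impact multiplied by probability (the article only says the two values are combined), and the `trigger_when` field, the 30-day staleness window, and all sample metrics, thresholds and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Risk:
    name: str
    impact: int        # 1-10 scale from the article
    probability: int   # 1-10 scale from the article
    metric: str        # quantitative measure used to monitor the risk
    threshold: float
    trigger_when: str  # "above" or "below": which side of the threshold triggers action
    current: float
    last_assessed: date
    action_plan: str

    def __post_init__(self):
        if not (1 <= self.impact <= 10 and 1 <= self.probability <= 10):
            raise ValueError("impact and probability must be on the 1-10 scale")
        if self.trigger_when not in ("above", "below"):
            raise ValueError("trigger_when must be 'above' or 'below'")

    @property
    def score(self) -> int:
        # Assumption: impact x probability; the article only says "combining".
        return self.impact * self.probability

    @property
    def triggered(self) -> bool:
        if self.trigger_when == "above":
            return self.current > self.threshold
        return self.current < self.threshold

def review(register, today, max_age_days=30):
    """Return (names ranked by score, names needing action, names with stale assessments)."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    act = [r.name for r in ranked if r.triggered]
    stale = [r.name for r in ranked if (today - r.last_assessed).days > max_age_days]
    return [r.name for r in ranked], act, stale

# Constructed sample data: risk names are from the article; metrics, thresholds and dates are invented.
REGISTER = [
    Risk("Understaffed project team", 6, 7, "open positions", 2, "above", 3,
         date(2024, 3, 1), "Escalate hiring; re-scope next milestone"),
    Risk("Sole supplier dependency", 9, 4, "weeks of component stock", 4, "below", 6,
         date(2024, 1, 10), "Qualify a second source"),
    Risk("New-to-the-company technology", 8, 6, "prototype test pass rate %", 80, "below", 72,
         date(2024, 3, 5), "Bring in outside expertise; add a test cycle"),
]
print(review(REGISTER, date(2024, 3, 15)))
```

A risk can rank low and still need attention: the sole-supplier entry has not crossed its threshold, but its assessment is more than 30 days old, so it appears in the stale list.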
Risk Assessment Checklist
The Risk Assessment Checklist is a self-assessment conducted by the project team. It allows a team to quickly categorize and brainstorm potential risks across known aspects of a product development process such as project definition or schedule (see example checklist below).
This tool operates at a lower level of complexity and granularity than the Risk Management Matrix, but it also ensures a comprehensive, commonsense review of project risks. It minimizes the possibility of missing an important risk.
Start with a list of typical risks from your industry and then supplement your list of risks drawing on your team’s experience and learning from similar projects. Organize risks by category. Create this checklist early in the development process and update it as the team moves forward with the project. Create Risk Assessment Checklists for each project.
Project Retrospectives
Sometimes called post-mortems or project histories, Project Retrospectives are an important part of organizational risk management. They make teams aware of what might happen, because it has happened in the past. The risks you identify by looking at past projects feed into future efforts to mitigate risk.
The benefits of Project Retrospectives include:
- Uncovering systemic problems and risks that span many programs. The preponderance of evidence across many retrospectives can compel management to make changes.
- They also identify specific problems in a given project, so that the team does not carry them to the next one. Retrospectives are a way of formalizing improvement.
- They offer an opportunity for the team to isolate problems and get them ‘out of their system.’ Good retrospectives are not sessions to vent and complain per se, but the process is often healthy.
- If the results are documented and shared, they provide a foundation for further analysis and risk remediation.
To yield the best insights for helping your team mitigate risks, it is essential that retrospectives are fact-based and data-driven, and not merely fault-finding missions. Involve cross-functional team members and leave the senior managers out.
The most effective retrospectives include understanding…
- How unplanned events in your project occurred
- The root causes of these events
- Why these events were unanticipated
- How this project can inform risk management in your next program
To conduct a best-in-class retrospective, first organize the event around a question. For example, ask why a certain project goal was not achieved: “What are the key drivers that prevented the team from delivering on schedule, as planned?”
Next comes the event analysis. Write down the unplanned events that led to the team’s ineffective performance, for example its inability to deliver on schedule. Write down the most important unplanned events on Post-it Notes. Check for any omissions. Then the team votes on which unplanned events had the most impact.
Then, conduct a root cause analysis. Ask “why” each of the unplanned events on the Post-its occurred. Ask “why?” five times. Dig deep. Capture these root causes on Post-its.
Next, conduct a synthesis of the root causes. This means grouping and prioritizing these causes to reveal the broader trends that led to the unplanned event or allowed it to occur. Group the Post-its according to their type and importance.
Finally, take the learnings from your project retrospective and use them as inputs in your next project, as you assess and predict possible risks.
Do you have any tips for managing risk more effectively?
Avoid risks by anticipating them!
Management and mitigation of risks is job #1. Avoiding, denying, and hoping they will just go away almost never works. Think through the risks and plan before they occur.
Learn from the past
Think broadly and understand the issues your organization has seen in the past. Classify the risk according to the type – beginner, self-inflicted, or other types. Understand what remediations worked in prior projects.
Tackle high risk tasks first
Maximize resources on high-risk tasks. Postpone low-risk tasks. Project management is the art of minimizing risk to acceptable levels, so begin by reducing the areas that have the greatest degree of uncertainty.
Use iterative, phased approaches to minimizing risk
Frequent, smaller deliverables reduce overall risk. Divide larger tasks into smaller segments. The risks associated with a small segment of a project are much lower than those looming over the process as a whole.
QC the planning process
A great deal of risk comes from poor project planning processes. If you plan the project well, you will reduce risks. Check your project planning process carefully and follow best practices. You will cut off the root of many risks!
Product Development Expert
John Carter is a widely respected expert on product development. He is an inventor of Bose’s Noise Cancelling Headphones and designer of Apple’s New Product Process. As Founder of TCGen Inc., he has consulted for Abbott, Amazon, Apple, Cisco, HP, IBM, Mozilla, Roche, and 3M.