Assessing the Risk
Andy Bell | August 19th, 2020
In today’s world risk has become a prevalent aspect everywhere you turn. The COVID19 Pandemic has made risk a household term and nearly every aspect of our lives is touched by some type of risk management. There are financial risks, health risks, and business risks just to name a few. In the insurance business, actuaries make a living by defining risk through probability and statistics. Using calculated data from multiple sources, they try to determine the probabilities of death, injury, or damages based on potential risk. These calculations are so accurate that major insurance and government entities rely on them to set rates for insurance policies and even securities offerings. What if we applied stronger risk management principles and methodologies to project management? How much better could our projects be by identifying and mitigating the risks as early as possible? What if we could predict the likely issues a project may incur at the outset of the program?
For project managers, risk management becomes a significant aspect of planning and daily life. Identifying, assessing, and mitigating the risks for projects can often define whether the entire project will succeed, struggle or fail. The level of risk varies from project to project and company to company. For example, a local radar company was willing to start multi-million dollar construction of new products for international export even though the actual hardware export license allowing its export had not been completed yet. Although, a multi-million-dollar risk, and one that could bankrupt the company if the license were not approved, the management team felt they could proceed with that risk. Let’s look at why that was the case.
The lead time risk for components for the system and risk of component failure during initial testing simply outweighed the risk of getting the license approved by the government. This was because the scheduled deadline for an international government to be able to test the radar was more significant than the risk of starting the radar construction after license approval and being late on final product delivery. It sounds simple, but there were a number of mitigating factors that allowed the company to accept that level of risk.
- The company had exported numerous copies of the radar worldwide so government approvals for export had been previously approved.
- Each export client already had a baseline technical approval in place that allowed for the documentation and requirements capture which laid the groundwork for government hardware approval.
- If an export license could not be obtained, the system could usually be sold to domestic user within a few months.
The comfort level to proceed came from identifying the risk at the outset of the project, understanding the potential impacts of that risk to the project and the company, and then working on and monitoring the resolution of the risk until it was removed.
The situation of accepting risk is very different for small companies and startups. The risk of losing several thousand dollars on a project can mean delay of major company objectives, layoff, or even company closure. For smaller companies and projects, it is more critical to identify and mitigate risk as early as possible to prevent possible impact to the company. It is also important to note that risk can also take many forms. A company’s existence could be equally jeopardized by a disruption in funding sources or a change in the technology they use to support their livelihood. Look at Kodak film as an example. When the world changed to digital photography Kodak nearly went out of business. Although still around, the company is a shadow of what it once was because it did not identify and react quickly enough to the risk of an industry changing technology.
The first step in risk mitigation strategy is to identify the risks that impact your project. In order to record and identify the risks, assess their impact, and then to track an measure progress of the risks as the project progresses a risk log is created. A spreadsheet program is a good way to start. Listing the risk, what is known about it, the source of the risk, possible impact to the project, and a mitigation plan for the risk make up the columns of the risk log. Another possible risk log tool to use is a Kanban board where each card is an identified risk. The card contains the details around the risk where it can be dragged up and down the priority list as needed and then the swim lanes represent the steps in monitoring the progress of the risk through the project.
To begin, identify the risks by listing them in the risk log. Next, meet with stakeholders to brainstorm solutions to those risks that may impact schedule, scope, or cost of the project. This meeting may also reveal additional risks to the project which can be added to the log. Meetings with the technical team can also uncover gaps in knowledge, tools, or approach to the project. Trying to discover and identify places in the project where it has potential to go astray is helpful and relies on a lot of communication. We can’t always predict what problems will occur over the course of a project, but by identifying as many issues as possible at the outset, we can minimize the impact of an issues if it comes to light.
Other common methodologies to initially identify risks include:
- Learning from similar project history, mistakes made, and lessons learned.
- Industry trends and updates.
- Roadmap planning with possible failure points.
- SWOT (Strength, Weakness, Opportunity, Threat) of the project.
Assessing the risk
Once the likely risks to a project have been identified, we need to understand what is the likely hood that each risk will occur and what impact could it have to the project? While a project may have an entire list of possible risks, some will be more likely to occur or are more impactful to the project. Those are the risks we want to identify and prioritize with mitigation plans. Each risk needs to be evaluated for what is known about it, how it was identified, and if there is existing documentation around it. Based on those factors, the Project Manager works with his team and stakeholders to determine the impact to the project if the identified risk occurs and then drafts a mitigation plan for if it does. In most cases we will put high priority issues at the top of the list and color code them red, yellow, or green depending on the nature of the potential impact to the project.
Examples of risk assessment
- Client deadline to have all work complete - May need adjustment to scope or more budget for additional resources to complete on time
- Limited or fixed budgets - May need adjustments to scope or additional time to work at a slower rate with fewer resources
- Undefined scope and deliverable features of the project - May impact time, scope and budget as resources are allocated to define and develop the feature
- Technological challenges – May have a new technology that needs to be learned to put in place
- Resource availability - May impact timeline for availability or budget to obtain additional resources to maintain timeline
- Hardware availability - Hardware may have long lead times which impact ability to work on tasks related to its availability
- Outside team dependencies – May impact timeline with availability and quality of dependency
- Technology obsolescence - Product may have limited life and need a replacement plan for continued use
Managing and monitoring the risk
Once the risks are identified and assessed for impact, they must be monitored continually throughout the project. Regular review of the risks with the team and client should take place so that indicators of a possible problem can be identified early enough for a mitigation plan to take place with minimal impact to the project or company. By using a spreadsheet or Kanban board, all the team members can contribute the status of the risk management. Weekly review during status calls or even focus meetings to review the risks can be undertaken. New items can be added while those that are resolved or are no longer a risk can be removed. If a team member believes that a risk may be occurring, the team should review the concern and the mitigation plan immediately to take steps to correct the issue. By doing this on a regular basis small issues will not be able to grow into larger more impactful problems. With these continual reviews, the risk log becomes a living document through the course of the project until its completion.
As Project managers, shifting to a mindful monitoring and assessment of project risks can lead to more consistent and higher performing projects. Used in conjunction with Agile planning and regular project reviews, the understanding and control of risk becomes an asset to any company. Here at AWH, we lean on over 25 years of experience to get your project done on time and under budget.