As every project manager will tell you, all projects carry an element of risk, particularly as projects become more complex, extend across departments and functions, and involve multiple stakeholders. How, then, do you identify and account for these risks to ensure your project’s success?
You start with an outline that details your risk response strategy and use that to build an executable plan to address risks before they happen.
Sounds simple, right? Like all elements of any effective project plan, the key to doing this correctly and well lies in the details. By spending time upfront to identify as many details as possible that can impact your project’s success and formulating it into your risk response strategy, you’ll save countless manhours – and better mitigate risks – throughout the lifecycle of your project.
“Risk analysis and management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimizing success by minimizing threats and maximizing opportunities and outcomes.” The Association for Project Management (APM).
There are five key project management risk areas to consider:
- Risk event: What might happen that will impact your project?
- Risk timeframe: When is it likely to happen?
- Probability: What are the chances of it happening?
- Impact: What’s the expected outcome?
- Factors: What events might warn you about or trigger the risk event?
What is a risk response strategy?
An essential part of a project plan, a risk response strategy helps you maintain control and more accurately manage your project’s progress if risk arises. The intent of developing this strategy is to help you minimize or eliminate the potential impact risks may impose to the project throughout its lifecycle. By developing this risk response, you create a strategy, in advance of the project execution, to reduce or eliminate any threat to the project that can create risks.
Is all risk created equal?
Simply put, no. Though it is easy to focus on negative risk avoidance, there is more to be discovered with an effective risk response plan. So don’t confuse negative risk avoidance like typical tactical risks inherent in most projects with those risks that create an opportunity to improve a project’s outcome (i.e., staff vacations or staffing issue that may impact a project timeline vs a functional issue that creates a serious risk — or opportunity — for the business, such as a potential cashflow issue that could be mitigated with cash-flow forecasting software). By creating a well thought out risk plan, it can also help you identify areas of opportunities that can help you gain as much advantage as possible in your project from risks you identify.
Here are some examples of “positive risks” (opportunities created by risk identification) in project management:
- An upcoming change in policy that could benefit your project.
- Technology currently available in the market that will save you time if adopted.
- A request for additional resources, tools, or training that will make your project more efficient if provided.
Why is risk response planning important?
Even the most meticulously planned projects face uncertain events, aka risks. How your company will respond to these risks is critical to a project’s success and to your team’s ability to effectively manage a project to the plan. There are two main reasons why a risk strategy is important in project management:
- To identify and mitigate predictable project risks. Using a risk response plan, project managers can forecast and eliminate anticipated threats and uncertainties.
- To identify opportunities within your project scope. Using a risk response plan, project managers can find new approaches to the project by creating alternative ways to tackle risks and project limitations.
Overall, a risk response plan helps project managers by:
- Socializing the anticipated risks and the strategy to be applied with all stakeholders to the project, prior to the execution of the project.
- Enabling the project team to proactively respond to the identified and prioritized risks, according to the agreed strategy.
- Identifying areas of opportunities that may be generated by risk identification
- Increasing the likelihood of project success, by reducing the threats to the project
Getting your risk response strategy ready
Project managers typically rely on their professional judgement and historical information from past projects to determine the probability of a particular risk occurring. This probability matters for risk assessment and management because if there is a low probability of a risk, resources may need to be directed towards those risks with a high probability of occurrence. This will help you better focus your risk assessment and overall project.
Where you need to start
Prior to formulating a risk response strategy, the following activities need to take place:
- Risk Identification
- Create a list of every possible risk and opportunity you can think of. Look not only at perceived threats but also opportunities where a potential risk could bring an opportunity to do something different or better to your project.
- This is an important step in the process since the outcomes serve as inputs to the rest of the process i.e., risk assessment, response planning and risk monitoring / controlling
- You should spend a significant amount of time on this step, to ensure significant risks which have a negative impact are outlined and documented.
- Risk Assessment
- What is the probability the risk will occur? Rate each risk with a high, medium or low probability.
- Create a Risk Prioritization Matrix (x axis = likelihood, y axis = impact)
- Outline likelihood levels on a scale, e.g. Low = improbable to High = almost certain
- Outline impact levels on this scale, e.g. Low = minimal to High = large
- A contingency plan needs to be formulated for those risks identified as highly likely and the highest impact. The plan should be executed if the risk event occurs to minimize the impact.
- Risk Prioritization
- Determine the impact if each risk occurred. Would your project scope change? Delivery date be impacted? Budget change?
- Using the Risk Prioritiation Matrix, rate each risk, high, medium, or low as to its impact on your project outcome, and focus on those that will have the greatest impact in terms of severity.
After the risks have been identified and carefully prioritized, an appropriate risk response strategy can be assigned to the risk, should the risk materialize during the project lifecycle. It is important to determine which team(s) will be responsible for execution of the risk response strategy, and to establish a clear understanding of events that trigger the response.
Risk Strategies Explained
Risk Avoidance is not engaging in an activity that is compromising or may introduce a risk, at all costs.
- Risk avoidance eliminates risks entirely and does not aim to reduce the risk.
- This strategy could be justifiable if the activity results in exposure that negatively impacts the company financially or legally.
- It is important to carefully consider the potential benefits which may result if the risk is taken. If the reward outweighs the risk, avoidance may not be the optimal strategy to apply.
This involves the transfer of the risk from one entity to another, usually via a contractual agreement.
- The liabilities generated by the risk are transferred to a 3rd party
- Should not be confused with risk sharing / distribution, which involves the sharing of risk derived gains or losses amongst two or more parties, according to an agreed pre-defined formula.
- Disadvantage: expensive and time consuming
The focus of risk mitigation is to reduce the probability of the risk from occurring.
- Although all identified risks cannot be completely eliminated, a mitigation plan can lessen the severity of the risk
- A contingency plan can be created for risks that are low probability but high impact, such as a pandemic or natural disaster.
- Example: managing project costs within budget
Risk Acceptance is when the potential loss from a risk is not great enough to warrant spending money to avoid it.
- The risk assessment matrix is used to categorize and identify the risks which are both low probability and low impact.
- If a risk falls into this category, a business or project team may decide to retain the risk.
- If a risk is retained, no effort is given to reducing or mitigate the risk, since the costs of doing so outweigh the benefits derived.
- All options should be considered before a risk is accepted, and the risk should still be noted and monitored on a risk register.
Risk Scenarios and Response Strategies
Risk Avoidance Example
- Scenario: A company’s business model involves handling sensitive customer and employee data, which is stored to its database.
- Strategy: The company may need to limit the type of customer data saved, to be in compliance with privacy and security regulatory requirements (e.g., GDPR law in the EU), thus avoiding the risk of non-compliance entirely.
Risk Transfer Example
- Scenario: A global company transacts in foreign exchange-based contracts and financial instruments pegged to floating or fixed interest rates. Market uncertainty presents the likelihood of interest rate and exchange rate risk.
- Strategy: The company’s treasury team can choose a risk transfer approach by purchasing derivatives to hedge against the financial risk.
Risk Mitigation Example
- Scenario: Poor communication between stakeholders on a project can impact the deliverables, cause missed milestones, and an overall unwanted project delay.
- Strategy: Easy to use, real-time project management tools can be introduced to facilitate better communication amongst the stakeholders to the project. Regular progress calls with the relevant stakeholders, supplemented with a reporting dashboard ensures that important milestones and action items are discussed.
Risk Acceptance Example
- Scenario: Purchasing of software required for a project has a 5% probability of being delayed, thus impacting the implementation timelines.
- Strategy: Make note of the risk on the risk register and closely monitor if any procurement delays occur, with a negative impact on the timeline. If delays occur, consider applying a risk mitigation strategy to reduce the impact.
Common risks to watch for in IT projects
There are certain risks that are highly common in any IT project, including:
- Procurement delays. The purchase of hardware and software components may be delayed by inefficiencies in the procurement process.
- Availability and scheduling of resources. Configuration and testing will need to be carried out at certain points during the implementation process, but this can be hindered if the necessary resources are unavailable.
- Poor communication. The stakeholders involved in the process will need to communicate effectively. Delays may ensue – or the outcome of the project may be adversely affected – if the relevant people are not well coordinated.
- Evolving business requirements. The needs of the business might change during the course of the project – for example due to macroeconomic developments or M&A activity. The company will need to adapt to any such changes in order to keep the project on track.
- Test environments and test data. Difficulties can arise if there are issues with the availability of the relevant test environments, or if the quality of the test data is insufficient.
- Inadequate post-implementation support. Last but not least, the project doesn’t end at go-live. Post-implementation support may be needed to iron out any wrinkles – so make sure your chosen vendor provides adequate support before, during and after the project.