Risk Management - How Not To Do It
Risk management is, in most cases, an overlooked activity, and its potential has never been fully realized. For a member of a Quality Assurance team, it is not out of the ordinary to see the identification of business risks related to projects/services in an engagement carried out as a tick-box exercise. We have seen risk registers and assessments carried out, but the concerning part was the risk descriptions and details.
For instance, one risk description simply said “There may not be sufficient resources to complete the project”; another risk statement read “The project might not deliver the correct quality products”. Neither statement concretely conveys the degree of risk or the uncertainty associated with the business.
There are umpteen articles on how to do risk management as a practice, but they fail to mention what NOT to do in the risk management process. Here is a list of not-to-do activities that might derail the benefits and outcomes of risk management.
Generic Risk Descriptions
A common mistake that everyone makes in describing a risk is keeping it very generic and vague. The principle of “keeping it short” may not work here. There is a famous saying by Charles Kettering of General Motors, “a problem well stated is half solved”. When a risk is well defined and detailed with only the necessary information, it becomes easy to manage.
The primary objective of a good risk statement should be to enable its reviewers to understand the degree of uncertainty and its impact on the quality of deliverables, services, products or people.
Take the example of a poorly written risk statement: “There may not be sufficient resources to complete the project.” It is a generic statement and does not really explain the consequences of not having enough resources to complete the project. Surprisingly, this type of statement is far too common in risk registers.
If this statement has to be detailed to bring out the real impact the risk may have on the project, it should be written like this: “There may not be sufficient Java developers for the project xyz, to complete the development of the website interface, between October and November 2021.” This statement makes it clear how the risk will impact the deliverable.
Looking beyond ‘Negative’ Risks
As defined by the Oxford dictionary, risk is “A situation involving exposure to danger”, or “The possibility that something unpleasant or unwelcome will happen.” The dictionary definition is so engrained in our minds that we fail to look at risk beyond its negative connotations.
Risks are not always negative events that throw in uncertainty and put projects at stake. When we drop the Oxford definition, for good reasons, risks can also be indicators of opportunity for an organization; these fall under the category of positive risks. Failure to act on opportunities can itself become a risk.
Using risk management approaches to also identify opportunities can often lead to the creation of value for organizations. For instance, a new product or service is “too successful.” It generates drastically more demand than expected and overwhelms the resources. This excess demand compromises the ability to fulfil the demand/requirement in a timely manner. This eventually disappoints and frustrates the customer, weakens or destroys brand reputation, increases your cost of doing business and reduces or potentially eliminates profitability.
This risk has a positive impact when analyzed methodically and can bring an opportunity for the organization to elevate or augment the business.
Lack of Risk Analysis and Prioritization
An elaborate description of a risk gives us only a broad idea of what could happen, and we get carried away with the misconception that a risk, once detailed, will be mitigated and eliminated. Without an appropriate analysis and prioritization of the risks, we may be overwhelmed by the number of possible risks and fail to arrive at the right risk mitigation/elimination steps.
Assigning priorities to risks is crucial, and that is where the RPN (Risk Priority Number) plays a key role. Stakeholders from all parties must be involved in contributing to the Risk Matrix early and regularly, which can be accomplished by following the three simple steps of analyzing, prioritizing, and controlling. Risk management should never be carried out as an isolated exercise, but as a collaborative one.
Risk prioritization is important because it also makes it easy for the leadership group to make decisions about where to invest resources to increase the certainty around each risk (whether threat or opportunity).
Passive Risk Management
Risks are commonly associated with some action, but they can also arise from inaction. In most cases, risks may be identified, but they are largely ignored in the planning and execution process until some undesired event occurs, at which time solutions are sought.
In order to become active managers of risk, there are some important steps to take once a threat or opportunity has been identified, described, analyzed, and prioritized. Analysis and prioritization are key in preventing a risk from becoming a passive one.
The key step is to consider what options are available to us so that we can respond appropriately. There is a range of responses which can be used to alter the cause of the risk, perhaps avoid the event, or possibly reduce the effect.
Lack of Accountability and Responsibility
After the risk has been recorded successfully, we must think about who is going to act on it. When a risk is not assigned an owner for action, it is very much a potential candidate for becoming a passive risk. Risk accountability and responsibility have an essential role to play in strengthening risk management practice. This is vital information that is ignored in many risk registers.
These are some important roles we can identify to associate with each risk at a project level or engagement level:
- Risk Author – the person who identified the risk, as they will be a key source of information
- Risk Owner – the person responsible for managing the risk, ensuring that its status is monitored
- Risk Actioner – the person who is going to implement one or more responses to a risk.
Risk management and risk registers are used in many projects, but they should not become mere bureaucratic artefacts. Project managers need to ensure that they are managing risks and not simply contributing to a bloated risk register that holds detailed risk data but that no one is bothering to manage. Again, the point is not to be a mere chronicler of risks for the project post-mortem, but to take action and keep eyes and ears open for opportunities to mitigate risks.
It is time that we take a fresh look at our organizational practices, change our attitude of looking at risk as “something that might go wrong” and advance towards adopting better approaches to this extremely vital area of project management.