Risky Business

What Is Risk And Why We Must Manage It Effectively

Every business is exposed to some level of risk as it strives to achieve the desired outcome or objective through the delivery of a project. The outcome may not turn out as planned and this represents the risk.

Insentra’s Risk Management follows a methodology of identifying, analysing and responding to risk factors throughout the life of a project and in the best interests of its objectives, allowing our projects to have a platform for better decision-making to manage future risk.

In this blog, I will describe the risk management processes we use throughout our delivery of projects, which enable us to prepare effectively for the unexpected.

So what are risks?

Risks are defined as:

  • events that have some probability of occurring in the future
  • events that can have a positive and/or negative impact on a company’s outcome or objective
  • events that can happen from inside or outside the company

Most of our risks are known. Known risks are those risks we have identified through experience, interviews, brainstorming sessions and other techniques such as lessons learned from previous projects. Known risks are typically easy to identify – compliance issues, financial issues, people issues etc. On the other hand, unknown risks are not as easy to identify. Unknown risks are not typically identified since you lack the knowledge, insight or information to adequately identify these risks. One of the goals of risk identification is to convert these unknowns into known risks so they can be managed effectively.

Rate of change is a major driver of risk and, as it keeps accelerating, it is critical that we develop and implement an effective risk management strategy. A change can be unexpected or the result of some unanticipated event (an unknown risk). The worst-case scenario is when the unanticipated event has already produced a catastrophic consequence that severely limits the organisation’s ability to manage the issue.

In order to implement an effective risk management strategy, there are several key steps that we need to work through to manage our risks:

  1. Identify Risk
  2. Assess Risk
  3. Categorise Risk
  4. Respond to Risk
  5. Control Risk
  6. Monitor Risk

I will describe each of these steps in the sections below, but before I do it is important that we understand how much risk the organisation can tolerate before diving into risk management.

Important - Know What Our Risk Appetite Is

The level of risk that an organisation is willing to take on will define the risk response strategies they will choose for any potential project risks. We must know how much risk our organisation is willing to accept and communicate this throughout our business before we can embark on an effective risk management process. One way of communicating risk is to describe the company’s Risk Tolerance or Risk Appetite.

Risk Tolerance or Risk Appetite represents the level of risk or uncertainty that a company is willing to accept. We gain a better understanding of the risk tolerance by looking at our company’s goals or vision, especially those that are quantified in terms of financial results or reputation.

Organisations with a high risk appetite are prepared to take on more risks, provided the potential for return is substantial. Organisations with a low risk appetite will try to avoid high probability and high impact risks.

Do you know what your company’s risk appetite is?

Identify Our Risks

The first step in our risk management process starts with identification of our risk. At Insentra, we start the process initially by identifying and capturing our project risks during our internal project kick-off process. As we then start to engage in external interactions in the project, the Insentra project team will collaborate with our partners and clients and start by asking the question: “What events can adversely impact our project or the business?” We apply “what if” type questions to our business objectives from the highest level of strategic goals/vision to the lower level of functional objectives and start the process of listing our risks for the project.

The question we need to ask ourselves as a project team is: what threats exist that could prevent us from achieving our goals? We take risk seriously at Insentra and the project team are diligent in identifying the risks and managing each of them to ensure the objectives of the project and our clients are protected. With Insentra’s vision of being the number one channel services company on the planet, we too must have effective risk management strategies in place to allow us to realise this vision.

If we find ourselves “reacting” to numerous problems, then there is a good chance that we have not effectively identified and managed our risk. Risk Identification is the most important step in the risk management process. All other steps in the risk management process are important as well; however, they are only as effective as our ability to develop a valid and comprehensive list of risks.

As risks are identified, we capture all of them in a repository commonly termed as a Risk Log or Risk Register. The Risk Register is a listing of all risk related information captured under columns described in the example below that we use at Insentra for tracking our risks throughout the lifecycle of a project:

  • Risk ID: a unique code to the risk such as a sequential number or a combination of letters and numbers for easy retrieval and distribution of the risk information
  • Risk Description: a brief description of the risk which includes something about the current condition and the associated risk that exists
  • Risk Impact: an estimate of the potential losses associated with that risk (Catastrophic, Major, Moderate, Minor, Insignificant)
  • Likelihood: the probability of an identified risk occurring (Almost Certain, Likely, Moderate, Unlikely, Rare, Impossible)
  • Risk Rating: A rating of this risk calculated by the risk impact and risk likelihood scores. We classify these in terms of High, Significant, Moderate, Low and No Risk.
  • Ownership: record who is responsible for managing the risk
  • Controls: list of control measures put in place to help manage the risk such as monitoring processes, mitigation strategies or contingencies
  • Status: what is the status of the risk? Is this a new risk not previously identified? Is this an on-going risk that is currently managed? Has the risk materialised and now become an issue?
  • Category: categorisation of the risk so we can organise and manage all of our risk. The risk is categorised as Internal or External for distinguishing between our target reporting audience, and further categorised by types such as Scope, Technical, Resourcing, Communications, Relationship and Business
  • Date Identified: the initial date the risk was identified
  • Due Date: record the date a decision is required or an action carried out for the risk
  • Closed Date: record of the date a risk was closed as a result of change to the status. For example the risk may have materialised and is now being tracked as an issue in a separate register or the risk has been mitigated and is no longer a threat to the project. Closed items should be maintained for historical analysis purposes
  • Reported by: record who raised the risk as this person will act as the main point of contact for information relating to the origin of this risk
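As an added illustration (not Insentra’s own tooling), here is a Python model of the register above: the column names and the Impact, Likelihood and Rating scales are the ones listed in the post, while the scoring matrix that turns impact and likelihood into a rating is an assumption, since the post does not publish it.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Scales from the post's Risk Register columns, ordered from lowest to highest.
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["Impossible", "Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
RATINGS = ["High", "Significant", "Moderate", "Low", "No Risk"]  # most to least severe

def risk_rating(impact: str, likelihood: str) -> str:
    """Derive the Risk Rating from impact and likelihood. Assumption: score = impact
    rank (1-5) x likelihood rank (0-5); the post does not publish Insentra's matrix."""
    score = (IMPACT.index(impact) + 1) * LIKELIHOOD.index(likelihood)  # ValueError if off-scale
    if score == 0:            # likelihood "Impossible"
        return "No Risk"
    if score >= 15:
        return "High"
    if score >= 8:
        return "Significant"
    return "Moderate" if score >= 4 else "Low"

@dataclass
class RiskEntry:
    """One row of the register, using the columns listed in the post."""
    risk_id: str
    description: str
    impact: str
    likelihood: str
    ownership: str
    reported_by: str
    category: str                         # e.g. "External / Technical"
    date_identified: date
    controls: list = field(default_factory=list)
    status: str = "New"                   # New -> Ongoing -> Materialised or Mitigated
    due_date: Optional[date] = None
    closed_date: Optional[date] = None

    @property
    def rating(self) -> str:
        return risk_rating(self.impact, self.likelihood)

def close_risk(entry: RiskEntry, outcome: str, on: date) -> None:
    """Close a row via its status; the row stays in the register for historical analysis."""
    entry.status, entry.closed_date = outcome, on

def open_risks_by_rating(register: list) -> list:
    """Open rows, most severe first: the order a project team reviews them in."""
    return sorted((e for e in register if e.closed_date is None),
                  key=lambda e: RATINGS.index(e.rating))
```

Closed rows are never deleted, so the same list also serves the historical analysis the Closed Date column exists for.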

Assessing Our Risks

Once we have identified a risk, the next step is to analyse and assess the risk and determine two key characteristics:

What is the Probability of the risk occurring and what is the resulting Impact should it occur?

This part of the risk management process is much more analytical: we estimate the likelihood (probability) and consequences (impact) of each identified risk and use this information to establish thresholds. Once we have these thresholds, we can develop a risk response strategy for how to manage the risk.

To determine the probability or likelihood of occurrence, we look at how frequently something is likely to take place. We may look at past events or, in other cases, conduct our own observations and studies to understand how often this event or risk is likely to take place.

The impact of a risk is an estimate of the potential losses associated with that risk. Here are some common types of risk impacts that we rate by the severity of the impact (Catastrophic, Major, Moderate, Minor and Insignificant):

  • Health and Safety
  • Quality of Life
  • Sustainability
  • Financial
  • Time
  • Reputation

Categorising Our Risks

After assessing our identified risks, we then need to categorise each of them. This assists us in identifying the risk owner and formulating an appropriate set of responses. A typical set of risk categories would be Internal and External, with a further sub-categorisation similar to the examples below:

  • Financial
  • Resource
  • Schedule
  • Technical
  • Project Management
  • Communication
  • Operational
  • Political
  • Organisational

Risk Responses

After extensive risk assessment and categorisation, we move to the next step in the Insentra process which is the development of a risk response to our risks. Risk responses fall into the following categories:

  • Avoid – Risks with extremely high impacts that we want to avoid
  • Share – Risks are shared with third parties such as joint ventures, partnerships and other arrangements. This response distributes the potential loss amongst several participants
  • Accept – We are willing to accept these risks since they are so rare
  • Exploit – These types of risk events represent positive opportunities that we should consider exploiting
  • Reduce (Mitigate) – We take deliberate actions to reduce the probability and/or impact of these risks since they have a fairly good chance of taking place with some measure of impact
  • Transfer (Mitigate) – Risks that have distinct losses that a company cannot absorb if they were to occur. These types of risks are transferred over to another company such as insurance companies that insure against fire, floods, and other types of events.

Reduce and Transfer are mitigation strategies: we take deliberate action to either reduce the probability or impact of the risk, or transfer the risk to another party such as an insurance company. Risk mitigation responses will require more thought and time to determine and may require a step-by-step action plan on how to respond. This action plan will include information such as assigned responsibilities, the probability and impacts involved, an understanding of the causes behind the risk, the specific responses to be used, and a brief communication plan. There may be a requirement to introduce additional project work such as creating new procedures and processes or installing new controls to reduce the risk.

Controlling Our Risks

With all the heavy lifting now done in the planning steps and having defined our risk response strategies, our next step is to implement the necessary controls to manage our risks. Risk control represents a range of policies, procedures, techniques and other measures that we must implement to ensure that we have adequately met the required risk response.

A key risk control strategy is the use of Disaster Recovery Plans to protect against sudden loss from a process or system. A disaster recovery plan helps a business continue to operate should a disabling event take place.

One of the more common mitigation controls is to have a Contingency Plan in place. Contingency Plans outline the steps we take in the event the risk materialises. It may involve the rapid deployment of a team to respond to the event.

Monitoring Our Risks

The other half of Risk Control is to monitor and track our risks to see how effectively the controls we implemented are working. So, once we have established the risk control, Insentra will follow up and track the risk by asking:

  • How has the risk changed?
  • How should the risk response plan change?
  • Who needs to be informed about the status of this risk?
  • Who should be alerted if the risk is about to occur or has occurred?

Risk monitoring requires the evaluation of performance against the risk response strategies – how are things going? Depending upon the risk, our monitoring may need to take place at different intervals: continuously for system down times, daily for measures such as Value at Risk (which measures the probability of losses over a very short time), or monthly for changes in key financial indicators. All key risks should be assigned a monitoring time frame, such as weekly, monthly or another defined period.

Monitoring risks effectively requires an indicator or measurement to alert us to what is happening. This may involve a wide range of activities such as inspections, audits, observations, testing, surveys, verifications and validations. These activities may be performed by the Insentra project team or conducted by the client themselves, with updates recorded for the risk in the risk register.

Communicating Our Risks

At the heart of Insentra’s risk management process is communication, which feeds the continuous actions and updates required for an effective process. In order to be effective with risk communication, we consider the following:

  1. Internal and external stakeholder identification related to the risk
  2. Honest communication about what is going on. Risk communication can often involve bad news for the client and almost all risk communication should speak to the uncertainty involved with the risk
  3. Sensitive words such as “major impact” or “highly likely to occur” are often used in Risk communication which can sometimes lead to overreaction by recipients of this message. Depending upon our target audience in our communications, we may have to choose less dramatic words
  4. We need to stick to the facts and opinions of subject matter experts until such time as we have consensus on how the risk should be managed and have certainty about the risk response strategies required
  5. Risk communication should include sources and information that support the nature of the risk such as expert opinions, past risk events, who did the risk analysis, and who is the point of contact regarding additional questions
  6. Risk communication sometimes must be balanced between being timely but also being accurate. In some cases, it is necessary to quickly inform management about a new risk before we have all the facts while other risk events can be deferred until we have more information
  7. As risk is typically described in terms of probability and impact, we need to include this type of information in our communication
  8. Technical information in our communication can be useful information to the audience, however we still need to keep the message understandable and include visuals where possible such as trend charts and diagrams to explain the risk

A Final Word On Risk

There are a lot of challenges to getting it right when it comes to risk management, and we must be willing and able to manage our projects in a world full of risk and uncertainty. This uncertainty has become significant given black swan type events (unexpected events that have enormous impacts across various organisations), and we now live in a world where sizeable risks are the norm and traditional risk management strategies may no longer be sufficient. All projects carry risk, but we must keep up with the rate of change and adapt accordingly, finding our comfort level in how we deal with the unexpected.

It is important to remember that risk is a shared responsibility and Insentra is just one party in a larger project team involved in the management of project risk. Our partners and clients are equally important to the process, ensuring we collaboratively manage our risk throughout the life of the project.

At Insentra, when it comes to managing risks, we believe preparation is the key and one of the main determining factors that will define whether a project will be delivered successfully or not.
