Absolutely everything in life carries a risk. Whether
you walk or drive, get married or stay single, go to college or go to work, you’re
taking a risk. You can’t even avoid risk by doing nothing! After all, couch potatoes run the risk of
obesity, diabetes, and high blood pressure.
Given the reality that no action or even inaction is risk free, how do you decide whether a project or change in your business is worth the risk?
There are really several different parts to risk analysis. One is a simple analysis of risks, their likelihood, and their impact should they come to pass. The second is the construction of a risk matrix to help your team visualize the relative significance of various risks. The third is a risk management plan—a review of what it would take to mitigate the unavoidable risks inherent in your plan.
To make this a little clearer, imagine that you are planning a corporate social event. You’ve put together a basic plan for a picnic, outdoor games, and an evening bonfire. It should be a lot of fun, but—as with everything in life—there are risks involved.
A risk analysis will tell you that it might rain…team members might choose not to take part in the games…and the evening bonfire could become an evening wildfire if not properly managed. This type of analysis will also tell you that rain is very unlikely, as you happen to live in a desert area, but very dry conditions mean that bonfires are quite dangerous.
A risk matrix will help you to visualize the significance of these risks, so that you can better determine which are important enough to manage—and which can simply be avoided.
A risk management plan would almost certainly include the selection of venue alternatives in case of rain, spirit-building activities to raise the level of interest in games, and fun, evening alternative activities that don’t require actual flame.
Of course, none of these analyses can be 100% accurate: no one can judge risk with 100% certainty. Which explains, among other things, why gambling and insurance continue to be such popular industries! But the process of acknowledging, identifying, and planning for risk can help you and your business to ensure that you are hedging your bets, and planning for the long term.
Conducting a Risk Analysis
Once you’ve identified your project, its goals, and a group of team members with the expertise to undertake the work, you’re ready to move forward with risk analysis. Of course, it’s great to have the funds and time to hire an outside risk analysis expert—but, like most of us, you may have to become that expert yourself! If that’s the case, not to worry: the process is not terribly complex.
Step 1: Identify the Risks
No one understands risk like the people who live with it every day. Your sales force understands the risks inherent in over or under-bidding; your marketing team understands the risks of trying out a new and edgy type of messaging. So you’ll need to turn to your team as you begin making your list of risks. To do this, you can interview individual team members, run brainstorming meetings, review evaluations of past, similar projects, or (ideally) do all three.
Step 2: Evaluate the Risks
Evaluating risks involves coming up with scored answers for two related questions:
- How great is the probability that this problem will occur?
- If this problem should occur, how great would the impact be on our project?
You’ll give each risk a score from 1 to 9, with 1 being the slightest risk or the slightest impact, and 9 being the greatest. So, for example, going back to the corporate picnic, the risk of Margaret in Marketing forgetting to bring the potato salad is quite high (perhaps an 8), but the impact it would have on the event is very slight (perhaps a 2). Conversely, the risk of a major storm may be quite low, but it would have a devastating impact.
The process of evaluating risks can be quite complex, involving mathematical models. At the very least, it will almost certainly involve some level of research. For your picnic, you might not want to actually model the probable outcome of having certain events occur—but at the very least, you’ll want to look at weather trends to see how likely it is that you’ll experience severe storms during the afternoon.
When you’re done with your analysis, you should have a list of risks with two numbers next to each one. It’s handy to assign each risk a letter, so as to make it easier to chart them on the risk analysis matrix.
Step 3: Build a Risk Analysis Matrix
A risk analysis matrix is a square chart or graph divided into four boxes, representing severe, high, elevated, and guarded risk. Along one axis of the graph are the numbers 1 – 9 representing frequency of likelihood; along the other axis are the number 1 – 9 representing severity or significance. If you like, you can color code your chart as shown. When you’ve graphed your threats, it will become visually obvious which are the most significant and the most likely (and vice versa).
Chart your risks as you would any other information by placing the letter representing the risk on the chart where it belongs. A risk with a likelihood of 8 and a significance of 7 would be plotted in the red zone, meaning it is a major threat, while a risk with a likelihood of 4 and a significance of 3 would be plotted in the blue zone meaning it is a minor risk.
Preparing the Ground for a Risk Management Plan
With your matrix in hand, you can now clearly see and easily share information about risks related to your planned project. This means you’re ready to start thinking about how to manage those risks based on their likelihood and severity.
There are really only a few basic ways to manage risk, no matter what your business or the risks you’re envisioning. You’ll choose the style of risk management based on the type of risk you’re facing. Here, according to the Association for Project Management , are your options:
- Remove: Any risk that can be easily removed from your project should be removed from your project. In the case of the corporate picnic, it makes sense to just say no to a bonfire.
- Reduce: Many risks can be reduced by taking relative low cost, simple actions before getting started. For example, if one of your risks involved negative responses from upper management, an easy way to reduce the risk might be to involve upper management in early brainstorming and decision-making.
- Avoid: What will you do if this problem arises? What is your “Plan B?” In the case of the picnic, a great option for avoiding a weather-related risk is to have an indoor venue available.
- Transfer: Can someone else take responsibility for your risk? For example, if you hired an outside firm to set up your picnic, you can also ask them to think through and offer acceptable options given the risk of rain.
- Accept: Some risks are worth taking. Would you risk being embarrassed if offered the opportunity to make the graduation speech at your alma mater? Chances are you’d say “yes,” and accept the possibility that your mind might go blank at the microphone. Some risks, on the other hand, are so slight that you can easily adjust to managing them. Having no potato salad is such a risk. Sure, Margaret might forget to bring it, but—so what?
Understanding your options, you can now—with or without the help of counsel or your team members—go through your risk matrix and assign appropriate responses to each item.
Creating Your Risk Management Plan
Your risk management plan is a document based on all the work you’ve done so far, which includes your matrix and your assignment of strategies for each risk. Where the strategy involves more than simple acceptance, you’ll need to work with stakeholders to determine the best course of action should the risk become a reality.
This document should be read, revised, and approved by your team members and any other stakeholders, so that you are all on the same page regarding the best course of action in each situation. With your risk management plan approved, you’ll be ready to mitigate or avoid many risks. Perhaps more importantly, you’ll have a “Plan B” in hand in the event that significant risks become real problems.
A risk management plan becomes, in essence, insurance against a wide range of possibilities. How useful is it? According to NASA, a well-designed risk management strategy has been a major tool for ensuring the success of many high profile missions such as the repair of the Hubble Telescope. According to a Case Study document describing risk management at NASA , the matrix created for space-related projects was more complex than most, as some projects involve multi-billion dollar budgets and international scrutiny while others are almost invisible to the public. The outcome, however, was well worth the work:
The establishment of the risk level early in the program/project provides the basis for program and project managers to develop and implement appropriate mission assurance and risk management strategies and requirements and to effectively communicate the acceptable level of risk. The document sets the stage for the project execution addressing a myriad of requirements governing parts, material design –single point failures, analysis, software, verification testing, quality assurance, reviews, and risk acceptance level.
Of course, unless you’re working for SpaceX, it’s unlikely that your risks will include the loss of a major satellite or the failure to rescue a multi-billion dollar space telescope. But the type of risk you incur is really beside the point. Your business is as important to you and your co-workers as a rocket to Mars maybe for NASA. The loss of a major product, client, or project could be fatal to your corporation. A risk management analysis and plan has the power to ensure that you’re never risking more than you can afford to lose.