Risk management - Part 1 exploring risk
Developing Risk Management
How do we define Risk?
- Imagine the scene...
You are standing on the pavement waiting to cross the road. There is a car coming from the left, and a bus from the right. How would you define the risk?
What could happen?
What would cause it to happen?
What would be the impact of it happening?
- Answers
What could happen?
There is a risk that... I might get knocked down
What would cause it to happen?
Due to... A lack of concentration, tripping over, a car hitting me, slipping on wet ground, not looking both ways...
What would be the impact?
Leading to... a broken bone, a lot of bruises, or worse!
Effective Risk Statements
So, we have looked at a scenario that helps to define risk and this aids our understanding of what the actual risk is in a personal situation, but how do we define it from a business perspective?
Let’s look at each component part:
- The first part is the risk. This is the most difficult thing to get right. It's easy to confuse the risk with either the cause of the risk or the impact of the risk. A simple way to think about it is to ask: what is the actual event that might happen that would have an effect on your objectives?
- The second part is the cause of the risk. This is why or how the event could happen. A single risk may have multiple causes. For example, there may be a risk that we don't comply with regulatory conduct rules, due to having poor fit and proper verification, not properly identifying our suppliers, or failing to report data breaches (amongst others). We don't have to list every single cause of the risk, but rather think about what the key causes are, the ones that occur most often.
- The last part is the consequences of the risk happening. This is why we actually care if it happens: the impact to our business.
So, an effective risk statement will have all 3 components and be a complete sentence that defines the risk, the cause and the impact.
Is it a Risk, Cause or Impact?
Let's explore what each of these is in a bit more detail.
We know the risk is something that is uncertain, so think about the words: it "may" happen, it "might" occur, and it could "possibly" materialise.
We also know that the cause of the risk is why it could happen, so think about the words "is", "do", "has" and "not".
And we know that the impact is why we care that it happens, so think about the words: this "would" result in, or this "could" mean.
Now look at each of the following statements and decide what each of them is. Is it a risk, a cause or an impact?
- A number of usability issues have been identified by the supplier
  Answer: Cause
- The current hardware is not fast enough to support testing
  Answer: Cause
- The architecture may not support the desired functionality
  Answer: Risk
- There will be a delay to the processing of client information
  Answer: Impact
- We do not have an appropriate monitoring framework in place
  Answer: Cause
- Allocated resource may be reassigned to higher priority projects
  Answer: Risk
Good or bad risk impacts?
Risk is not just about the bad things that can happen. There are also good risks. Having good risk management in place helps you identify both of them.
Let's now think about the types of risk impact that there are and which uncertainties matter.
In this scenario, what are the things that could happen to the mouse?
There are two things that could happen:
- Good (will the mouse get the cheese?)
- Bad (will the mouse get killed trying to get the cheese?)
We need to manage both of these uncertainties. For the bad impacts, think about whether there is a better way to do things. How do we stop the bad things happening and get the good things out of a project?
The cheese in this scenario represents all the good stuff that we can deliver in our projects and for our clients. This is the value that we can bring to a project, but if we don't get it, we fail. So, what could happen to our mouse? If we don't die or get injured by the mousetrap, but we don't get the cheese, we've failed. We've managed the bad risk to the project, but we've failed to manage the good opportunities and have not achieved the value for the client.
If we get the cheese but we die – we've failed. We’ve got the value for the client but we've not managed the risks to the project. The outcome may not be what we think because we've failed to consider all the risks to the client along the way. We may have made their business worse by causing different risks to emerge as a result of the way we have delivered our projects.
So impacts can be both good and bad. The bad ones can hurt a project and the good ones can help a project. Both need to be managed. These are your opportunities and threats: both are uncertain and both matter. If handled in the right way, the threats can be managed and the opportunities can drive our project forward.