Managing Risk

(A Project Manager's 'idiot' guide!)

This article describes how a better understanding of risk can support good business through informed decision making. That sentence may sound like "management speak", but bear with me, this is going somewhere.

Let's start by asking what we already know about risks. Risks have an association with chance; there is an element of uncertainty about them. Risks are in the future. Risks are usually considered as negative.

One definition of risk is uncertainty of outcome, whether positive opportunity or negative threat. This seems to suggest a link between opportunity and risk. When you think about it, negative or downside risk is not only "bad things happening", it's also "good things not happening". So what can be done to minimise the chances and consequences of risks and improve the chances for opportunities? It's called "risk management".

Risk management is about responding to our vulnerability or exposure to downside risk. Risk management is also about trying to maximise our opportunities and improve our chances for doing good.

There are three types of people: those who take risks, those who avoid risks and those who wouldn't know a risk even if it came up and bit them on the nose.

For a balanced approach to business we need a mix of the first two types. The third type is going to get eaten. Successful risk takers and risk avoiders understand the amount of risk they are prepared to accept; this is called their risk appetite. They also understand their vulnerability in the face of risks, or their risk exposure. They operate from a position of power to make informed decisions. Their source of power is knowledge. This knowledge comes in the form of answers to these types of questions:

  • What is at risk?
  • Why is it at risk?
  • What are the risks?

And for each of the risks we could ask:

  • Where does the risk come from?
  • What does the risk look like?
  • How likely is it to happen?
  • When might it happen?
  • What kind of effect will it have?
  • Where will the effects be felt?
  • Who will it affect?
  • How much will it cost if it happens?
  • Who is best placed to deal with this?

Answers are collected for all identified risks to build up an understanding of the overall risk exposure.

Risks can then be ranked in priority order starting with the biggest negative impact risks. For example, we could ask "What risk is most likely to happen and could hurt us the most?"

Many organisations feel that once they have identified and assessed risks then their job is done and they are free from worry. Well, it is a good start, but if we stopped there it would be like saying "We know about the risks so they can't hurt us." How often have you heard the refrain "I knew this would happen" in response to some previously identified problem that was not acted upon?

There is so much more to "grown-up" risk management. We need to come up with suitable, cost-effective and timely responses to the identified risks. These responses need to be owned, acted upon and measured to find out if they are having the desired effect. If we don't, then we are simply reacting to situations rather than proactively managing them. By "proactively" I mean work through the phases: "Identify, Assess, Develop, Plan and Manage". It's a great starting point for a risk management process. In a nutshell, here's what we can do for each of the phases.

Identify:

  • Identify the objectives which are at risk
  • Determine how much time should be spent on risk management (there's a cost : time trade-off)
  • Identify risks which affect the achievement of objectives

Assess:

  • Assess risks in terms of likelihood and impact (qualitatively and/or quantitatively)
  • Who is best placed to deal with these risks?

Develop:

  • Develop risk responses and plan how these are going to be implemented
  • Work out cost of responses

Plan:

  • Are the responses cost effective?
  • Decide on responses to be implemented
  • Ensure risk action owners are briefed
  • Implement the chosen risk responses

Manage:

  • Are the risk responses having the desired effect?
  • Have any risks happened?
  • Have any new risks been identified?
  • Adjust the risk response plan to achieve the desired effect
  • Was it worth spending the time and money on risk management?
  • Go back to the Identify phase if necessary

A good way of keeping track of all this knowledge is to write it down. Much of the information about risks, assessments, responses and results can be recorded and updated in a document called a risk register or risk log. Here's a basic layout with a potential risk and response outlined, but in your world, make a risk log that works for you and your organisation.

| # | Risk Description | Likelihood | Impact | Timing | Response | Owner | Check |
|---|---|---|---|---|---|---|---|
| 1 | There is a threat of a storm which may cause disruption to power at our factory causing damage to equipment and halting production. | H(igh) | H(igh) | During the next 14 days. | Install diesel powered electric generators (with two weeks fuel) and uninterruptible power supplies. Cost of response outweighs cost of impact. | Plant Manager | Did the storm occur and if so did response pay off? |

Therefore, risk management prompts us to gain knowledge which helps us make informed decisions. Making informed decisions supports good business. If you want to show the evidence of why a decision was made, then the background and supporting information can be found in your risk documentation. This traceability is extremely useful during project reviews and "lessons learned" exercises. Try it out for yourselves and let us know how you get on.

As the risk management saying goes, "it's no good crying over spilt milk". So until the next time, watch-out, watch-out, there's a Humphries about.



Written for PMFinder by John Humphries, M_o_R® (Management of Risk) Registered Consultant.

Started in 1993, The Service Station is a professional services organisation providing clients with specialist resources to successfully select, start, manage and complete their projects. The company philosophy is built around three core business fundamentals: simplicity - because life is complicated enough, communication - because people need to know what's happening and delivery - because they love seeing results!

 

PMFinder Ltd | Registered in England & Wales No. 06011146 | © 2007 | All rights reserved.