Manage Risk
Learning Objectives
After completing this unit, you will be able to:
- Explain risk attitude.
- Categorize project risks.
- Identify and document risks.
- Assess risk exposure.
What Is Your Risk Attitude?
Are you a risk taker—one who is always up for a new adventure? Do you avoid risk, preferring to take the road already known? Or are you somewhere in between, willing to take calculated risks?
Walden University lets you know it’s all about attitude.
Risk attitude (perception) defines your overall position on risk, which can range from risk taker to risk avoider. Your overall risk attitude is influenced by three factors: risk appetite, risk tolerance, and risk threshold. Risk appetite is the degree of willingness to accept risk in relation to the expected reward. Risk tolerance is how much risk you will withstand; and it may be different depending on the circumstances. Risk threshold is the upper and lower limits of risk you are willing to take.
Your personal risk attitude influences the choices you make and whether you take or pass on opportunities depending on the level of uncertainty and risk. But have you ever done a detailed risk analysis as a way to calculate the risk? Applying project risk management can help you make informed decisions, just as it does in business organizations.
What’s at Risk?
Organizations, project managers, and project sponsors are aware that risks await any project. They have no interest in activities that negatively impact the organization or the project plan. What they are interested in is the opportunity and return on investment that the project represents. But they can’t afford to throw caution to the wind. From the time a project is selected and throughout its lifecycle, they must adopt a more measured risk attitude. They must understand and plan for the risks they face.
The first piece of risky business occurs during project selection. Decision makers must decide which projects to select. Risk attitude plays a factor in this decision. But project selection is an analytical process that’s bigger than mere risk appetite.
How do executives decide whether to pursue certain projects based on the level of risk? How do they weigh the options? How do they plan for risk?
It starts with risk management—a proactive and continuous approach for managing the uncertainty that exists in all projects. Risk attitude will largely influence these decisions, but organizations can only make informed decisions to accept risk or not when they have an estimated level of risk.
How is project risk estimated? Let’s see how it works.
Expect the Unexpected
The first step is to identify potential risks. These are typically documented in a risk register. Brainstorming and interviews are common techniques that help identify risk. But regardless of the technique, it’s important for the project sponsor, key stakeholders, and subject matter experts to be involved in the process and take ownership for certain risks. The project manager and the project team may not have the functional expertise or strategic insight to accurately identify or own them.
Think about possible sources or categories of project risk as a way to organize the risk list. These include:
-
Strategic: Risk that the project will fail to achieve business objectives.
-
Operational: Risk that a project will impact the ability to conduct business as usual.
-
Technical: Risk that technical solutions will fail.
-
Compliance: Risk of sanctions from regulatory agencies.
It’s impossible to identify every risk that could occur, but risk management is an iterative process. Over the life of the project, the project team reviews and updates the risk register as needed.
Let’s use an example to demonstrate the concepts.
Develop a Risk Register
You’re the CFO for a large, multinational bank. The bank is considering a project to migrate all customer data from a legacy system to a new cloud-based system. This will enable the bank to provide real-time updates to customer data and reduce the footprint in the bank’s data center.
You’re the sponsor. The CEO mentions this is a mission critical project and the stakes are extremely high. The window of opportunity to complete the migration is very tight. Any missteps could leave the bank unable to provide current data to its customers.
Worse than that, the bank could incur significant fines from regulatory agencies if current customer data is negatively impacted. You meet with the project team, high-level stakeholders, and subject-matter experts to assess the risk exposure of the project.
During a brainstorming session, the team identified these risks.
Risk Register | |||
|---|---|---|---|
Type of Risk |
Risk Source / Category |
Risk Name |
Risk Description |
Threat |
Operational |
System downtime |
There is a planned window of system downtime during the migration. Downtime beyond that will mean that customer data is unavailable for longer than expected. |
Threat |
Technical |
Equipment failure |
Equipment failure during the migration will extend system downtime, leaving the bank unable to provide current customer data. |
Threat |
Compliance |
Data availability |
The SEC requires that customer data be available in a very specific timeframe every day. Unavailable customer data will lead to significant fines by the SEC. |
Threat |
Security |
Vulnerability of data |
Customer data will be particularly vulnerable during the migration. Any perceived threat will require the migration to stop. The recovery process will extend system downtime, leaving the bank in violation of SEC regulations. |
Take a Calculated Risk
Once risks have been identified, the project team chooses a method to analyze them. Most often, the process begins with a qualitative assessment to determine the likelihood (probability) of occurrence and the effect to the organization (impact).
Your team uses a 3-point scale to analyze the risk: 1 = low; 2 = moderate; 3 = high.
The resulting score (probability x impact) provides the exposure for each risk and opportunity. The total of the individual scores provides the overall exposure of the project. For this project, you categorize the exposure this way: 1 to 3 = low; 4 to 6 = moderate; 7 to 9 = high.
Let’s look at the results.
Type of Risk |
Risk Source / Category |
Risk Name |
Probability |
Impact |
Score |
|---|---|---|---|---|---|
Threat |
Operational |
System downtime |
3–High |
3–High |
9–High |
Threat |
Technical |
Equipment failure |
1–Low |
3–High |
3–Low |
Threat |
Compliance |
Data availability |
2–Moderate |
3–High |
6–Moderate |
Threat |
Security |
Vulnerability of data |
2–Moderate |
3–High |
6–Moderate |
What is the overall risk exposure of the project?
The total of the risk score is 24, divided by 4 (the number of risks) = 6. The risk exposure of the project is moderate. You and the team decide to move forward.
Walden University cautions that risk management doesn't end once the project is selected. After selection, project managers must identify, plan for, and mitigate every risk that could rain on their project plan at every stage. Failure to continually measure, plan for, and manage project risk throughout the lifecycle could lead to project failure or even worse, negative impact to the organization.