Identify, Assess, and Address Risk
After completing this unit, you’ll be able to:
- Explain the three dimensions of a risk.
- Describe the four ways to address risks.
Let’s look at three main tasks in the risk management process: identify, assess, and address.
The first step in risk management is risk identification—detecting, documenting, and communicating the causes and anticipated effects of project risks.
When you identify risk, it’s best to look at all project areas. Look internally and externally. Look to the past and the future. Here’s a handy summary to help you be as comprehensive as possible.
- Cost, quality, and time
- Project management and governance
- Historical project data
As you sleuth out risk, it’s easy to look for apparent problems such as loss of people or functionality that may break. But risks can masquerade as benefits. For example, your customer’s revenue skyrockets. That’s a good thing, but now they can afford more features. Sure enough, they ask to increase scope. That’s a risk.
Try to follow a sequence of events to help you identify risk in all its forms and from all angles. In this case, more revenue leads to a hunger for more features in your app. That leads to scope creep, and if you’re not careful, an overcommitment to work you’re not equipped to handle.
One more thing to keep in mind: Risk identification isn’t a one-time task. New risks can pop up at any point in the project lifecycle. Keep an eye out for new risks at every stage.
Now that you know how to identify risks, let’s look at ways to assess each risk.
Risks have three dimensions.
- Probability: The likelihood that the risk happens.
- Impact: How the risk affects the scope, schedule, and cost of a project.
- Proximity: How soon the risk will happen, given the length of the project.
Consider all three dimensions. Then, quantify your assessment by assigning a score. Use whatever scale you prefer, such as high-medium-low, or 1–100. Scores make it easier to prioritize risks and determine which to address first.
Back to those SuperTasty cheese sandwiches. Suppose the cafe uses this approach to assess its risk of running out of cheese. It might come up with something like this.
- Probability: The cafe manager was vacationing in Bora Bora and hasn’t taken an inventory in 2 weeks. The probability of running out of cheese is high.
- Impact: If the cafe runs out of ingredients, it can’t sell as many sandwiches. The impact is lost revenue.
- Proximity: Every day is a new sales cycle. The proximity is imminent.
Risk: The cafe runs out of SuperTasty cheese.
The overall score for this risk is high. It’s best to address it as a top priority.
Evaluating the dimensions of each risk not only helps you prioritize them, it also helps you determine the best way to address them. There are four ways to address a risk: transfer, eliminate, accept, or mitigate (TEAM).
Transfer: Transfer risks to another team or another project. For example, instead of coding a customization, use an existing third-party plug-in. This may bring up other risks, but ones that are more acceptable to your team.
Eliminate: If it’s possible and sensible to completely eliminate a risk, then all the better! That can be as simple as modifying or removing a requirement, or using only well-known, well-tested features and customizations.
Accept: Sometimes the likelihood that a risk occurs is negligible, and its potential impact is minimal. If the risk actually materializes, your team feels confident that they can absorb the impact into the project without negative repercussions. No further action is needed, unless the risk actually happens. Throughout the project, revisit accepted risks. Make sure that acceptance is still the best choice.
Mitigate: Develop options and actions that reduce the likelihood that the risk turns into an issue, reduce the impact if it does, or both. Mitigate all risks that can’t be transferred, eliminated, or accepted.
It’s important to have everyone agree on mitigation plans so that everyone understands the path forward. If mitigation plans affect scope, schedule, or cost, document that in change orders that you share with your customer.
Even the best laid risk management plans can go awry if no one knows about them. To ensure that everyone handles risks efficiently, set clear expectations with all your stakeholders.
Here are a few essential expectations to set internally with your project team and any third parties you hire.
Throughout the project lifecycle, team members regularly:
- Identify and communicate new risks in a timely manner.
- Report accurate project task progress.
- Review and reevaluate risks.
It’s also critical to set expectations externally with customers. Here are some examples.
- Customers are responsible for communicating with and managing any third parties they hire.
- Customers are responsible for communicating dependencies, risks, and issues within their team.
- All change requests are evaluated and documented even if there’s no impact to scope, schedule, or cost.
Now you know the three steps in the risk management process—identify, assess, address. In the next unit, we discuss practical tools and methods that you can use to document, monitor, and communicate project risks.