If you ask people which technique they use to identify risks, most will include brainstorming in the list,
usually conducted as part of a facilitated workshop. Indeed for many, brainstorming is not just one
technique among several; it’s the only one they use. Brainstorming is popular for a range of reasons:
- Everybody feels involved, with an opportunity to share their opinion openly
- It produces visible results quickly as the flipcharts fill up around the room
We all know that risk management is supposed to manage risks. But people often understand very different things when they use the word “risk”. One way to solve this problem would be to insist that everyone uses the definitions found in risk standards and guidelines. These definitions have usually been produced by groups of experts who work hard to be clear, to say what they mean and to mean what they say. Unfortunately most people ignore official definitions when they manage risk in practice. Instead they rely on their own ideas about risk which are often limited or misleading. This in turn can reduce the effectiveness of the risk process and stop it delivering the full range of potential value.
The simplest definition of risk, “uncertainty that matters”, provides two simple tests for whether something is really a risk or not. The first and most obvious characteristic of a true risk is that it is uncertain. If something is a fact, constraint, requirement, problem or issue, then it is not a risk. However, not all uncertainties are risks, which brings us to the second test of a real risk: Does it matter? The majority of uncertainties in the universe are not risks because they are irrelevant. The only reason we need to identify, understand and manage risks is if they matter.
Different projects are exposed to different levels of risk, so the project risk management process must be scaleable to meet the varying degrees of risk challenge. While we can apply a common risk process to any project, that process can be implemented at different levels, from a few simple informal steps to a fully rigorous and integrated process.
Risk management is an important contributor to project and business success. The past few decades have seen growing consensus on the elements required to manage risk effectively, including an efficient and scaleable risk process that can be tailored to the particular risky situation, an appropriate level of infrastructure to support the risk process, and skilled and competent people who know what to do and how to do it.
One of the biggest challenges for the world is how to prepare for emerging risks. These are new and previously unknown risks, or familiar risks that appear in new ways. Very often our existing risk responses are inadequate to deal with this type of risk. After all, how can you predict or prepare for something that you have not seen before or that you did not expect?
The International Risk Governance Council (IRGC) published an important report in 2010 (“The Emergence of Risks: Contributing Factors”) which identifies twelve factors that can give rise to novel and previously unforeseen risks. IRGC suggest that by addressing these causal factors, we can prepare better for emerging risks and reduce their effect if they arise. The twelve factors are:
1. Scientific unknowns. Unanticipated risks can result from lack of knowledge or understanding about how the natural world or human systems work.
2. Reduced margins. The desire for increased speed and efficiency reduces the margin for error and leaves us more vulnerable if things go wrong.
In these fast-paced times, risk is a constant factor in business technology. Computing and software systems have become so complex and interconnected that errors are more likely to occur and harder to solve. This can cause downtime to the business, resulting in heavy financial losses not only from lost business but also from a loss of reputation.
And the source of IT risk is not necessarily what you’d assume. According to a 2016 Ponemon study on data centre outages, failing IT equipment accounted for only 4 per cent of outages. The biggest outage sources were power-related, with 25% of unplanned outages stemming from a dodgy power supply, followed closely by denial-of-service attacks (22%) and accidental or human error (22%).
So what can we do to protect ourselves from these risks? First you need to identify and quantify them. How likely is that particular risk? What would the damage be to the company if it happened? Can we make the risk less likely to occur? Are there actions we can take now to reduce the impact of the risk if it does occur?
Time and money spent on a quantitative, analytical approach to risk can help us to absorb risk and carry on.
The Register is a British online tech publication with more than nine million monthly unique browsers worldwide. Read their full article on Risk and IT here: Risky business: You’d better have a plan for tech to go wrong
Based on experience, it seems that the majority of companies in developing countries who are implementing risk management do not get the added value that they expect. This is often because they are attempting to import risk management from a different cultural setting, from developed to developing parts of the world.
In many cases, it makes sense to begin by bringing in a system from a developed country, rather than starting from the beginning to build something new. But how can organisations in developing countries avoid the threats that come with importing a risk management approach from elsewhere? These steps will help:
Projects hit the same risks over and over again:
- The requirements may not be adequately defined, causing re-work;
- The team members may not collaborate adequately, causing delays and cost overruns; and/or
- The client may prove mercurial, causing delays, cost overruns and re-work.
As you look at those three risks, you probably have a reasonably high confidence level that they’ve happened on your own projects. They’re common. They’re pedestrian. They happen on virtually every project. People are human and change their minds. Requirements are generally difficult to define. And yet, we still act surprised when these three things evolve on our own projects.
Assuming you are immune to common risks is like assuming you are immune to the common cold. It’s a lovely thought, but…
It is clearly important for us to understand the nature of a risk properly if we are to manage it effectively. Many people only consider a limited number of risk characteristics, leading to a limited ability to manage risk. Effective risk management requires a deeper understanding.
One way to improve understanding is to explore the “anatomy of risk”. Anatomy can be defined as “separating or dividing into parts for detailed examination.” If we separate and divide risk into its constituent parts, we find seven elements. Four of these relate to the nature of the risk itself, and three are connected to people.