Three Easy Steps to Risk Management

May 20, 2009, 08:30

Simon Buehring


“All project management is risk management”
(Eric Verzuh)

Risk management is an essential activity in any project or organisation. Risk is defined by M_o_R (Management of Risk, the OGC risk management methodology) as uncertainty of outcome. A risk manager is concerned with managing the risks (uncertain issues and incidents) that, were they to occur, would affect the product or services that an organisation sets out to deliver.

The M_o_R framework highlights three basic steps to effective risk management that can be applied within an organisational or project context:

•    Identify
The first step of risk management is risk identification. This includes naming and describing any risk that might affect the achievement of objectives, to ensure that there is a common understanding of these risks among all appropriate individuals involved in the organisation or project activity.

Techniques for identifying risks will differ according to the size and structure of the organisation, the nature of the activity or project and the experience of the risk management team. For example, risk management within a small software organisation may involve brain-storming and discussing potential risks to the project, based on the expertise of the developers involved. A large government body, on the other hand, might draw on the experience of risk management experts who have dealt with risks across a range of similar organisations. Project managers responsible for risks to a technical activity might call on the authority of experts to highlight the relevant risks.

•    Assess
Evaluation is critical to successful risk management. Without critical analysis of the risks identified in step one, the risk manager may fatally underestimate the potential impact of one particular risk, or (also fatally) attempt to combat each and every risk, without considering how likely it is that a risk will occur.

The two factors that must be considered in risk analysis are:
o    probability
o    potential impact

Individuals responsible for managing risks must also be aware of the organisational context of the risks. For example: Risk A may have a greater impact on Output 1 than the effect of Risk B on Output 2. However, if Output 2 is more important than Output 1 to the overall objectives, then Risk B may be considered more important than Risk A.

Ranking risks according to immediacy, impact and organisational context enables the risk manager to prioritise and plan how individual risks will be controlled.

•    Control
The risk manager needs to identify the appropriate response to a risk and assign a risk owner, who ensures that the risk response is carried out, monitored and controlled.