“Risk” is a scary word. Most people view risks in a very negative light. Society constantly encourages us to avoid risk at all costs. A product represents a “health risk”. A service puts you at “financial risk”. If you drive this way you risk accident or death. Risk is bad, right?
But consider that huge companies like Citigroup, with assets in 2007 of over US$2 trillion (Forbes Global 2000, March 2007), base their entire business on managing risk. Why is something so bad for everyone else so good for them? Why isn’t risk bad for them?
Any time anyone undertakes any type of activity, it involves risk. Business people and engineers understand that risk is not actually good or bad – it just is. Risk rapidly becomes a real problem if we fail to recognise or plan for it. Managing and reducing risk is a discipline, and good companies practise it on a daily basis.
In the experience of my company, which develops software in Bali for Australian organisations, one of the keys to success is how the owner of the project and their development partners manage that risk. It’s all about the thoroughness of their risk analysis and mitigation strategies and their vigilance in monitoring the risks associated with projects.
We embrace a two-stage approach to risk management. Significantly, we use exactly the same process for our internal projects as we do for client projects – because it works!
In the first or Risk Assessment phase, we identify what risks are associated with a piece of work. We then assess the likelihood of each risk materialising and its potential impact.
For example, what’s the risk to a project if a key staff member becomes unavailable through accident? Experience tells us that it may happen during a project. What would be the impact? Perhaps the team would be 30 percent less productive without that key player, so the impact could be up to 30 percent overrun on the project duration and cost – a pretty significant amount. Combining the likelihood (in this case, medium) with the potential impact (high) gives what is called the Risk Rating, and here it shows a serious risk that needs management before it happens.
The next step is Risk Management and Minimisation. One available option is to just accept that it might happen and hope for the best – which may be our only option for things we have no control over. Another option is avoidance – we could double the size of the team so that every staff member has a full-time backup. But that invites other risks that we must also assess. The most common strategy is called ‘risk mitigation’, where we recognise the initial risk and put in place strategies that reduce its likelihood or impact until it becomes acceptable. What remains is Residual Risk.
In this case, one mitigation strategy would be to share key information between pairs of team members. Should a team member be lost for a period, his counterpart can take the key role and the team can be back-filled at lower levels, minimising the impact to the project. We have effectively managed a severe risk down to an acceptable one.
All our Project Managers must maintain a register of risks for each project and report on mitigation strategies. Weekly reports are provided to our management and clients and the risk registers are updated regularly.
Risks change as each project progresses, so the risk register is dynamic. But the message is simple: whatever the discipline or project, risk is not something to be feared, but managed.
Mike Page is vice president, software development for Mitrais, a multi-cultural company headquartered in Bali that provides software development for Australian companies.
Photo: topher76 (Flickr)