It's hard to imagine change without risk and the management of risk is now well established as a fundamental part of any project plan.
Risk can be defined as any uncertainty that may adversely affect a project.
We can lessen the chances of some risks from occurring while some we cannot influence at all.
Once a risk happens it becomes an issue and our planning should leave us with clear strategies for dealing with such issues.
Risk Management has traditionally been confined to the project development lifecycle but, as with benefits delivery, we are becoming increasingly concerned with the operational phase of our products.
Identification - we need to get a variety of inputs and perspectives to help us identify the potential risks to our project.
Assessment - once identified risks need to be analyzed and prioritized.
Strategy -our responses to issues needs to be clear and planned.
Management - existing risks need to be reviewed regularly and new ones examined.
It is important that your project specialists are consulted when looking for potential issues. Brainstorming Sessions and Risk Workshops are well established methods.
This process of risk assessment should involve all of the expertise that you can muster for group or individual input. This assessment can also form the basis of an action plan to deal with these risks and to identify suitable Risk Owners.
Our responses will largely depend on our ability to deal with each risk and the associated costs.
If these costs outweigh the potential impact then we may decide to simply continue despite the risk. But we must still monitor and re-evaluate regularly. This strategy is known as acceptance and is one way of dealing with risk.
It may not be possible to find the ideal solution to a particular risk. The best solution will depend on our ability to prevent or deal with a risk along with the likelihood of its happening.
The following strategies are used for mitigating risks:
Acceptance - decide how to absorb the effects of a risk.
Avoidance - taking action to prevent a risk from occurring.
Contingency - what counter measures will need to be taken in the event of a risk happening.
Reduction - preparing to limit the likelihood or impact of a risk.
Transference - the act of shifting the burden of dealing with a risk.
After compiling a risk register we need to allocate an owner to each one. This is not an arbitrary task and needs to be agreed by all parties so that people are aware of their accountability.
A risk owner should be best placed to recognize a change in status of a risk and to instigate the chosen response.
Risks do not necessarily remain static and prudent monitoring should take place along with formal risk reviews.
New risks can surface at any time and the risk potential of any action or event should be taken into account as a matter of course.
Enhancements, fixes, patches etc., all of these can introduce new risks in a project and strict change management procedures must be adhered to.
Risk Management is a vital part of any change and can have the highest priority in certain industries (e.g., aeronautics, pharmaceuticals).
People's attitude to risk can vary, so a formal and structured approach should be adopted in order to properly control and manage risk.
Simply identifying some risks can greatly diminish their disruptive potential, while others can only be monitored and dealt with when, and if, they become issues.
The Risk Register should identify each risk owner and list the planned responses.
Risk is an integral part of change.