Risk management is the proactive management of things that might screw up your projects or your business. The trouble is, at least in my experience, that risks often aren’t proactively managed. They may not be identified, or they might be identified, logged and nothing meaningful done about them. So how do you prevent risks from being something people just pay lip service too? How do you make sure they are captured, assessed, and actioned appropriately, so they don’t bite you on the backside later?
Here’s a simple technique that is easy to do and will help you to stop risks from screwing up your projects…
Make risks visible.
First of all, create a ‘risks wall’ for each of your projects. If you’re using agile management methods, you can use the same wall as the team uses for tracking their work.
Put a flipchart page on the wall and draw a 2×2 grid on it. Make the vertical axis ‘Impact’, with High at the top and Low at the bottom. This represents the magnitude of the impact if the risk becomes an issue. Make the horizontal axis ‘Likelihood’ or ‘Probability’, with Low to the left and High to the right. This represents how likely it is that the risk will become an issue.
Whenever someone highlights a risk, write a post-it note to remind you about it and stick it in the appropriate position on the grid. Try to identify risks even when people don’t highlight them as such. Whenever people talk about things they are concerned about, they are indirectly highlighting a risk.
Using this simple grid in this way will help you with risk management in a variety of ways. Firstly it gives you a mechanism for capturing risks, so they don’t go unnoticed. Secondly, capturing them on the wall makes them highly visible and hard to ignore. Thirdly, putting them in the appropriate place on the grid helps people to think about how likely they are and what the impact is if they come about. This helps people to park low priority risks without continuing to worry about them, and helps them to understand that higher priority risks need to be actioned.
Once a risk is highlighted, you need to decide what to do with it. So what are the options? Typically with a risk you can choose to do one of the following:
- Avoid it – e.g. by taking a different approach.
- Reduce it – for instance by mitigating the likelihood of it occurring, or by implementing a contingency to reduce the impact it it does.
- Share it – perhaps by contracting it out to a vendor.
- Retain it – accept that it is a risk and do nothing. Even if you decide to do nothing, that should be a conscious decision to accept the risk, rather than simply ignoring it.
Another way of looking at this is the ROAM model. ROAM stands for:
- Resolved – the risk has been answered and avoided or eliminated.
- Owned – the risk has been allocated to someone who has responsibility for doing something about it.
- Accepted – the risk has been accepted and it has been agreed that nothing will be done about it.
- Mitigated – action has been taken so the risk has been mitigated, either reducing the likelihood or reducing the impact.
To make sure risks are actioned whilst using the ROAM model, you can write up a set of columns for managing them on your wall next to the risks grid. There could be one column which is the queue of new risks that need to be discussed and actioned. When a risk is identified it can be written on a post-it note and stuck in that column.
The team should have a regular forum standing at the wall when risks are discussed. In this discussion, the team can talk about any new risks in the queue. Each one can be discussed and placed in the relevant place on the grid. A duplicate post-it note can be written and moved into the appropriate column on the wall, i.e. allocated to someone (Owned), Resolved, or Accepted.
The group can then discuss any risks that are still in the Owned column from previous discussions. What has been done about them? If action has been take to reduce the risk’s likelihood or impact, the post-it can be moved to the Mitigated column when the group is satisfied it has done all it can or all that’s appropriate in the circumstances.
A few simple rules.
As a matter of policy, you could create a few simple guidelines and write them on the flipchart too. For instance, risks in the High/High top right quadrant of the grid must be Mitigated or Resolved and cannot be Accepted. Owned risks must be actioned before the next risks meeting. Accepted risks must be escalated for management awareness. A few simple rules to guide people’s decisions, in addition to utilising the ROAM model, will help to ensure people know (and remember) what’s expected.
You may also have a rule that any risks in the top right quadrant must be escalated, whatever the team chooses to do with them. In this case, you could have a very similar setup for risks on a wall at a program or portfolio level, where escalated risks go up the chain to a more senior group of people discuss, in order to make sure they are aware of them and perhaps to action those that are outside the control or influence of an individual project team.
The difference between success and failure?
Using a simple technique like the ROAM model to proactively manage risks – which is extremely quick to do and easy to maintain – might just make the difference between success and failure…