Myth #9: Project Risks Were Addressed Upfront, So No Need For Further Risk Assessment – Part #2 (Lesson 27)
There are five actions you can take to handle your project risks.
Avoid the risk
Some risks can be avoided altogether. If a project can adapt its plans, it might change in any number of ways to avoid individual risks, including:
- Simply removing/de-scoping that activity.
- Finding another way to achieve the same outcome.
- Changing the processes, approach, tools, or materials.
Avoiding a risk altogether can be the most effective way of dealing with it. This eliminates the chance of loss – but at the same time, it prevents any benefits that could otherwise have been accrued from being realised.
Reduce (mitigate) the risk
If avoiding the risk is not possible or desirable, the most common strategy is to:
- Reduce the likelihood of the risk occurring, e.g. enhance the review process, provide staff training, or bring in external expertise.
- Minimise the impact if the risk occurs, e.g. create a recovery plan, maintain offsite data backups, or ensure manual fallback procedures are in place.
This approach is likely to be adopted for most risks, as it enables the project to continue with the planned activity, while putting measures into place to make it less dangerous.
If the attempt at risk control fails, the project will still suffer the loss it was trying to avoid – but hopefully, to a lesser degree.
Transfer the risk
Another risk mitigation strategy that can prove effective is to look at ways to move some or all of the responsibility for the risk to another party. This can be achieved in a number of ways:
- By cross-training staff to avoid key-person dependencies.
- By identifying alternative suppliers.
- Through outsourcing, joint ventures, or partnerships.
- By taking out appropriate insurance.
- By maintaining access to existing (‘old’) systems.
- By having manual fallback procedures in place.
Accept the risk
Sometimes, a risk must be accepted if it cannot be avoided, reduced, or transferred (or, if the risk is extremely unlikely and it is too impractical or too expensive to deal with). In this instance, a response/recovery plan should still be developed to deal with the impact should the risk occur.
In the case of minor risks, the best course of action may be to accept them. Unless a simple, low-cost solution exists, the effort/cost of dealing with them may not be justified.
Accepting risk is free and releases resources to focus on the more substantial risks. However, the downside is that there are no controls or mitigation in place.
This means it is critical to ensure that the initial risk assessment is correct to avoid surprises.
Exploit the risk
Where the risk can generate a negative impact on the project, avoidance, reduction, transference, and acceptance are appropriate strategies to adopt.
However, some risks to a project can actually result in a positive impact.
For example, a new ecommerce website launch may be so successful that the organisation has to bring in more people to fulfil all the orders. This positive risk would benefit the organisation if it happened.
Therefore the strategy should be to maximise the possibility that the risk happens, rather than trying to prevent it – or letting another organisation benefit from the missed opportunity.
In order to exploit the opportunity that this risk presents, marketing efforts could be increased and internal staff seconded (or temporary staff recruited) to help immediately after the web site goes live.