Manage Your Risk!
Risk exists in all businesses. Whether we acknowledge it or not, it exists. Risk is that funny little thing that throttles our latest and greatest project. It is also the really big thing that bankrupts our businesses. It is also something that can make us more successful than we ever thought possible.
What is risk? More importantly, how do we address risk? In this post, we will define risk and discuss strategies for dealing with it.
First, let’s define risk. The online Merriam-Webster dictionary defines it as ‘the possibility that something bad or unpleasant will happen.’ This definition is OK, but it doesn’t fully embody risk. It doesn’t consider the possibility of a positive outcome, nor does it look at the impact. The Project Management Body of Knowledge (PMBOK) Guide defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. This basically tells us that risk is any uncertainty that can affect what we are trying to accomplish. One of the key differences between the two definitions is that the dictionary definition only looks at risk in a negative light, whereas the PMBOK definition accounts for both the negative and positive aspects of risk. The last way we can define risk is with a mathematical equation. The equation is simple: Risk = Probability of occurrence X the impact if it occurs. If the probability of equipment being late is 30% and the economic impact if the equipment is late is $100, then the risk to the organization is $30. Of course, this is only valid over a set of risks and over time. Next we will talk about strategies to affect that simple equation in our favor.
Now that we have defined risk, let’s talk about some risk strategies and give some examples for each. The table below outlines the strategies that we can use for both negative and positive risks.
|Negative Risks (Threats)|Positive Risks (Opportunities)|
|---|---|
|Avoid|Exploit|
|Transfer|Share|
|Mitigate|Enhance|
|Accept|Accept|
The first set of strategies has us either avoiding the risk if it is negative or exploiting the risk if it is positive. This may sound like an impossible task, but it’s not. Many organizations do this today without even thinking about it. Let me give a good example of risk avoidance. How many organizations roll out the first version of any piece of software? The answer is very few. Unless you have a compelling need to get at a particular feature, chances are pretty good that you will wait until the first service pack or two is released. The organization is practicing risk avoidance. It is simply not willing to take on the possible negative effects of the new software until it is more stable. A good example of exploiting happens at the grocery store. When you take a trip to the grocery store for milk and bread, you have no intention of picking up 4 cases of soda. Upon arrival at the store, you find that cases of soda are on sale. You exploit the positive risk and come home with 4 cases of soda to go along with the bread and milk.
The next strategies tell us to transfer or share the risk. The easiest example of transferring is insurance. We purchase insurance to transfer some economic risk that we have to the insurance company for a cost to us. This is typically done for things like car insurance, health insurance, and liability insurance. The risk of the economic impact is transferred to the insurance company. A good example of sharing the outcome of a positive risk would be passing along an unanticipated price break to a client. The positive benefit of the unexpected event is shared between you and the client.
The third set is where we generally spend the most time when speaking of risk in a project or to an organization in general. How can we mitigate or lessen the risk if it is negative? How can we enhance or broaden the risk if it is positive? This brings us back to our risk equation: Risk = Probability of occurrence X the impact if it occurs. In order to mitigate or enhance, we have to effect change on at least one of the two variables in the equation. If we want to mitigate, we must reduce the probability of occurrence or the impact if it does occur. Conversely, if we want to enhance, we must increase the probability of occurrence or the impact if it does occur. Let’s talk through some examples. We can mitigate our risk of not getting equipment on time for a job by having multiple vendors, thereby reducing the probability of occurrence. Another example would be the cost of rework. We can reduce the impact of rework by having a mitigation strategy of QA checkpoints along the way. The theory is that the potential cost impact of rework, if it is not caught until the end of production or deployment, outweighs the additional cost of the QA. Some examples of enhancement can be applied to RFPs and recruiting. For an RFP, you may recommend multiple technologies in the hopes that one of the technologies will resonate with the customer. In this scenario, we are trying to increase the probability of occurrence. In recruiting, we like to interview multiple candidates in hopes of increasing the probability of finding a successful candidate.
This brings us to the final strategy, which is the same for both negative and positive risks. It is acceptance. Please do not confuse acceptance with ignoring. Acceptance means that the risk has been analyzed and vetted and an active decision has been made to accept it. Ignoring is trying to pretend that the risk doesn’t exist when it actually does. Acceptance is often chosen when the other 3 strategies are more costly than the potential impact. Going back to our multiple vendor scenario for parts, if the cost to maintain a second vendor is greater than the potential impact of not having parts on time, then we would choose to go with a single vendor and accept the risk of not having parts on time. Another example comes in the decision making on network redundancy. If the cost of having everything fully redundant outweighs the economic impact to the business of the network being down, then we would choose to accept the risk of the network being down affecting the business until we can get it back online. The key to acceptance is that the risk has been analyzed and that acceptance is an active choice, not a default or passive one.
I hope this brings some clarity to the true definition of risk and some of the strategies for dealing with risk as it relates to an organization. Risk can be negative or positive in its impact to an organization and there are a variety of strategies that can be employed when dealing with risk. The right strategy simply depends on how the organization wants to deal with its impact.
A proven leader, Jeremy Niedzwiecki has over 20 years in the IT industry. As the Director of Customer Support at ABS, Jeremy works to ensure that the ABS Customer Support team continuously provides the highest levels of support possible to ABS clients.