Risk assessments have become more common recently, and for good reason. We read headlines daily about data breaches, high-dollar investments gone wrong, and companies that took a market risk that didn’t pay off.
Risk increases as a result of change, whether internally or externally triggered. Examples of internally driven change include executing a new project, launching a new product, or changing a process. Regulatory requirements, market changes, competitive challenges, and new security threats change the risk profile even when a company is conducting business as usual. Enterprises are never done with assessing risks; there is no such thing as “steady state” when it comes to risks.
Risks, or threats, have been described as unrealized constraints; that is, something that may occur but is not yet proven to be true. Risks may be wholly or partially within our control. They may be something we can prevent, something we can recover from, or something we can live with should they occur.
Here I provide a simple framework to identify the risks, rank them in a priority order, and determine what action, if any, must be taken for each.
External changes are often industry dependent. Consider these, which are largely outside a company’s control:
Internal changes can include process changes, reorganizations, and projects. Each carries unique risks, but many are common to all three:
Risk Assessment Framework
Five basic questions are common to all risk assessments:
We can enter the answers to these questions in a simple matrix that will include calculations to rate and prioritize each risk, and allow you to balance the cost of mitigation against its impact and the likelihood of its occurring.
Initially, list these elements for each risk identified:
Now multiply the number for the likelihood of the risk being realized by the number representing the impact. This results in a ranked list of risks, the first part of your matrix.
As an example, in Table 1 the impact of customer dissatisfaction and loss of orders for a new product may seem like a very important risk to mitigate, but it has been ranked as unlikely to occur. Therefore, the possibility of the vendor delivering the needed equipment late will be prioritized over the training budget when considering mitigation strategies.
Once the risks have been ranked and ordered, consider what it will take to mitigate each risk. Develop a list of options that includes what you might do to prevent it from occurring, or to recover if the risk occurs. Estimate the cost for each option, again using a 1-2-3 ranking. Table 2 provides an example of three options developed for the risks listed in Table 1, and the cost for each.
Giving absolute scores to these factors allows you to balance the cost of your mitigation strategy against the priority of each risk. In some cases, where probability and impact both are low, the choice to do nothing is a valid one. Each mitigation strategy needs to be funded as a contingency in the budget, and returned to the funding body if the risks are not realized.
In some cases, where risk impact and probability are both low, you may choose to do nothing. This is a valid choice, but once a risk is identified the decision to mitigate or accept the risk belongs to the project’s sponsor. It is critical to discuss and document all such decisions, and it’s always wise to require formal approval or signoff by the sponsor of the change.
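The scoring steps above as a small risk register, added here as an illustration and not taken from the article: likelihood and impact on the 1-2-3 scale are multiplied, the risks are ranked, and either the cheapest listed option or acceptance is proposed for sponsor signoff. The sample numbers, the option names, and the `accept_at_or_below` cut-off are assumptions.

```python
from dataclasses import dataclass, field

SCALE = (1, 2, 3)  # 1 = low, 3 = high: the 1-2-3 ranking used for every factor

@dataclass
class Option:
    name: str
    cost: int  # 1-2-3 cost estimate for this mitigation option

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    options: list = field(default_factory=list)

    def __post_init__(self):
        # Reject anything off the scale so scores stay comparable across risks.
        for v in (self.likelihood, self.impact, *(o.cost for o in self.options)):
            if v not in SCALE:
                raise ValueError(f"{self.name}: {v} is outside the 1-2-3 scale")

    @property
    def score(self):
        return self.likelihood * self.impact

def build_register(risks, accept_at_or_below=1):
    """Rank by score (highest first) and draft a proposal for each risk.
    accept_at_or_below is an assumed cut-off; the sponsor still decides every row."""
    rows = []
    for r in sorted(risks, key=lambda r: (-r.score, r.name)):
        cheapest = min(r.options, key=lambda o: o.cost, default=None)
        if r.score <= accept_at_or_below or cheapest is None:
            proposal, cost = "accept (do nothing)", 0
        else:
            proposal, cost = cheapest.name, cheapest.cost
        rows.append({"risk": r.name, "score": r.score, "proposal": proposal,
                     "cost": cost, "sponsor_signoff": "PENDING"})
    return rows

# Constructed sample values; they are not the figures from Table 1 or Table 2.
SAMPLE = [
    Risk("Customer dissatisfaction, lost orders", likelihood=1, impact=3,
         options=[Option("Pilot with key customers", 2)]),
    Risk("Vendor delivers equipment late", likelihood=3, impact=2,
         options=[Option("Second supplier", 3), Option("Penalty clause", 1)]),
    Risk("Training budget shortfall", likelihood=1, impact=1,
         options=[Option("Train-the-trainer", 1)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
```

Every row starts with `sponsor_signoff` set to `PENDING`, so an accepted risk is recorded and approved the same way as a mitigated one.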
The scales presented can be expanded to provide more granularity if there are many competing risks. You may also choose to employ a High/Medium/Low scheme and skip the math, and simply eyeball the impacts and costs.
Make no mistake, risk assessments are not simple. Methods such as the one described above can aid the project owner in quantifying risk factors, but there is skill, art, and experience required both in identifying risks and in deciding what to do about them. Bring in experts from across all functions to brainstorm the topic. Spend this time and effort as you are planning any change, at the first indication of a significant environmental change, and on anything that hasn’t had a risk assessment for a period of time. You can’t afford not to.