Risk management

Risk Assessment Guide for Your Project and Workplace

Conduct a risk assessment to think about the additional risks that COVID 19 introduces into your project or workplace, and the steps you need to take to control the risks.

Sample Project Risks

#1 Sponsor support

Having no project sponsor or losing one in the middle of a project.

#2 Budget risk

Estimates or assumptions built into your project budget turn out to be inaccurate.

#3 Change propagation

Changes cause an unexpected negative impact on the product, people or process.

#4 Integration risk

Integration of technology, processes, or information fails.

#5 Resource risk

Failing to meet a goal due to a lack of resources.

#6 Contract risk

Facing losses as a result of the other party not fulfilling the terms of a contract.

#7 Disputes

Disagreements with an employee or stakeholder could disrupt your project.

#8 Scope creep

Scope creep is often a result of poor change control.

#9 Technology risk

Technology failures disrupt your project.

#10 Schedule risk

The project takes longer than planned.

#11 Project dependencies

Activities rely on the completion of another activity.

#12 Project assumptions

Assumptions are accepted as truths at the start of a project, though they turn out to be false.

#13 Skills risk

Team members are inexperienced and lack the necessary skills to complete the project.

#14 Stakeholders

Lack of stakeholder commitment, or conflict between stakeholders, disrupts the project.

#15 Health & Safety

Failing to foster a safe and healthy work environment.

#16 Regulatory risk

Change in regulations or legislation affects the project.

#17 Quality risk

Losses due to quality that fails to meet your quality goals.

#18 Project complexity

Underestimating the complexity of the project.

#19 Supplier risk

Supplier fails to deliver on their commitments to you.

#20 Security risk

Physical or information security incident.

Risk Assessment: What is it?

Risk Assessment, team performing tasks

Risk assessment is a systematic process of evaluating potential risks.

According to the international risk management standard ISO 31000, risk is the "effect of uncertainty on objectives".

The term "risk" has many definitions depending on the context. One of the common definitions of risk is uncertainty - an event may or may not happen. In cybersecurity, risk is a result of a threat exploiting a vulnerability.

risk management

Sometimes risks are mistaken as issues. However, issues are events or problems that are already currently happening. Risks are problems that may happen in the future.

Why do you need a Risk Assessment?

Doing a risk assessment provides an opportunity for your whole team to take part in identifying key risks and get a mutual understanding of critical issues that might impact on your success.

  • Performing a risk assessment enables you to identify assets, threats and vulnerabilities in order to make better decisions about which controls to use.
  • Recognize and prevent potential threats.
  • Determine your company's preparedness.
  • Identify which assets need to be protected.
  • Create awareness of risk.
  • Prepare for challenges, so you can respond to incidents more effectively as they come.
  • Meet legal requirements where applicable.
  • Establish priorities.
  • Reduce the likelihood and impact of undesirable events.
  • Reduce costs and damages.

When should you do a Risk Assessment?

When should you conduct a risk assessment? It depends on your field, size of your project, context and complexity. Some teams do small risk assessments in the beginning of each sprint. Even though the use of Scrum reduces lots of project risks, doing risk assessments is crucial, and bring various benefits.

Developer, doing a cyber risk assessment

Here are a few questions, to help you decide when to carry out a risk assessment:

  • Has the scope of the project changed?
  • Are there new activities or events coming up?
  • Have there been any other changes, such as new technology or new procedures, which could lead to new risks?
  • Have employees or stakeholders spotted problems, for example faulty equipment?
  • Does your project have a legal timeframe to carry out a risk assessment review? Or regulatory requirements?
  • Do you need to do a risk assessment for insurance purposes?
  • Has there been unusually high staff turnover?
  • Has there been an unusual volume of sickness absences?
  • Have there been complaints of stress or bullying?
  • Have there been other big changes at the workplace, or in the project?
  • Where are you on the project lifecycle?
  • What is the particular risk culture you are working in (e.g. risk tolerant or risk avoidant)?

Risk management is everyone's job

"...and senior management is ultimately responsible for residual risks"

What should you do before a Risk Assessment?

  • Establish a risk management framework to ensure your risk assessments are consistent, valid and comparable.
  • Define your "risk appetite" together with management. Risk appetite is the level of risk that your company is prepared to accept before action is considered necessary to reduce the risk.
  • Determine the scope of your risk assessment. What are you trying to achieve?
  • What laws and regulations apply to your business?
  • Who are the stakeholders involved?
  • Do you have a list of your assets? What do you need to protect? E.g. software, hardware, people, services, intangible assets, information assets.
  • Who can help you identify risks?
  • Does your company have a risk registry?
risk management

What is the Risk Assessment process?

Step 1: Identify risks

There are various ways to identify risks, you should use a combination of methods, depending on your context:

  • Root Cause Analysis
  • Documentation Reviews
  • Risk Breakdown Structure
  • Threat modeling
  • Pre-mortem
  • Post-mortem
  • Nominal group technique
  • Facilitated workshops
  • Scenario analysis
  • Brainstorming
  • Interviews
  • Cause and effect diagrams
  • Delphi technique
  • Affinity diagrams
  • Prompt list
  • Checklist analysis
  • Failure Modes and Effects Analysis
  • Assumption analysis
  • Do a visual inspection of the area
  • Inspect accident / incident reports
  • Inspect engineering change proposals, technical publications, manuals, or safety data sheets.
risk management

Step 2: Analyze risks

Rate risks based on their impact and likelihood.

User feedback for finnovatec "Risk is the combination of the impact and likelihood of the event occurring."

Step 3: Assign risk owners

Who is responsible for monitoring and managing the risk? Not every identified risk will require an owner. In fact, if your team has hundreds of risks identified, assigning a risk owner for each one will overwhelm you and your team. Instead, start with the most critical risks.

Step 4: Evaluate and prioritize risks

Based on the rating, find out which risks are unacceptable and urgent to be mitigated.

Step 5: Control risks

Identify solutions against those risks which are seen as a priority. What are you already doing? What further action is necessary? Action by whom? Action by when?

Step 6: Monitor and review

Communicate results from the risk assessment with your team and relevant stakeholders. Continue to monitor risks. Check in with your risk owners regularly.

risk management

What is a Risk Assessment Matrix?

You can use a risk matrix to understand and observe the level of risk. There are several types of risk matrices, at finnovatec we use the qualitative 5 x 5 matrix. The combination of the likelihood and impact gives us a risk rank.

Risk = Impact * Likelihood

There are both benefits and challenges to using a Risk Matrix.

risk matrix 5x5

The example matrix above categorizes risks into 3 levels; low, medium and high. Risk ranking is based on a matrix with axes for likelihood and impact. The risks in the green-ish area are low impact and low likelihood. Risks in the red-ish area are high impact and high likelihood.

It's important to be cautious of low likelihood, high impact events. Gordon Graham explains High-Risk, Low-Frequency Incidents in an engaging way. We highly recommend watching his video on the topic.

Risk matrices are simple to use, however they sometimes give a false sense of security. The assessment of risk's likelihood and impact is an estimate only, doesn't include an assessment of timeframes (for example when the risk might materialize), and is often biased.

Sometimes assigning a risk rating can oversimplify the complexity, and doesn't take into account how risks interact with each other.

However, a qualitative approach to rating risks makes it easier to understand and observe the level of risk. It's a simple method to implement and introduce to a team not yet familiar with risk management. It promotes discussion, makes the analysis process faster, and helps to prioritize and evaluate the most important areas of risk.

risk management

How can you manage Risk?

Once risks have been identified, there are several ways to manage them. Here are four major categories: Avoid, Reduce, Share or Retain.

We found the ROAM technique (SAFe, 2019) of managing risks useful in our projects:

1. Resolve the risk — The risk is not a problem.

2. Own the risk — Someone in the team takes ownership of the risk, as it was not resolved in the meeting.

3. Accept the risk — The risk cannot be resolved, so it has to be understood and accepted for what it is.

4. Mitigate the risk — Make a plan to reduce the risk.

What are Residual and Secondary Risks?

When managing risk, often new risks are triggered. Remember to think about the risk that remains after controlling it (i.e. "residual risk"). And what are new risks that come as a result (i.e. "secondary risks")?

Remember to Assess Risk Interactions

Take a holistic view of risks, by managing how they interact (Deloitte & Touche, 2012). Some risks might be considered small, yet as they interact with other risks, events, or conditions, they might cause great damage, or create a significant opportunity.

risk management

Managing risks is an ongoing process

It’s impossible to predict every potential risk but with strategic planning and collecting information beforehand, you can anticipate problems. With that information, your teams can develop control measures that can help you to deal with the risks.

The main goal of performing a risk assessment is to reduce risks to a level that your company will accept. Management needs to decide what resources (e.g. budget, hardware or time) to dedicate to controlling risks. Remember that senior management is ultimately responsible for residual risks, meaning the amount of risk that remains after mitigating risks.

Determine what you need to protect

You need to determine what assets you need to protect and prioritize on. As the National Institute of Standards and Technology (NIST) explains in its Framework for Improving Critical Infrastructure Cybersecurity, no solution fits all companies out-of-the-box. Your company has different potential risks than other companies.

project risk
Project team
project risk
Manager

What you need for a remote Risk Assessment workshop?

your team Your team and relevant stakeholders

time 1 - 2 hours

For best results

  • Send the information (e.g. Risk Management Policy, Framework, Guideline, Risk Register) to the participants before the workshop.
  • If you have more than 10 people participating, break the group into smaller teams.
  • Define the scope of the risk assessment.
  • No idea is stupid.
  • Start with solo brainstorming, where each participant silently writes down all of their ideas.
  • Differentiate between “Issues” and “Risks”.
  • Update the assessment periodically. Brainstorm on potential new risks.

Once you have assessed the risks to your team or project and made an action plan on how to mitigate risks, in some cases it is important to have your risk assessment reviewed. If you identified employee health and safety risks, you can get a professional occupational safety and health specialist to review your assessment. It is also important to record those risks that are already under control. That way you get a summary of the overall safety and health risks in the workplace and the key areas for development.

Enjoy the rest of your Thursday!

Bibliography

  • World Health Organization: Getting your workplace ready for COVID-19 (PDF) Source
  • Workplace Health and Safety, Electrical Safety Office, Queensland Government: Coronavirus (COVID-19) workplace risk managementSource
  • ISO 31000:2018, (2018) Risk management – Guidelines, provides principles, framework and a process for managing risk. Source
  • Deloitte & Touche LLP. (2012). Risk assessment in practice. Deloitte. Source
  • Shore, D. A. (2016). What Could Go Wrong? How to Manage Risk for Successful Change Initiatives. Harvard Professional Development. Source
  • American College of Healthcare Executives. (2017). Leading a Culture of Safety: A Blueprint for Success. Source
  • PwC Risk in Review. (2017). Managing risk from the front line. PwC. Source
  • Canadian Centre for Occupational Health & Safety, 2019 Source
  • Park, K. (2015). Risk angles. Deloitte. Source
  • Perez, J. C. (2016). Assessing risk from vendors and other third parties is key to business success. Qualys Blog. Source
  • Wallis, P. (2012). Risk management, achieving the value proposition. Government Finance Review. Source
  • The Institute of Internal Auditors. (2014). Managing third-party risks. Source
  • NIST, Framework for Improving Critical Infrastructure Cybersecurity (2014) Source
  • Boyle, T. (2002). Health and safety: risk management. England: IOSH Services Limited.
  • ISO/IEC 27001 Information security management (2017) Source