Conduct a risk assessment to think about the additional risks that COVID 19 introduces into your project or workplace, and the steps you need to take to control the risks.
Having no project sponsor or losing one in the middle of a project.
Estimates or assumptions built into your project budget turn out to be inaccurate.
Changes cause an unexpected negative impact on the product, people or process.
Integration of technology, processes, or information fails.
Failing to meet a goal due to a lack of resources.
Facing losses as a result of the other party not fulfilling the terms of a contract.
Disagreements with an employee or stakeholder could disrupt your project.
Scope creep is often a result of poor change control.
Technology failures disrupt your project.
The project takes longer than planned.
Activities rely on the completion of another activity.
Assumptions are accepted as truths at the start of a project, though they turn out to be false.
Team members are inexperienced and lack the necessary skills to complete the project.
Lack of stakeholder commitment, or conflict between stakeholders, disrupts the project.
Failing to foster a safe and healthy work environment.
Change in regulations or legislation affects the project.
Losses due to quality that fails to meet your quality goals.
Underestimating the complexity of the project.
Supplier fails to deliver on their commitments to you.
Physical or information security incident.
Risk assessment is a systematic process of evaluating potential risks.
According to the international risk management standard ISO 31000, risk is the "effect of uncertainty on objectives".
The term "risk" has many definitions depending on the context. One common definition is uncertainty: an event may or may not happen. In cybersecurity, risk is the potential for loss that arises when a threat exploits a vulnerability in an asset; it is usually expressed as a combination of how likely that is to happen and how severe the impact would be.
Risks are sometimes mistaken for issues. However, issues are events or problems that are already happening; risks are problems that may happen in the future.
Doing a risk assessment gives your whole team an opportunity to take part in identifying key risks and to reach a shared understanding of the critical issues that might affect your success.
When should you conduct a risk assessment? It depends on your field, the size of your project, its context and its complexity. Some teams do a short risk assessment at the beginning of each sprint. Even though Scrum reduces many project risks, doing risk assessments remains crucial and brings various benefits.
Here are a few questions to help you decide when to carry out a risk assessment:
There are various ways to identify risks; use a combination of methods, depending on your context:
Rate risks based on their impact and likelihood.
"Risk is the combination of the impact and likelihood of the event occurring."
Who is responsible for monitoring and managing the risk? Not every identified risk needs an owner. In fact, if your team has identified hundreds of risks, assigning an owner to each one will overwhelm you and your team. Instead, start with the most critical risks.
Based on the rating, determine which risks are unacceptable and must be mitigated urgently.
Identify solutions against those risks which are seen as a priority. What are you already doing? What further action is necessary? Action by whom? Action by when?
Communicate results from the risk assessment with your team and relevant stakeholders. Continue to monitor risks. Check in with your risk owners regularly.
You can use a risk matrix to understand and monitor the level of risk. There are several types of risk matrices; at finnovatec we use a qualitative 5 x 5 matrix. The combination of likelihood and impact gives us a risk rank.
There are both benefits and challenges to using a Risk Matrix.
The example matrix above categorizes risks into three levels: low, medium and high. Risk ranking is based on a matrix with axes for likelihood and impact. The risks in the green area are low impact and low likelihood; risks in the red area are high impact and high likelihood.
It's important to be cautious of low likelihood, high impact events. Gordon Graham explains High-Risk, Low-Frequency Incidents in an engaging way. We highly recommend watching his video on the topic.
Risk matrices are simple to use; however, they can give a false sense of security. The assessment of a risk's likelihood and impact is only an estimate, does not include an assessment of timeframes (for example, when the risk might materialize), and is often biased.
Assigning a single risk rating can also oversimplify the situation, and it does not take into account how risks interact with each other.
However, a qualitative approach to rating risks makes it easier to understand and observe the level of risk. It's a simple method to implement and introduce to a team not yet familiar with risk management. It promotes discussion, makes the analysis process faster, and helps to prioritize and evaluate the most important areas of risk.
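As an added illustration of the 5 x 5 matrix described above (example code written for this article, not a tool finnovatec publishes), the following Python scores each risk as likelihood times impact, bands the 25 cells into low, medium and high, sorts a register by rank, and separately flags the low-likelihood, high-impact items that a rank alone would push down the list. The band thresholds, the owner field and the register entries are assumptions constructed for the example; the page does not state where its colour boundaries fall.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Both axes are rated 1 (lowest) to 5 (highest), giving a 5 x 5 matrix.
SCALE = range(1, 6)

# Assumed banding of the 25 cells into three levels (the page does not give
# its thresholds): products of 15 and above are red, 6 to 12 amber, 5 and below green.
HIGH_FROM = 15
MEDIUM_FROM = 6


def risk_level(score: int) -> str:
    """Map a likelihood x impact product to the matrix colour band."""
    if score >= HIGH_FROM:
        return "high"
    if score >= MEDIUM_FROM:
        return "medium"
    return "low"


def risk_rank(likelihood: int, impact: int) -> Tuple[int, str]:
    """Return (score, level) for one cell of the matrix; reject off-scale ratings."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in SCALE:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    score = likelihood * impact
    return score, risk_level(score)


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    owner: Optional[str] = None
    # Expected ratings once the planned control is in place; None means no change.
    mitigated_likelihood: Optional[int] = None
    mitigated_impact: Optional[int] = None

    def inherent(self) -> Tuple[int, str]:
        return risk_rank(self.likelihood, self.impact)

    def residual(self) -> Tuple[int, str]:
        """Rank that remains after the control (the 'residual risk')."""
        likelihood = self.mitigated_likelihood or self.likelihood
        impact = self.mitigated_impact or self.impact
        return risk_rank(likelihood, impact)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken towards the higher impact."""
    return sorted(register, key=lambda r: (-r.inherent()[0], -r.impact, r.name))


def high_impact_low_frequency(register: List[Risk]) -> List[Risk]:
    """Items a plain rank hides: severe consequences but rare, so a low product."""
    return [r for r in register if r.impact >= 4 and r.likelihood <= 2]


def unowned(register: List[Risk], level: str) -> List[Risk]:
    """Risks at the given level that nobody has yet taken ownership of."""
    return [r for r in register if r.inherent()[1] == level and r.owner is None]


# Constructed register, drawn from the risk list at the top of this article.
REGISTER = [
    Risk("Supplier fails to deliver", likelihood=3, impact=4,
         owner="procurement lead", mitigated_likelihood=2),
    Risk("Key team member leaves", likelihood=2, impact=3, owner="delivery lead"),
    Risk("Inaccurate budget estimates", likelihood=4, impact=4),
    Risk("Data centre fire", likelihood=1, impact=5, owner="ops lead"),
    Risk("Scope creep", likelihood=4, impact=2, owner="product owner"),
]

if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        score, level = risk.inherent()
        res_score, res_level = risk.residual()
        print(f"{risk.name:<30} {score:>2} {level:<6} residual {res_score:>2} {res_level}")
    print("Review individually:", [r.name for r in high_impact_low_frequency(REGISTER)])
    print("High risks without an owner:", [r.name for r in unowned(REGISTER, 'high')])
```

Run as a script it prints the register in rank order with each item's residual rank beside it, then the two lists that deserve attention regardless of rank: the rare-but-severe items, and the high-ranked items that still have no owner.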
Once risks have been identified, there are several ways to manage them. Here are four major categories: Avoid, Reduce, Share or Retain.
We found the ROAM technique (SAFe, 2019) of managing risks useful in our projects:
1. Resolve the risk — The risk has been addressed and is no longer a problem.
2. Own the risk — Someone on the team takes ownership of the risk, because it could not be resolved in the meeting.
3. Accept the risk — The risk cannot be resolved, so it has to be understood and accepted for what it is.
4. Mitigate the risk — Make a plan to reduce the risk.
Managing a risk often triggers new risks. Remember to think about the risk that remains after controlling it (the "residual risk"), and about the new risks that arise as a result of the control itself (the "secondary risks").
Take a holistic view of risks, by managing how they interact (Deloitte & Touche, 2012). Some risks might be considered small, yet as they interact with other risks, events, or conditions, they might cause great damage, or create a significant opportunity.
It's impossible to predict every potential risk, but with strategic planning and information gathered beforehand, you can anticipate problems. With that information, your teams can develop control measures that help you deal with the risks.
The main goal of performing a risk assessment is to reduce risks to a level your company is willing to accept. Management needs to decide what resources (e.g. budget, hardware or time) to dedicate to controlling risks. Remember that senior management is ultimately accountable for residual risk, the risk that remains after mitigation.
You need to determine what assets you need to protect and prioritize on. As the National Institute of Standards and Technology (NIST) explains in its Framework for Improving Critical Infrastructure Cybersecurity, no solution fits all companies out-of-the-box. Your company has different potential risks than other companies.
Your team and relevant stakeholders
1 - 2 hours
Once you have assessed the risks to your team or project and made an action plan for mitigating them, in some cases it is important to have your risk assessment reviewed. If you identified employee health and safety risks, you can ask a professional occupational safety and health specialist to review your assessment. It is also important to record the risks that are already under control. That way you get a summary of the overall safety and health risks in the workplace and of the key areas for improvement.
Enjoy the rest of your Thursday!