Nutshell: It’s a risky business

Written by Future Talent Learning | May 20, 2022 12:56:42 PM

Understanding how risks can be identified, mitigated and managed can take the sting out of planning for the unknown.

Risk. It’s not a nice word. In fact, it can seem quite scary, reminding us that anything we do at work (and in life) is not without its potential downsides.

 

How we think about risk, whether we actively embrace it or avoid it at all costs, can make all the difference to how we live our lives and forge our careers. But, whatever our risk appetite, we know that stuff happens; things can and do go wrong.

 

The secret, as it says in large, friendly letters on the cover of The Hitchhiker’s Guide to the Galaxy: “Don’t panic”. Like so many aspects of leadership, understanding what risk really is and how it can be tamed is the first step to making it feel much less frightening.

 

Whatever we do at work, risk is an inevitable part of the deal. Whether we’re running an established business or team, managing projects or anticipating change, we need to understand the risks we face, how they break down into different types of risk and how to manage and mitigate them.

 

For example, because projects involve change and the new, they can feel inherently risky. That can be unsettling, especially if there’s a lot riding on outcomes. We also know that staying in our comfort zones is not an option when it comes to making progress, identifying projects and seeing them through to completion.

 

That’s why, as part of the project planning process, we need to understand and manage the risks that could threaten our success. We may not all subscribe to the Zen saying “Leap and the net will appear”, but we can do everything possible to make sure the net is there if we need it.

 

Managing uncertainty

The essence of risk management is managing uncertainty. We can’t remove risk entirely: as former US secretary of state Donald Rumsfeld famously said: “There are also unknown unknowns – the ones we don’t know we don’t know.”

 

But we can follow some tried-and-tested methodologies for identifying risks, analysing their likelihood and impact, deciding how we manage or mitigate them (or not) and then taking action. The aim is to identify and analyse risks regularly, balancing the need to have our risk profile front of mind without becoming so risk-averse that we can’t move forward.

 

We can do this by capturing a summary of the risks we face, their likelihood and potential impact, in a risk register or log. This gives us a baseline for a risk management process that, like so many processes, is cyclical. As we make progress, and things shift and change, we need to keep monitoring the associated risks and adjust how we might respond.

 

The mismanagement of risks can be a major contributor to problems at work, even failure. If risks are either not planned and prepared for, or action isn’t taken at the right time to lessen the blow, then we’re in trouble. That’s why a good risk management process is needed to help plan for those unknown unknowns. 

 

The risk-management process

Risk management is the process we use to try to reduce or manage risk. The process comprises four steps (with the fifth being 'take action').

 

  1. Identify risks
  2. Assess risks
  3. Decide what to do
  4. Monitor risks

Each step will need to be revisited regularly.

 

1. Identifying risks

Step one is to identify all the possible foreseeable sources of risk we face. Brainstorm with key stakeholders and team members or conduct structured one-to-one interviews to solicit expert opinions.

 

It can be helpful to consider risks in different categories. For example, project management expert Mike Clayton suggests using the SPECTRES acronym to define risks and remind us that there are eight potential sources of risk that might come back to haunt us:

 

Social – risks from society or social interactions.

 

Political – risks from national, local or regional politics and regulatory implications.

 

Economic – the financial risks that can impact a project, such as materials and people costs. 

 

Commercial – competitive pressures and the commercial environment, for example, supply chains. 

 

Technology – technology might let us down or be superseded.

 

Regulation – regulatory risks including health and safety regulations and legislation or compliance.

 

Environmental – both global and local environmental factors such as air conditions.

 

Safety – where harm to people, data or buildings might come from.

 

A simpler categorisation might be to divide risks into those that are:

  • Strategic

  • Operational

  • Financial

  • Related to people, regulation or governance

The categorisation we choose will reflect the complexity and scope we need to take into account, and will emerge as part of our brainstorms.

 

2. Assessing risks 

Once we’ve identified key potential risks, we need to analyse their potential impact, asking two key questions:

  • What is the probability of the risk occurring?

  • If it does happen, what’s the likely impact?

This will help us to rank the risks in order of significance, so that we can prioritise those which have the greatest potential to derail us.

 

We could allocate qualitative descriptors (high, medium, low probability/impact) which will help us to create a risk assessment matrix for key risks, a clear, visual way to identify the double whammy of high probability and impact.

 

We might also 'score' each risk quantitatively by multiplying the probability of the risk occurring by the impact to give each risk a significance score which can then be ranked. In this case, we might allocate a range of scores to arrive at an assessment matrix.

 

For example, if we have identified the loss of a key team member as a key risk, and, using a 1-5 scale, we analyse the likelihood of that happening as a 4, and its impact as a 5, then the overall score for that risk is 20, giving it a high priority on our matrix.

 

This might compare with another risk that has a probability of 2 and an impact score of 3, giving a total score of 6 – clearly a less significant risk, with a low priority on the matrix.

 

Risk assessment is a snapshot of a point in time and the assessment is by no means definitive as circumstances change. It’s vital to constantly revisit, review and react to the risk assessment as things change.

 

3. Decide what to do

Once our risks have been assessed, we can create a plan of action. This can be tricky. Not only are decisions made in the face of uncertainty, but risks and their related outcomes are likely to be interlinked. Although not applicable to all risks, there are likely to be six options available:

 

Accept it
Sometimes, the best course of action is to do nothing. Perhaps there’s only a small impact if the risk occurs, or there’s no easy way of getting around it, but there’s not reason enough to stop the project from proceeding.

 

Prevent it
Take action to ensure the risk doesn’t happen. However, it must be worth spending the extra time, effort or cost needed and the action shouldn’t negatively impact the project’s objectives.

 

Reduce it
Lower the probability of the risk occurring and its potential impact.

 

Mitigate it
Devise a plan of action to minimise the impact of a risk if or when it should occur.

 

Make contingency plans
Set aside time or resources to call upon should a risk occur. This is important for identified risks as well as for unforeseen events.

 

Transfer it
Sometimes it’s possible to give the risk to another party to deal with, usually for a fee. That’s exactly what insurance companies do.

Another way of summarising different risk responses is by using the 4Ts: tolerate, terminate, treat and transfer.

 

Tolerate
Sometimes it’s ok to do nothing if the likelihood and impact of the risk are low. We can decide to simply live with the risk because we deem it acceptable. Remember to log and monitor the risk because retaining a risk should always be an informed decision — we should never retain a risk by default.


Terminate
Sometimes a risk is so far outside our appetite, or it’s been assessed as having such a severe impact on the project, that we simply have to stop and terminate the activity causing it.


Treat
If a risk is severe, we’ll almost certainly want to take action to reduce the likelihood of the risk occurring, or the severity of the consequences if it does.


Transfer
We can transfer the risk to another party. However, insurance isn’t always available and sometimes while we can transfer the activity to a third party, we’ll still retain liability if things go south.

 

As well as planning the action to take against each risk, we also need to identify when and under what circumstances the action should be taken. There’s no point in having a brilliant plan if it’s not implemented when it’s needed.

Risks are more likely to be avoided, or their impact lessened, if action is taken sooner rather than later. Everyone should know how to identify the indicators of each risk and what the plan is should the risk occur.

 

4. Monitor risks

Risk management is a continuous process and identified risks need to be tracked regularly. But it’s not just the identified risks that we need to keep our eyes on; we also need to be on the lookout for other, new sources of risk. We need to stay on top of them, keep the risk register up to date and regularly review the status of each risk.

 

If people have been nominated as responsible for certain risks, they should report back on the risk status at regular intervals with a risk report including:

  • actions taken since the last update.

  • changes in risk status.

  • next actions.

  • any new issues.

  • effects on the project.

Risk should be discussed regularly. It’s common, for example, for an organisation’s board or senior management team to review their risk register as a routine agenda item at meetings. It’s important to keep on top of things like any risk indicators or new sources of risk.

 

The discussions should be open and free of blame. If people hide information through fear of repercussion, risks may not be dealt with until it is too late.

 

Risk registers

When we have the key stages of the risk management process in place, we can capture them using a risk register or a risk log.

 

This is where we document the results of our analysis and risk response planning.

 

In our register, we can include:

  • our list of risks, perhaps ordered by categories.

  • a description of each.

  • the probability of the risk happening, its impact and an aggregate score/priority level.

  • the response (mitigation) we’ll take.

  • the risk owner.

A colour-coded risk assessment matrix can help us to see immediately which of the risks we need to prioritise. Once the analysis is done, the registers themselves are sometimes organised by risk priority too, with high-ranking risks appearing first within each category.

 

Consider this as a living document that will need regular adjustment to keep it updated as circumstances change.
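
The scoring from step 2 and the register fields listed above can be combined in a few lines of code. This is an added example, not part of the original article or its template; the priority band thresholds, the category labels and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Band thresholds are an assumption for this example; the article only says
# that a score of 20 is high priority and a score of 6 is low priority.
HIGH_FROM, MEDIUM_FROM = 15, 8


@dataclass
class Risk:
    category: str      # e.g. strategic, operational, financial, people
    description: str
    probability: int   # 1-5 scale
    impact: int        # 1-5 scale
    response: str      # accept, prevent, reduce, mitigate, contingency, transfer
    owner: str

    def __post_init__(self):
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def priority(self) -> str:
        if self.score >= HIGH_FROM:
            return "high"
        return "medium" if self.score >= MEDIUM_FROM else "low"


def build_register(risks):
    """Order risks by category, highest score first within each category."""
    return sorted(risks, key=lambda r: (r.category, -r.score))


# Constructed sample entries; the first two use the scores worked through in step 2.
SAMPLE = [
    Risk("People", "Loss of a key team member", 4, 5, "make contingency plans", "Project lead"),
    Risk("Operational", "Supplier delivers late", 2, 3, "accept", "Procurement"),
    Risk("Strategic", "Chosen platform is superseded", 3, 3, "reduce", "Tech lead"),
    Risk("People", "Stakeholder resistance to change", 3, 2, "mitigate", "Sponsor"),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE):
        print(f"{r.category:<11} {r.score:>2} {r.priority:<6} {r.description} -> {r.response} ({r.owner})")
```
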

 

Our risk register template will help you to create your own version.

 

As the banker Walter Wriston observed: “All of life is the management of risk, not its elimination.” But this doesn’t have to be overly complicated, provided that we bear in mind some key tips:

 

  1. Identify potential risks (the SPECTRES acronym might help).

  2. Keep a running risk list to use as a checklist.

  3. Focus on what matters most: what will have the biggest impact?

  4. When estimating risk likelihood, keep it simple, with either a narrative (low, medium, high) or a simple scoring system.

  5. Remember the four Ts of risk mitigation: tolerate, terminate, treat and transfer.


So, while there may well be unknown unknowns just around the corner, if we’re forearmed and forewarned, there’s really nothing to fear.

Test your understanding

  • Explain the five steps of the risk management process.

  • Identify the four Ts of risk mitigation.

What does it mean for you?

  • Think of a simple project you might be planning. Identify just five key risks and run through the steps of the risk management process to practise creating a risk register.