Working on a digital project, you always take risks. At a minimum – not meet the deadlines and budget. Sooner or later the risk will work, and you have a choice how to live with this information: to ignore and hope that you will arrive at a minimum, or take risks under the bridle and start managing them. Risk management is the adoption and implementation of solutions that reduce the probability of force on a project or allow you to manage the budget for the risk that has been triggered. How risk management works and how to use it in digital projects …
Form a risk table
To begin with, risk management is a five-step process …
- Search for the main risks.
- Evaluation of their importance.
- Finding ways to reduce risk.
- Evaluation of the cost of these measures.
- Evaluation of the appropriateness of measures for a given degree of risk.
This is the table in which the identified risks, their consequences, importance and probability are entered. Based on these data, the risks are evaluated, and a decision is made what to do with them. The ultimate goal is to turn each risk into a specific action and assign the person responsible for it.
In the preparation of the risk register, the project manager, the team, and, if necessary, even the customer, can take part.
As a result, you will receive a table with the following fields …
- Cause;
- A description of the risk;
- Importance;
- Probability;
- Effects;
- Estimation of losses;
- Strategy;
- The main scenario;
- An alternate scenario;
- Responsible (for risk management);
- Happened / did not happen (fill in after the fact).
The table will contain all the necessary information to manage risks. And now we will tell you how to get it.
Finding the main risks
Risks are more or less expected and completely unexpected. Scientifically – Known and Unknown.
1) Known risks (in some sources – controlled): If you have already worked in similar conditions and know where the gun can fire. Or heard about it. And you know what to do with the consequences.
2) Unknown Risks (in some sources – uncontrolled): Those that you cannot even imagine because of a lack of information. They appear on new projects and when working with an unfamiliar team. They are difficult to find, it is difficult to prepare for them.
To find and register unknown risks, you need to discuss the project with the team. Preliminary – tell about the goals, objectives and deadlines, familiarize yourself with known risks. And ask each participant to think about what other problems may appear. All emerging ideas are accepted without exception and comments. All the unknown risks you so you will not reveal, but at least find a part.
The reasons for the risks are different: force, human factor, etc. In the table, you can fill in this column in your own way. It is necessary to classify the risks for the reports in the future.
When you realize the scale of possible (and not so) risks, you have to choose from them those that it makes sense to manage. Because trying to lay straw everywhere – expensive, inefficient, and you still do not foresee everything. To choose the most promising risks, you need to assess their importance.
Assessment of the importance of risks
The importance of risk can be obtained in several ways. The first and simplest is to multiply the probability and consequences of the risk. Probability and consequences are estimated on a 10-point scale. The project manager does this based on their experience and knowledge. If they are not enough – you can contact the team, but at this stage it is not necessary.
When the probability and consequences are estimated, the leader multiplies them and obtains an indicator of the importance of the risk. The maximum will be 100 points.
There are no points and school multiplication, and in general the process is a little more complicated.
In the matrix, you need to determine not only the probability of risk on a scale of 1 (100% happen) to 0 (never happen), but also the tone of the consequences – negative or positive. And find the corresponding indicator on the lower scale.
Then you need to determine the level of exposure to the risk: very low, low, medium, high or very high. Find the correspondence on the scale to the left. And after – to find a cell at the intersection of the level of impact and probability. In it, there will be an indicator of the importance of risk. So that you immediately understand whether this indicator is good or bad, the cells are painted in three colors. Green means low risk, yellow – medium, and red – high.
If the importance of some risks you determine by the first method, others – by the second, do not forget to translate the matrix indicators into a 100-point format. This is necessary to then sort out the risks by importance without any problems.
The importance of risks is determined in order to understand what to react first.
Finding ways to reduce the risk
There are four work strategies to reduce risks …
1) Evasion of risk: The goal is to evade the threat and completely eliminate it. It is impossible to implement evasion, and if it is possible, it is technically difficult. And it’s not a fact that the measures taken will work. Probably the only completely working variant of evasion is the complete termination of the project.
2) Transfer of risk: In the case of transfer, you share the consequences of the risk (both bad and good) with the other party. As an option, with the customer or contractor. This can be done in the event that it is impossible to influence the risk. This may be, for example, the suspension of the project due to late payment of bills. To transfer the risk, you need to agree on this with the host party and fix the decision in a contract or agreement.
3) Risk reduction: The purpose of this method is to reduce the likelihood of risks and mitigate their consequences. It is better to start reducing risks at the start of the project. Because the further, the more expensive and more difficult to manage the risk.
4) Acceptance of risk: Those who choose this method resigned themselves to the risk and do nothing active to prevent it. Now if it comes – then they will start working with the consequences. Acceptance is appropriate if you cannot avoid risk, and transfer it – expensive and unjustified.
In acceptance, you can act actively or passively. Passively – just record what to do when the threat turns into reality. Actively – to establish a reserve for possible losses: additional time or money.
In the risk register in the “Strategy” column, enter the method of reduction. It is necessary to do this for every risk. And, based on the strategy, think up and write down the main and reserve scenarios of actions in case the risk is working.
And do not forget to appoint a person responsible for each risk, otherwise the sense from the scripts will not be enough. Must be someone who will monitor their implementation.
In public areas, there are always signs with evacuation plans, on which the person responsible for fire safety is registered. The same in risk management – there must be someone who is responsible for the organization of the relevant procedures. And vice versa – if nobody directly answers for an activity for an activity, then the general director is responsible for it. The same in digital projects. If the person responsible for managing a particular risk is not appointed, then this is the task of the project manager.
The cost of risk reduction measures
At a stage where you appreciated the importance of risk, chose a way to reduce it and painted detailed scenarios, it’s time to analyze everything and understand how much it will cost.
One of the methods by which you can assess the risk is the analysis of the expected monetary value. To calculate it, you must multiply the value of each possible result by the probability of its occurrence, and then add together the values obtained. The possible result is expressed in money. For unfavorable risks, the indicator will be negative, positive for positive ones.
In case the project is small and does not involve serious risks, you cannot bother with the formulas, but involve experts for evaluation.
On our project, there is a risk that when the deadline remains a week, the lead developer will go to the hospital. Then the team will decrease by one person, the project will not be delivered on time, and the implementation will require five additional working days.
Let’s estimate the importance of risk. The probability of a ten-point scale is 5 and the consequences are 7. The consequences are of such force, because the company signed a contract with penalties in the event that the deadline is disrupted. Multiply 5 and 7 to get importance. It turns out 35 out of 100 – even less than half. By the matrix of probabilities and effects, we are in the green zone. In this situation, we can easily assess the risk in money. The forfeit amount is 1% of the contract amount per day, 1000 dollars. In total, in case of a risk, we lose 5000 dollars.
There are losses that can not be quantified, for example, reputational ones. But in this example, let’s say that they will not be, because the customer does not have a clear start date, he is a loyal customer and, in general, a darling.
So is it worth it for 5000 dollars to bother and before planning to send a developer for a survey in the hospital? We decided for ourselves that, since the importance of risk is small – only 35 – it’s not worth it. Therefore, our strategy in this case is acceptance. The main scenario is to do nothing and take action only if the developer really gets sick.
Among the managerial managers, there is an opinion that risk management is untenable – therefore, it is rarely resorted to. But this is not entirely true. Risk management is useful in helping to minimize risks at the concept stage – it is much cheaper than at the stage of assembly. Indeed, on small projects to maintain such a table and account for the risks that arise are redundant. But on long-term, mature projects with large budgets and complex interactions, risk management is an irreplaceable thing.