How to Write a Foolproof Risk Management Plan
Help! I need to write a foolproof risk management plan!
A foolproof risk management plan? Now that’s a risky proposition. If you are a new business owner - everything seems like a risk. The entire course of action that brought you to this point involved undertaking some level of risk. And seasoned business leaders also know that the need to manage risks never ends.
But let’s face it, creating a risk management plan can be frustrating. It can seem overly time consuming… who wants to deal with the negative aspects of project management anyway, especially when the biggest risk seems to be the risk of falling behind? And it can seem daunting… what if you overlook a major risk? What if there’s a risk that you can’t easily solve?
Risks can feel like they are unmanageable. But hiding your head in the sand –even if it’s a software sandbox- isn’t going to do a bit of good. Identifying and managing risks can be the difference between success… and failure.
Anath Lee Wales, author of Your Life can be Changed: the True Guide to Become a Change Maker! hammered home how important risk management is, stating, “every entrepreneur must master the art of risk management, the truth of why a few are successful stands here.”
Risk management plans aren’t about avoiding risk. We undertake risks to push the envelope of the doable and to create amazing solutions. Mary Poppendieck, author and speaker on agile development, said it well, “Risk management is not about avoiding risk, it’s about making better decisions,”
Read on for some solid steps to create a risk management plan that can address those risks and help you make effective decisions to guide your next project to a successful completion.
Create a foolproof risk management plan, one step at a time
Ok, so in the world of risk, nothing is entirely foolproof. And part of understanding risk is understanding nothing is absolutely risk-free. The good news about creating an effective risk management plan is that there are several agreed-upon steps out there. Follow this list to create a risk management plan that works.
1. Identify key stakeholders and expose potential threats
This may sound more CIA than PMI (Project Management Institute), but it’s true that just as we have to name our goals and objectives in order to achieve them, we have to take the time to identify possible risks in order to manage them.
This includes identifying any potential threats to the project, its deliverables, its budget, and its timeline.
And it’s not just an isolated process in which you create a “risk list” yourself. The risks you see may seem like the most obvious and most important. But there are hidden risks that only your stakeholders can articulate. Since stakeholders include a range of individuals and groups impacted by your project–such as your customers, project sponsors, organizational leadership, outside vendors, and project partners–take the time to identify them in order to engage them in the process.
So how do we best expose project risks? Practice ongoing risk identification, including obtaining feedback from all stakeholders. The way you collect this information can take a variety of forms, depending on what’s appropriate for each situation or stakeholder group.
Here are a few specific sources to identify risks:
Facilitated sessions - more than just a high-level identification of potential concerns, facilitated sessions can allow you to dig into an explanation of the risks that stakeholders identify.
These sessions work particularly well with groups who are truly onboard your project effort. Your team, product advisory councils, and partner groups are all natural fits for facilitated sessions.
While these types of sessions are particularly valuable, so is your participants’ time. Don’t waste it. Keep the sessions focused and well managed, making sure to “circle back around” to provide status on your efforts.
Risk management on the agenda - add risk management as an ongoing agenda item in key meetings. An ongoing focus on risk mitigation helps create trust and customer satisfaction.
Sales as a signal - create a channel of communication with your sales team to collect risk information as they encounter impediments to driving sales. These could be caused by project risks.
Help from help desks - help desks are an often overlooked but rich source of information for identifying risks. Help desks get key details on what is really bothering the customer. Working with your help desk to create a way to ask the right questions and track the information effectively for your risk management plan will pay off in spades.
Other sources - Consider other parts of your organization or business that may not be an obvious source of risk information but that could provide valuable insights, such as training groups, implementation teams, eco-system managers and others who are part of the front lines in dealing with customers and stakeholders.
Once you’ve identified sources of information, here a few examples of effective techniques you can use to identify risks:
SWOT analysis: SWOT stands for Strengths, Weaknesses, Opportunities, and Threats. This involves identifying internal and external factors that may affect the project.
Delphi Technique: This is an anonymous method in which a group of experts independently provides their opinions on potential risks. The results are then aggregated and used to identify the most significant risks.
Root Cause analysis: This technique involves analyzing the cause of past failures or incidents to identify potential risks in the future.
Surveys and other online channels: Using feedback tools such as surveys and other channels (such as issue trackers) is a great way to collect feedback. These data-driven approaches help you to create a baseline of information to compare to as you work through managing risks. As online sources, they can be easily tracked and managed.
Checklists: Along with surveys, checklists create easy ways to track data. This is a simple approach in which a prepared list of potential risks is reviewed and updated by the project team.
Interviews: Interviews involve speaking with stakeholders and experts to gather their perspectives on potential risks.
Brainstorming: This is a group activity in which team members are encouraged to share their thoughts and ideas about potential risks.
As part of the risk identification process, consider risks related to the technology itself, resources, schedule, budget, quality and marketplace drivers.
In addition, identify potential triggers. Knowing what upstream actions can kick off certain risks can help you reduce them or even avoid them entirely.
2. Analyze risks
Investment expert Naved Abdali said, “it is not a calculated risk if you haven’t calculated it.” So, too, with software project risks. And that is the next step in creating your risk management plan.
Once you have identified your risks, analyze them in terms of their likelihood and potential impact on the project's objectives. This will help prioritize the risks that require the most attention.
Risk analysis can feel like a complicated process. It can be. But it doesn’t have to be. While it’s true that the more informed the risk analysis is, the more effective it is, it’s also true that simple risk analysis can go a long way. Without at least some level of evaluation, however, all the risks just seem like a never-ending and untamable list.
To tame the list, prioritize and size. In other words, evaluate risks for risk rankings and level-of-effort sizing. For each risk on your list, answer these key questions:
How big of a risk is this? (impact/importance)
How likely is it for this risk to materialize? (likelihood)
How big of a job is it to address? (level of effort)
Program Evaluation and Review Technique (or PERT estimation)is a particularly effective tool for risk management. This approach estimates task duration with best case, most likely case, and worst case scenarios. PERT calculations can help both size and estimate potential risks as well as potential solutions to the risks. See our article on PERT estimation for more on this valuable technique.
3. Develop a response
Based on your understanding of identified risks, potential triggers, and your risk analysis, develop an appropriate response strategy for each risk. This may include risk prevention, risk reduction, or risk transfer:
Risk prevention - create a response that prevents the risk from becoming reality. An example of risk prevention includes conducting thorough testing and quality assurance processes to identify and fix defects early.
Risk reduction - a response that may not solve the problem or remove the risk entirely, but serves to reduce the possibility and mitigate the overall risk. For example, using modular design and architecture to make a system more resilient reduces the risk of unexpected impacts and changes. In this approach, if a change needs to be made in one module, the risk of affecting another part of the system is reduced through the modular design itself.
Risk transfer - a response that shifts the risk. Outsourcing certain components or tasks to third-party vendors or contractors to transfer the risk associated with certain tasks is an example of risk transfer. For instance, cloud solutions take advantage of outsourcing the hosting and maintenance of a web application to a hosting provider, which assumes the responsibility for maintaining the servers and network infrastructure.
By using a combination of these risk management techniques in your plan, you can calibrate your efforts according to the most workable approach.
Another key technique in any risk management plan is to create contingencies. Not every risk can be entirely avoided all the time. Creating “plan b” contingency plans for identified risks is a powerful way to control risks and avoid a worst-case scenario.
4. Create a risk register
Your risk management plan should include something called a risk register. This is a way to track your risks.
Risk registers can take a variety of forms. Here’s an example of a simple risk management register (with limited and simplified data):
Note: Your risk rating can be calculated using a standardized method, such as multiplying the impacting and likelihood or using a risk matrix. The PERT estimate is the estimated time added to the project timeline to address the risk. The risk owner is responsible for monitoring and managing the identified risk.
Communicate the plan
A plan can only come to the rescue if everyone knows their part and how to implement it. So communicate it.
For your communication to be effective, the buck has to stop somewhere for each and every risk. That means the risk plan should identify risk “owners.” This ensures project team members understand their roles and responsibilities in the event of an issue materializing. In fact, risk owners can be tasked with the details of risk mitigation and contingency plans.
Provide a timely response
Once you equip your plan with a solid set of responses, be prepared to implement them as quickly as possible to minimize the potential impact of an issue. Just as a ship gets farther off course the longer it’s left unchecked, it’s easier to undertake project course correction sooner rather than later if challenges do arise.
Monitor, review, improve, and repeat
Risks are rarely static and your plan shouldn't be either. You should monitor your plan to ensure that it remains effective and relevant. This includes updating the plan as the project progresses and new risks are identified.
NSS scientist Bruce Pitman stressed the importance of up-to-date risk management plans, stating, “Keeping the risk management plan up to date can transform it from a door stop into a vital project management tool. Remember: what you don't know can kill your project.” A bit dark, perhaps, but wise words.
Review and evaluate your plan for ways to improve it to make sure it is both effective and adaptable to changing a project environment. Update lessons learned on your risk register so that they can be passed on to future projects and project teams. Parlay successful risk management into future success!
Take calculated risks - and manage them well. DevStride can help.
Creating an effective risk management plan equips you to be successful. So get out there and take risks - armed with ways to manage them for better decisions and brilliant results. And DevStride is here to help.
DevStride is a modern project and portfolio management tool purpose-built to reduce the stress factor and make managing projects - successful. A refreshingly easy-to-use tool, DevStride provides the robustness and insight project leaders need and support that teams love.
Here are just a few ways you can use DevStride to help you truly manage risk:
Workstream mapping to strategic goals and objectives - ensures work is focused on the right projects and is aligned with goals.
Collaborative workspaces - DevStride promotes communication through common workspaces, breaking silos and promoting cohesion. Create and collaborate, keep your risk management plan up-to-date for everyone in one place.
Custom fields and tags - DevStride’s flexible custom fields and tags allows team members to track risks, bugs, ratings, priorities and any other relevant information, providing an easy way to search, sort, and report on any data, any time.
Filtering and reporting - is multidimensional on all data, instantly.
Stack ranking - makes priorities clear and easy to manage.
PERT (Program Evaluation and Review Technique) feature - for planning and controlling projects using a three point estimation calculation.
Workflow automations - make use of customizable, event and criteria-based triggers to notify owners, promote task management, and stay informed.
Notifications - keep work moving, information available, relevant, and up-to-the second regarding changes, communications, and issue management.
Filters and reporting provide real time visibility on all projects and across projects and teams, organization-wide.
Visual indicators display throughout the tool for easy information at-a-glance, including priorities, completion rates, and status.
Work in Progress (WIP) limiters - manage the risk of task overload and potential delays.
Rich Analytics - DevStride analytics are a powerful and effective way to identify potential issues before they become problems. Beyond raw data, DevStride provides insights to make the kind of informed decisions leaders and teams need to manage risks.
Reach out today - we are here for you
If you need access to a modern project management tool that can help you plan and control projects, then schedule an introductory call with us today.
Our integrated work management platform provides teams with superior visibility and alignment. Understand the true state of the work, even as priorities shift.
By using DevStride’s platform, you can gain a holistic view of your projects and initiatives, enabling you to deliver successful projects and improve the overall performance of your organization.
We’ll show you exactly how DevStride can help your teams manage exceptional project and product delivery. For projects big and small, DevStride is here for you!