This week I thought we’d take a look at what I believe to be the seven biggest mistakes related to dealing with risk (and opportunities):
1. Ignoring it – this is the biggest mistake of all – if you do not have a process to anticipate and manage risk properly then something unexpected can cause delays, overspend or worse. There are five simple steps: Identification, Assessment, Design Response, Implement Response, Review (and adapt); ignore them at your peril.
2. Not engaging with key stakeholders – this is a recipe for missing critical risks and/or opportunities – you need a broad and balanced contribution from all quarters to ensure adequate coverage
3. Doing it only once – things change and you need to be responsive to emerging risks and opportunities in addition to pruning those that are no longer relevant. This ensures that resources remain properly focused.
4. Not monitoring risk response effectiveness – it is essential that the response be confirmed as effective both in terms of outcome and ongoing ROI; if not, you must adapt. To do this it follows that success criteria must be both measurable and agreed in advance.
5. Inappropriate scoring system – the scoring system needs to fit the scope and stakeholder needs across a multiplicity of domains. If not, then it will be difficult to prioritise the risk responses; and that’s the whole point. Additionally, there should be agreed thresholds that enforce specific levels of response [eg. do something within 24 hours].
6. Inappropriate responses – it is easy to get carried away and devise elaborate risk responses that cannot be justified (eg. cost more to implement than they actually mitigate). Of course, this has to be balanced with the SFAIRP [so far as is reasonably practicable] requirement related to HSE [health, safety and environment] risk and, also, other contextual drivers. You need to understand the return on investment [ROI].
7. Confusing the risk response with the risk contingency – risk responses need to be added to the scope and managed as parts of the overall project/program; just like any other activity. The purpose of the contingency is to be able to respond to the residual risk and emerging risks/opportunities.
8. [bonus] Analysis paralysis – it is important not to get bogged down in the process of scoring; you are just trying to get a handle on the priority of the response. The old 80:20 rule prevails and it’s always the risks that you have missed altogether that bite the hardest. Spending time reviewing risk and implementing some kind of response is the biggest contributor to success.