Project Risk Analysis

Consulting firm The Right Door Consulting & Solutions occasionally publishes white papers written by their consultants. A couple of white papers I wrote were included in their collection and distributed at a recent government management conference. The following is one of these. (The version distributed at the conference is available here.)

Don’t Miss Out on a Valuable Management Tool

If you fill out a “project risk register” only because it is required by some governance process, you’re missing a powerful investment analysis and planning tool, and with it the chance to:

  • Choose among different project approaches with different risk profiles;
  • See at a glance which risks you should be most worried about;
  • Choose what to do about risks, and calculate the ROI of alternative mitigations;
  • Invest in readiness to react effectively if things do go wrong.

Make a list of risks to your project and estimate the probability and impact of each. In your risk analysis, pay attention to these points:

  • Be sure you analyse probability and impact independently. Impact, especially if lives are affected, can be so emotive that it tends to affect assessment of probability. I’ve seen risks that are very unlikely, but would result in death, listed as “medium” or “high” probability. Yes, if the thing happens, it would be really bad. But that should not change your assessment of its probability, or you will overreact and poorly distribute resources.
  • Quantify your probability and impact ratings using historical data and research. This avoids subjective debates and allows you to budget and calculate ROI on mitigations.
    • E.g. A risk with $1M impact and 20% probability has an expected cost of $1M x 20% = $200K. Compare the cost and effect of proposed mitigations to the expected cost of the mitigated risk. Is the mitigation worth it?

Analysing possible mitigations is an important part of the risk analysis process — indeed it’s the point of the process. Consider:

  • Many mitigation plans I have seen focus only on reducing the probability of risks, and often miss addressing impact. Seek mitigations for both.
    • For example, consider protecting a building from fire. Using fireproof materials would mitigate the probability of a fire, while using sprinklers would mitigate the impact. Some things, such as early smoke detection equipment, could be argued to do both.
  • Re-chart what your risks would look like if the proposed mitigations were applied. Make sure that every table and chart is clearly labeled “unmitigated” or “mitigated”.
  • Good mitigation is rarely free. Fund it — risk mitigation is part of the cost of the project.
    • In the above example, fireproof building materials are probably much more expensive than sprinklers. But sprinklers don’t trigger until there is a fire, so choosing them is a decision to accept a certain amount of damage, which will also have a cost. Include all these costs in your analysis.
  • Mitigation will probably not reduce risk to zero. What remains, “residual risk”, should be accepted by an authorized person as part of deciding on that risk management plan.

If there are several project implementation options, risk-analyse and compare the costs and residual risks of each alternative. This information will help you choose the best approach.

Identify and analyse multiple possible mitigations for each risk. Choose those that give a positive return by costing less than the reduction in residual risk cost they generate.
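The positive-return rule above, worked through as an added example that is not part of the original white paper. It reuses the paper's $1M x 20% risk and its two fire mitigations; every cost and mitigated rating is constructed for illustration, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float          # cost of putting the mitigation in place
    prob_after: float    # probability once the mitigation is applied
    impact_after: float  # impact (dollars) once the mitigation is applied

@dataclass(frozen=True)
class Risk:
    name: str
    prob: float          # unmitigated probability, 0..1
    impact: float        # unmitigated impact in dollars
    options: tuple = ()  # candidate mitigations

    def expected_cost(self):
        return self.prob * self.impact

def net_benefit(risk, m):
    """Reduction in expected cost bought by m, minus what m costs."""
    return risk.expected_cost() - m.prob_after * m.impact_after - m.cost

def best_mitigation(risk):
    """Highest positive-return option, or None when accepting the risk is cheaper."""
    best = max(risk.options, key=lambda m: net_benefit(risk, m), default=None)
    return best if best is not None and net_benefit(risk, best) > 0 else None

def plan(register):
    """One row per risk: (name, unmitigated cost, decision, spend, residual cost)."""
    rows = []
    for r in register:
        m = best_mitigation(r)
        residual = m.prob_after * m.impact_after if m else r.expected_cost()
        rows.append((r.name, r.expected_cost(), m.name if m else "accept",
                     m.cost if m else 0.0, residual))
    return rows

# Constructed sample register (all figures are assumptions, not from the paper).
REGISTER = [
    Risk("Building fire", 0.20, 1_000_000, (
        Mitigation("Fireproof materials", 180_000, 0.05, 1_000_000),  # cuts probability
        Mitigation("Sprinklers", 40_000, 0.20, 300_000),              # cuts impact
    )),
    Risk("Minor water leak", 0.10, 50_000, (
        Mitigation("Leak sensors", 10_000, 0.02, 50_000),
    )),
]

if __name__ == "__main__":
    for name, before, decision, spend, residual in plan(REGISTER):
        print(f"{name}: unmitigated ${before:,.0f}, {decision}, "
              f"spend ${spend:,.0f}, residual ${residual:,.0f}")
```

The "accept" row is the case where every candidate mitigation costs more than the risk reduction it buys, so the unmitigated expected cost becomes the residual risk to be signed off.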

For example, imagine we’re considering implementing an AI-backed Chatbot to interact with clients on our web site. We might identify the following risks.

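| # | Risk                                               | Unmitigated Probability | Unmitigated Impact |
|---|----------------------------------------------------|-------------------------|--------------------|
| 1 | Lack of skilled resources                          | Medium                  | High               |
| 2 | Lost opportunities to redirect or upsell           | Medium                  | Low                |
| 3 | Client upset when they learn they’re talking to AI | Medium                  | Medium             |
| 4 | Chatbot gives wrong or embarrassing replies        | Low                     | High               |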

These can be clearly compared on a “heat map” chart. Simple coloured cells in a 3×3 or 5×5 matrix are usually good enough for our purposes. What to worry about (and what not to) stands out clearly.

In this example, we clearly need to address Risk #1, and can ignore Risk #2. Risks #3 and #4 need analysis and consideration, and you might or might not choose to address them depending on time and resources.

Next, identify how we could reduce the selected risks and what the resulting mitigated risks would look like.

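| Risk | Unmitigated Prob | Unmitigated Imp | Mitigation                                           | Mitigated Prob | Mitigated Imp |
|------|------------------|-----------------|------------------------------------------------------|----------------|---------------|
| 1    | Med              | Hi              | Set up contracting supply arrangement                | Low            | Hi            |
| 2    | Med              | Low             | Program chatbot to collect follow-up contact info    | Low            | Low           |
| 3    | Med              | Med             | Chatbot clearly self-identifies, offers human        | Med            | Low           |
| 4    | Low              | Hi              | 5-second delay, human review in “probation period”   | Lower          | Hi            |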

This kind of risk analysis is relatively simple yet is a powerful management and communication tool. Do it because it helps you, not merely to comply with some rule.