Project Risk Analysis

Consulting firm The Right Door Consulting & Solutions occasionally publishes white papers written by their consultants. A couple of white papers I wrote were included in their collection and distributed at a recent government management conference. The following is one of these. (The version distributed at the conference is available here.)

Don’t Miss Out on a Valuable Management Tool

If you fill out a “project risk register” only because it is required by some governance process, you’re missing a powerful investment analysis and planning tool and missing the chance to

  • Choose among different project approaches with different risk profiles;
  • See at a glance which risks you should be most worried about;
  • Choose what to do about risks, and calculate the ROI of alternative mitigations;
  • Invest in readiness to react effectively if things do go wrong.

Make a list of risks to your project and estimate the probability and impact of each. In your risk analysis, pay attention to these points:

  • Be sure you analyse probability and impact independently. Impact, especially if lives are affected, can be so emotive that it tends to affect assessment of probability. I’ve seen risks that are very unlikely, but would result in death, listed as “medium” or “high” probability. Yes, if the thing happens, it would be really bad. But that should not change your assessment of its probability, or you will overreact and poorly distribute resources.
  • Quantify your probability and impact ratings using historical data and research. This avoids subjective debates and allows you to budget and calculate ROI on mitigations.
    • E.g. A risk with $1M impact and 20% probability has an expected cost of $1M x 20% = $200K. Compare the cost and effect of proposed mitigations to the expected cost of the mitigated risk. Is the mitigation worth it?

Analysing possible mitigations is an important part of the risk analysis process — indeed it’s the point of the process. Consider:

  • Many mitigation plans I have seen focus only on reducing the probability of risks, and often miss addressing impact. Seek mitigations for both.
    • For example, consider protecting a building from fire. Using fireproof materials would mitigate the probability of a fire, while using sprinklers would mitigate the impact. Some things, such as early smoke detection equipment, could be argued to do both.
  • Re-chart what your risks would look like if the proposed mitigations were applied. Make sure that every table and chart is clearly labeled “unmitigated” or “mitigated”.
  • Good mitigation is rarely free. Fund it — risk mitigation is part of the cost of the project.
    • In the above example, fireproof building materials are probably much more expensive than sprinklers. But sprinklers don’t trigger until there is a fire, so choosing them is a decision to accept a certain amount of damage, which will also have a cost. Include all these costs in your analysis.
  • Mitigation will probably not reduce risk to zero. What remains, “residual risk”, should be accepted by an authorized person as part of deciding on that risk management plan.

If there are several project implementation options, risk-analyse and compare the costs and residual risks of each alternative. This information will help you choose the best approach.

Identify and analyse multiple possible mitigations for each risk. Choose those that give a positive return, i.e. those that cost less than the reduction in residual risk cost they generate.

For example, imagine we’re considering implementing an AI-backed Chatbot to interact with clients on our web site. We might identify the following risks.

  #   Risk                                                 Unmitigated Probability   Unmitigated Impact
  1   Lack of skilled resources                            Medium                    High
  2   Lost opportunities to redirect or upsell             Medium                    Low
  3   Client upset when they learn they’re talking to AI   Medium                    Medium
  4   Chatbot gives wrong or embarrassing replies          Low                       High

These can be clearly compared on a “heat map” chart. Simple coloured cells in a 3×3 or 5×5 matrix are usually good enough for our purposes. What to worry about (and what not to) stands out clearly.

In this example, we clearly need to address Risk #1, and can ignore Risk #2. Risks #3 and #4 need analysis and consideration, and you might or might not choose to address them depending on time and resources.

Next, identify how we could reduce the selected risks and what the resulting mitigated risks would look like.

  #   Unmitigated Probability   Unmitigated Impact   Mitigation                                          Mitigated Probability   Mitigated Impact
  1   Med                       Hi                   Set up contracting supply arrangement               Low                     Hi
  2   Med                       Low                  Program chatbot to collect follow-up contact info   Low                     Low
  3   Med                       Med                  Chatbot clearly self-identifies, offers human       Med                     Low
  4   Low                       Hi                   5-second delay, human review in “probation period”  Lower                   Hi
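As an added example (not part of the white paper), here is a small Python risk register that turns the method above into working code: expected cost as probability × impact (the $1M × 20% = $200K case), the return-on-investment test for each candidate mitigation, acceptance of residual risk where no mitigation pays off, and Low/Medium/High bucketing for a 3×3 heat map. The chatbot risks loosely mirror the paper's four, but every probability, dollar impact, mitigation cost and rating threshold is constructed for illustration; the `PROB_BANDS` and `IMPACT_BANDS` thresholds in particular are assumptions, not figures from the paper.

```python
"""Quantified risk register: expected cost, mitigation ROI, residual risk, heat-map cells.

Added example, not from the white paper. Every risk, probability, dollar figure,
mitigation and threshold below is a constructed illustration of the method.
"""
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    name: str
    cost: float          # cost of applying the mitigation
    probability: float   # residual probability once applied (0..1)
    impact: float        # residual impact in dollars once applied


@dataclass
class Risk:
    ident: int
    name: str
    probability: float   # assessed independently of impact, 0..1
    impact: float        # dollar cost if the risk materialises
    mitigations: list[Mitigation] = field(default_factory=list)


def expected_cost(probability: float, impact: float) -> float:
    """Expected cost of a risk: probability x impact."""
    return probability * impact


def mitigation_return(risk: Risk, m: Mitigation) -> float:
    """Net return of a mitigation: expected-cost reduction minus its own cost.
    Negative means the mitigation costs more than the risk it removes."""
    reduction = expected_cost(risk.probability, risk.impact) - expected_cost(m.probability, m.impact)
    return reduction - m.cost


def best_mitigation(risk: Risk):
    """Mitigation with the highest positive return, or None to accept the risk as-is."""
    worthwhile = [(mitigation_return(risk, m), m) for m in risk.mitigations]
    worthwhile = [(ret, m) for ret, m in worthwhile if ret > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda pair: pair[0])[1]


# Constructed (assumed) bands for a 3x3 heat map: below first -> Low, below second -> Medium, else High.
PROB_BANDS = (0.2, 0.5)
IMPACT_BANDS = (50_000, 250_000)


def rating(value: float, thresholds: tuple[float, float]) -> str:
    """Bucket a probability or dollar impact into Low/Medium/High."""
    low, high = thresholds
    if value < low:
        return "Low"
    if value < high:
        return "Medium"
    return "High"


def heat_map_cell(probability: float, impact: float) -> tuple[str, str]:
    return rating(probability, PROB_BANDS), rating(impact, IMPACT_BANDS)


def plan(risks: list[Risk]) -> dict:
    """Apply the best-returning mitigation to each risk and total the portfolio.
    Each row carries the unmitigated and mitigated heat-map cells, so a chart built
    from it can be labelled clearly as one or the other."""
    rows, total_unmit, total_spend, total_resid = [], 0.0, 0.0, 0.0
    for r in risks:
        unmit = expected_cost(r.probability, r.impact)
        m = best_mitigation(r)
        if m is None:   # residual risk accepted as-is
            resid_p, resid_i, spend = r.probability, r.impact, 0.0
        else:
            resid_p, resid_i, spend = m.probability, m.impact, m.cost
        resid = expected_cost(resid_p, resid_i)
        rows.append({
            "id": r.ident, "risk": r.name,
            "unmitigated": heat_map_cell(r.probability, r.impact),
            "mitigation": m.name if m else "accept",
            "mitigated": heat_map_cell(resid_p, resid_i),
            "expected_cost": unmit, "residual_cost": resid, "spend": spend,
        })
        total_unmit += unmit
        total_spend += spend
        total_resid += resid
    return {"rows": rows, "unmitigated": total_unmit, "spend": total_spend,
            "residual": total_resid, "net_benefit": total_unmit - total_resid - total_spend}


# Constructed chatbot-project register (all figures illustrative).
CHATBOT_RISKS = [
    Risk(1, "Lack of skilled resources", 0.4, 500_000,
         [Mitigation("Contracting supply arrangement", 30_000, 0.1, 500_000)]),
    Risk(2, "Lost upsell opportunities", 0.4, 20_000,
         [Mitigation("Collect follow-up contact info", 15_000, 0.1, 20_000)]),
    Risk(3, "Client upset to learn it is AI", 0.3, 100_000,
         [Mitigation("Self-identify, offer human", 8_000, 0.3, 20_000)]),
    Risk(4, "Wrong or embarrassing replies", 0.1, 800_000,
         [Mitigation("5-second reply delay", 5_000, 0.08, 800_000),
          Mitigation("Human review in probation period", 25_000, 0.03, 800_000)]),
]

if __name__ == "__main__":
    result = plan(CHATBOT_RISKS)
    for row in result["rows"]:
        print(f"#{row['id']} {row['risk']:<32} {row['unmitigated']} -> {row['mitigation']:<34} "
              f"-> {row['mitigated']}  EC ${row['expected_cost']:,.0f} -> ${row['residual_cost']:,.0f}")
    print(f"Portfolio: unmitigated ${result['unmitigated']:,.0f}, spend ${result['spend']:,.0f}, "
          f"residual ${result['residual']:,.0f}, net benefit ${result['net_benefit']:,.0f}")
```

With these constructed numbers Risk #2's only mitigation costs $15K to save $6K of expected cost, so the register marks it "accept", which is the same conclusion the paper reaches by eye from the heat map; Risk #4 gets the human-review option because it returns more than the cheaper delay. The point of coding it is that the same register answers "is this mitigation worth it?" for every alternative at once, and can be re-run when an estimate changes.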

This kind of risk analysis is relatively simple yet is a powerful management and communication tool. Do it because it helps you, not merely to comply with some rule.

IT Funding Models

Consulting firm The Right Door Consulting & Solutions occasionally publishes white papers written by their consultants. A couple of white papers I wrote were included in their collection and distributed at a recent government management conference. The following is the long version of one of these. (The formatted versions are available here: the short version that was handed out, and the longer version reproduced below.)

Use the right mix of funding options for your IT organization

Many years ago, I inherited an IT organization with a funding problem: they were coming to the end of a multi-year, but temporary, allocation of funding. Unfortunately, this temporary funding had been used to enter into ongoing liabilities, such as enterprise software licensing and hiring indeterminate staff. (Hint: don’t do this.) This prompted us to consider the various ways that mandatory and optional services could be funded in an organization, and how to allocate available funding in the most effective and justifiable way.

It is worth thinking about how your IT organization is funded. There are probably options you haven’t considered, and a mix of funding models can improve your financial stability, your client satisfaction, and the quality of your portfolio management.


Most IT organizations have a dedicated budget – a fixed portion of their organization’s overall permanent budget. This is a form of internal taxation: allocating a department’s budget is a zero-sum game, so the “tax” is funding that the organization allocated to the IT group instead of to other branches. It would be the same as if the IT group had no budget of its own, but then all the other branches in the department had a mandatory tax clawed out of their budgets and given to the IT group.

Thinking about a dedicated branch budget as a tax is useful, as it prompts us to ask how the tax is allocated (i.e. who didn’t get the funding that went to IT). Was it allocated according to the number of staff in the other branches, their budget size, or some measure of their IT consumption? Chances are that no such analysis took place – the department simply allocated “the funding IT needs” then allocated the rest to the other branches.

Taxation is a suitable way to fund certain things. First among these is what economics calls “public goods” – services that benefit everyone in a community, not just certain individuals. The classic example is street lighting, which benefits everyone, not just drivers. Many IT services are public goods – email, the telephone system, and cross-enterprise applications such as finance and payroll. All the hidden infrastructure that makes these things possible (e.g. the data centre) is also in this class.

Taxation is a good way to pay for mandatory programs, especially those that are unpopular or invisible, and is an appropriate way to pass on costs that you are receiving, from suppliers, as tax – for example, enterprise-wide software licensing.

However, there are disadvantages to a taxation model. The most obvious is that tax is unfair to non-beneficiaries. If an IT system is built and operated for the exclusive benefit of one branch in a department, making all the branches share in the cost will seem unfair.

Tax also discourages resource conservation, promoting waste. We have all known (or been) an apartment dweller who said, “Why turn the lights off? Power is included in the rent.” If IT clients pay a fixed amount for a service, whether they use it or not, there is no incentive to be thoughtful about what resources they consume. Frivolous and wasteful network usage is a common symptom of this problem. “If I pay a fixed amount for the network, whether I use it or not, why not stream ‘Dancing with the Stars’?”

Tax is also not very agile. Because it is hard to quickly add funding and the staff to spend it if additional services are urgently needed, and hard to quickly release funding if there is surplus, taxation promotes large, long-term enterprise projects. Not that that is a bad thing – but it doesn’t encourage or facilitate short-term quick wins.

Finally, a tax-funded organization should be prepared for intense scrutiny from their taxed base. Clients will want to know where their money is going and that they are getting good value. A tax-funded organization needs good bookkeeping, reporting, and transparency.


Cost-recovery is the other extreme on the scale. For example, look at the IT Consulting industry: you pay a well-defined rate for consultants, who will do exactly what you pay for and nothing more. You don’t get work you didn’t pay for, and you don’t pay for work you didn’t get.

This model can be applied to an internal IT organization. In its pure form, the IT organization would have no base budget, and would bill client branches for the total cost of all the work they do. Clients would pay the total cost of new projects done for their benefit and would pay a share of the cost of consumable services (e.g. network) based on usage.

The advantage of cost recovery is that it promotes better-informed business decisions. Client branches get what they are willing to pay for, and they are fully aware of the price of their decisions.[1] Cost recovery also encourages conservation, since clients will use only what they are willing to pay for, which usually translates into using only what brings positive value.

[1] I heard an IT group say, “if we charge the client the full cost of the service, including the ongoing operating cost, they might decide it’s too expensive and not go ahead”. To which I would respond, “Good! If they can’t afford it, they shouldn’t go ahead. If you can’t afford the car insurance, you can’t afford the car.”

There are also disadvantages to a pure cost-recovery model. On the other side of the above coin, cost-recovery might discourage experimentation and automation, since the innovator knows they’ll have to pay for the new service. Such concerns are often misinformed, as automation is often cheaper than the manual process it replaces, but the bill for automation is overt, while the cost of manual processes is distributed and hidden, and thus often overlooked and mis-labeled as “free”.

In a cost recovery system, we must prorate shared infrastructure and services. It wouldn’t be fair to bill the cost of a new data centre to the next client whose application request caused us to build one. We need to calculate the cost of the shared foundation and determine a fair way to add a share of it to each client’s bill.

This billing for “total cost” tends to make clients think that our costs are too high. They compare our proposed price for a new application to the number they saw on a software box at Best Buy, or how long their co-op student says it would take to build. They aren’t taking into account the data centre, network, foundation software, help line, power systems, operations staff overtime, etc.

Cost recovery also implies that the services in question are optional. If there is a bill for the service then, surely, I can say “no thanks” and choose not to purchase it. Cost recovery is a poor way to fund mandatory services. “Thanks, but I’ll just take the web application, not the IT Security option.”

Staffing a cost-recovered IT organization is difficult. Clients expect to be able to have anything they are willing to pay for, but this requires that there be staff available to do the work. Does the IT group staff for the demand peaks or the demand lows? How does it pay staff during periods of low demand, or have enough workers available during peaks?

Cost recovery also implies that the IT organization is just a competitive supplier – that the client can “price shop” and go elsewhere for their services. This is probably not allowed – IT is, in fact, a cost-recovering monopoly. Those are usually unpopular.

Finally, there is a cost for cost recovery. We need a billing system, cost transfer transactions, debt collectors, and additional budget planning and complexity. We need to include the cost of cost recovery in the cost we recover, and we need to be careful that we don’t simply transfer the burden of cost recovery to our internal finance group. We must set the system in place in partnership with them, making sure that the budgeting transaction size and period are set appropriately.


As you might expect, we can get some of the advantages and avoid some of the disadvantages of both models by combining them: pay for foundation and enterprise-wide services with tax, and cost-recover services provided to specific clients.

For example, we could tax-fund the data centre, network, help line, storage, and database and application server layers, as well as enterprise-wide applications such as payroll, finance, and email, and then cost-recover development and operation of services for specific clients.

We can also simulate cost recovery without the burden of financial transactions. Stay with a fully tax-funded IT organization, but don’t allocate all of the funded resources. Set aside a sizeable capability and let clients “purchase” work from that capability by spending “IT Bucks” – some kind of token purchasing power that is corporately-calculated and allocated to the client groups. To have the desired effect on business planning, the “IT Bucks” need to be multi-year and transferable, allowing clients to save, conserve, and barter with them.

Example: Shadow IT and the Gold Standard

Any time resources or funding prevents the IT group from doing everything clients want, “shadow IT” may pop up – clients doing IT themselves because the IT group can’t or won’t. This is often a nightmare for the IT group because of the effect of the non-professionally-done IT on the enterprise environment.

One partner organization that I worked with several years ago took on the issues of shadow IT and IT funding in a single approach. They redefined the IT group’s primary role as deploying and supporting application development capability – from the data centre all the way up the stack to the development environment, programming language, workflow engines, and a set of services such as storage, database, user interface, user management, etc. Those services were well-defined, integrated, managed, secured, and accredited.

The IT group maintained a small cadre of business application developers available, on a cost-recovered basis, to build applications upon those services — not enough for all demand, but a number that was sustainable even in the low-demand seasons. Anyone else — client organizations, students, contractors — was also allowed to develop their own applications as long as they used those services and only those services.

Foundation services were pre-approved architecturally and accredited for security, and end-user branches were not allowed to build or use competing foundation services, or to omit mandatory ones such as security audit. An application built on pre-approved services with pre-approved tools was automatically approved for operation, including accreditation.

Clients with funds and no people would buy application development from IT, while clients with skilled people might prefer to build their own applications. The foundation was centrally-supported, while client-built applications were supported by the client, or support by IT could be negotiated and purchased in long-term deals.


The process for allocating funding for your IT organization is an important consideration, and can affect how projects are selected and prioritized, and what business decisions clients make. Funding models deserve attention, and even occasional re-consideration.