Risk management is the process of determining everything that could go wrong throughout a project life cycle.
By preparing ourselves for possible hiccups, we can strategize viable solutions and stop small problems from becoming dire.
We’ve already talked about a risk management plan, and what goes into making one. But if you’re an experiential learner like I am, you’ll find it helpful to hear from some experts in the field who have had to mitigate their own risks.
In this article, we’ll cover specific risk management plan examples provided by professionals in a variety of industries.
Risk management plan example
It’s not easy to predict what could happen. We’re more inclined to take things one day at a time and course-correct after things have gone completely awry.
As a project manager, team lead, or executive stakeholder, you’ll see greater success if you work to mitigate and reduce risks before they affect your company’s bottom line.
The following anecdotes should give you an idea of what it looks like to take risk seriously.
I’m a risk advisor for LandesBlosch where I help companies of all sizes create risk management plans and control their losses through the four risk management measures: avoid, control, accept, and transfer.
One of the most significant risks companies face today is the threat of a cyber attack or data breach. When we create a risk management plan for a client, the first thing we do is analyze that client's digital infrastructure and then explore ways we can avoid, control, or transfer the risk.
For example, to avoid potential damage from a data breach, a company could choose to avoid storing sensitive data on their computer systems. To control or mitigate a cyber attack, a company could increase its technical controls and network oversight. To transfer the risk, a company could purchase an insurance policy.
After determining where vulnerabilities exist and developing a risk management plan, companies can implement strategies to minimize risk.
Running online controlled experiments is the ultimate risk mitigation strategy. It's difficult to A/B test large strategic decisions, but I've learned that in the vast majority of cases, it's possible to run a rigorous business experiment to mitigate any potential downside to what you're thinking about rolling out.
This is obviously true in the case of product features, marketing campaigns, and website elements, but it can be true in the broader sense of how you go to market, what your sales cadence looks like, and even how you goal and incentivize employees.
I'd lean in on experiments in most cases, particularly when there is uncertainty (hint: there's always uncertainty) and when it is indeed possible to collect sufficient data and certainty through running an experiment to make a more informed decision.
In my company, the core of our risk management strategy is to have the fewest possible links in the chain. That means that access to sensitive information and core tools for our business should be limited to the fewest possible team members.
Here's an example: the majority of my business is done through websites built through WordPress. In order to minimize our risk of being hacked and having our sites hijacked or injected with malware, I limit the number of users with access to these sites to myself, one editor, one designer, and one coder.
This ensures that there are the fewest possible users that can be phished or brute-forced, limiting our vulnerability. Essentially, my risk management strategy involves keeping as many aspects of my business as possible on a need-to-know basis.
I’ve been managing lots of projects in the IT industry. Risks are inevitable in our sector.
The IT industry is quite specific as there are a lot of things that can go wrong. Trends change on a daily basis, which can affect our timelines, finances and resources. In my work, I focus on two risk management strategies: risk avoidance and risk reduction.
These aren’t always achievable, but I utilize them as much as possible. Here’s what the process looks like:
I always assign at least one person to continuously follow the changes in the industry, team progress, resources that we have - anything that can affect our work significantly. In this step, it’s important not just to acknowledge things, but also to think a few steps ahead. The ability to predict risks even before they occur is essential.
In case something unpredictable happens, I always spend some time analyzing potential effects on the company before I move to concrete steps. In what ways does a new situation affect us? What can we do to reduce the consequences? How can we solve the issue effectively?
Taking damage control steps
As I mentioned, avoiding unplanned situations isn’t always possible. However, a good risk prediction and reduction strategy can significantly lower the consequences. In this phase, it’s important to take concrete steps as quickly as possible. Sometimes stalling things can cause a lot of damage to the process.
Anderson Technologies is a managed services provider in St. Louis, Missouri. We encounter risk management both in our own company and in those of our clients whose work puts them in regular contact with ePHI.
For this reason, we have to take great care when maintaining HIPAA compliance and developing risk management plans for internal use as well as for our clients.
One of the crucial parts of risk management is determining the priority of the risk. This is a team effort! One person defines all the risks that may affect our company, another analyzes what it would take to mitigate each risk. We then determine if the cost and risk level makes an individual risk worth mitigating, transferring, or accepting, or whether it would be better to eliminate the problem risk altogether.
Eventually everyone has to come together and prioritize all the risks by likelihood and level of impact, and decide that this risk is worth the investment to mitigate and that one, with low likelihood and low impact if triggered, is a reasonably acceptable risk because resources are better spent on higher risk problems.
Risk management is one of the deepest areas in project management, and the longer the project, the more complicated it gets. Normally you work with a risk register, a document any solid project must have.
The document is a list of risks usually ranked by severity/probability. A good project manager normally has 5-10 risks covered in the risk register, along with responses (actions that should be taken in case the risk happens).
Basically, a risk register consists of:
Known knowns: things we know that we know
Known unknowns: things that we know, but forgot
Unknown unknowns: things that exist but we don’t know about them
Risk means uncertainty. What sort of risks the project may be subjected to depends on what the project is about. Projects that deliver products have associated risks also.
For example, consider three different products: an anti-locking braking system (ABS), a disk delivered gaming software, and an online game that does not require personal information. These three products have different associated risks.
Failures of an ABS system can cause bodily harm. Even if the ABS doesn’t have a hard failure that results in bodily harm, returns of products and replacement of the product in the field are quite costly, or they can be. Therefore the risks associated with this are likely high.
The delivered game has material associated with the product delivery, but if the product fails, nobody gets hurt. The last instance of the online software product that has no access to your personal information is the least risky. There are no material consequences, and the software is on a server that can be easily updated.
Tolerance to risk and therefore risk response is situation dependent. Risk has two components:
Probability: the chances of the thing we identify as a risk coming to pass
Severity: how bad the consequences will be should the event come to pass
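The risk register described earlier (a list of risks ranked by severity and probability, each with a planned response) and the two-component view of risk above can be put into a few lines of code. The following is an added example written for this article, not code from any of the contributors quoted; the 1-to-5 scoring scale, the register entries, and the review threshold are constructed for illustration. It ranks entries by probability times severity and flags high-scoring risks that are merely accepted or have no actions attached, which is the kind of gap a prioritization meeting like the one described above would catch.

```python
"""Added example: a minimal risk register ranked by probability x severity.
Responses follow the four measures named in the article: avoid, control,
accept, transfer. The 1..5 scales and the sample entries are assumptions
made for this illustration, not values from the article."""
from dataclasses import dataclass, field

RESPONSES = {"avoid", "control", "accept", "transfer"}


@dataclass
class Risk:
    rid: str
    description: str
    probability: int              # 1 (rare) .. 5 (almost certain); assumed scale
    severity: int                 # 1 (negligible) .. 5 (catastrophic); assumed scale
    response: str                 # one of RESPONSES
    actions: list = field(default_factory=list)  # concrete steps if the risk happens

    def __post_init__(self):
        # Reject entries that would silently distort the ranking.
        if not (1 <= self.probability <= 5 and 1 <= self.severity <= 5):
            raise ValueError(f"{self.rid}: probability and severity must be 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.rid}: unknown response {self.response!r}")

    @property
    def score(self) -> int:
        # Risk has two components; the product is the usual ranking key.
        return self.probability * self.severity


def rank(register):
    """Highest score first; ties broken by severity (worse outcome first), then id."""
    return sorted(register, key=lambda r: (-r.score, -r.severity, r.rid))


def find_gaps(register, threshold=12):
    """Ids of risks at or above the threshold that are only 'accepted' or have no
    planned actions. Accepting a high-scoring risk needs an explicit justification,
    so these are the entries a review should question."""
    return [
        r.rid for r in register
        if r.score >= threshold and (r.response == "accept" or not r.actions)
    ]


# Constructed sample register (hypothetical entries for this example).
SAMPLE_REGISTER = [
    Risk("R1", "Data breach of customer records", 3, 5, "control",
         ["MFA on admin accounts", "encrypt data at rest"]),
    Risk("R2", "Website compromised via stale admin account", 4, 4, "control",
         ["quarterly user review", "remove unused accounts"]),
    Risk("R3", "Ransomware outage exceeds recovery capacity", 2, 5, "transfer",
         ["cyber insurance policy"]),
    Risk("R4", "Optimistic duration estimates slip release date", 4, 2, "accept"),
    Risk("R5", "Storing card data in-house", 3, 5, "avoid",
         ["use a payment processor; never store card numbers"]),
    Risk("R6", "Unpatched website plugin", 4, 4, "accept"),
]


def format_register(register):
    """Render the ranked register as plain text lines for a status report."""
    lines = []
    for r in rank(register):
        lines.append(f"{r.rid} score={r.score:2d} p={r.probability} s={r.severity} "
                     f"{r.response:<8} {r.description}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_register(SAMPLE_REGISTER)))
    print("needs review:", find_gaps(SAMPLE_REGISTER))
```

Run as a script it prints the ranked register and reports R6 as needing review: it scores as high as the top entry but has been accepted with no actions, which is exactly the case the article says should be argued out by the whole team rather than left to one person.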
Independent Project Management Consultant and blogger at PM by PM
A Project Risk Management Plan is a plan of plans. It documents a plan for all the risk management activities in a project.
It includes many things, not limited to:
A list of risk management activities
Responsible persons for identifying, prioritizing, mitigating, and controlling risks
Time and budget allocated for risk management activities
There is a misconception that a Risk Management Plan is a plan for mitigating individual project risks. It is not a plan to mitigate or respond to individual risks. It has a much wider scope, as described.
Here is a small list of the specific risks that I have seen in various projects.
Poor understanding of customer requirements
Optimistic duration estimations
Inadequate training and/or skills with project management software
The purpose of a risk management plan is to develop solutions for problems before they’re in front of you. Being proactive and doing things well the first time around will save your company loads, as correcting mistakes is costly in more ways than one.
Discover whether a project is a good idea for your company right now by learning how to conduct a feasibility study.
Grace Pinegar is a lifelong storyteller with an extensive background in various forms such as acting, journalism, improv, research, and content marketing. She was raised in Texas, educated in Missouri, worked in Chicago, and is now a proud New Yorker. (she/her/hers)