Ever been involved in a project that was a high risk, high return project that never got off the ground? Or the high risk project that did get off the ground, briefly. Before it disappeared with much acrimony as the potential risks were realised and the hunt commenced for the guilty?
Opportunities are wasted and investments frittered away through the lack of even the merest attention to risk management. The deficiency of application of risk management principles either sends organisations into paralysis by analysis or riding their luck to whatever consequence fate seems to have in store.
Risk analysis can be complex. However, simple risk analysis is not difficult to carry out and is very effective. It begins unsurprisingly with an analysis of the risks attendant to the desired outcomes of pursuing the opportunity. Analysing these risks, clarity about the desired outcomes is necessary. Sometimes this is a stumbling block with opportunities presenting a range of favourable outcomes.
Whilst it is not mandatory to arrive at a singular outcome, the more outcomes that are considered to be desired, the more difficult it becomes to analyse the risk. As a rule of thumb, have no more than three outcomes to analyse for risk. Desired outcomes need not all be numeric in nature, but it helps if they are.
Having determined the desired outcomes, next complete a brainstorm of all of the things which could go wrong and prevent the opportunity being realised. Ensure that all the possible, not just probable, external and internal events such as poor processes, personnel changes, poor quality, government decisions, competitor actions, supply disruptions and natural events are taken into account.
For each event listed as one of the ‘things which could go wrong’, determine the probability and the impact of event, from high to low, against each of the desired outcomes. The probability of each event occurring is assessed against norms in the organisation, industry, country and geographical region in which the risk analysis is being carried out. The impact is assessed directly against the desired outcomes.
The probability and impact allow the event to be placed in a two by two matrix of low to high probability and low to high impact.
Low probability, low impact events are unlikely to occur often, and even when they do they don’t have a large impact on the desired outcomes. They are best monitored to ensure continued low levels of risk.
High probability, low impact events occur often, but don’t have a high impact associated with them. These events are sometimes called ‘nuisance events’ and are best tackled using a quality improvement program such as Six Sigma.
Low probability, high impact events don’t occur often, but when they do there is a serious impact. Because they don’t occur often, it is sometimes difficult to effectively manage these events to lower levels of probability. These are the events to take insurance against, for example with process failure events by ensuring there are backup processes or capabilities available in case of failure.
High probability, high risk events are identified as having a high probability of failure and a high impact on the desired outcome. These events are prime candidates for urgent re-engineering of processes, procedures, policies and design to eliminate the probability of the event occurring.
A trap that organisations undertaking risk analysis fall into is basing their analysis on poorly quantified data. Data can be categorised in four increasing levels of reliability. First is internal opinion, the equivalent of a few sales people sharing opinions about their sales market around a bowl of grog. Second is external opinion, the equivalent of a few sales distributors expressing an opinion about their supplier’s market. Third is internal fact, the equivalent of internal sales data. Fourth is external fact, the equivalent of census figures.
Being reliant on only internal opinion puts the risk analysis process at risk! Organisations need to prepare for a risk analysis by gathering as much data as they can across the range of data reliability. If internal opinion is to be relied upon, then organisations need to tap a wide cross section of opinions and use a strong facilitator who is able to surface all opinions and then challenge inconsistencies in opinions.
Having completed a sound risk analysis and developed a contingency plan for the risks some organisations still take poor options. Some leave it at the analysis and do nothing about the high probability, high impact events, implementing a project thinking the analysis is enough. Sounds stupid, but it happens. Conversely, in risk averse organisational cultures, decisions are made to do nothing about the events and carry out more analysis.