Risk Management
Read this article, and pay attention to the section on attitudes toward risk. Think about your industry. Is it risk-averse or open to taking smart risks? What about you, personally?
Risk response planning
Having identified 'green' and 'red' risks you now need to look at what your response will be to each of the red risks. There are a number of fairly standard definitions of response types that can be summed up as follows:
| Response and Description | Examples |
|---|---|
|
Risk avoidance Also known as risk removal and risk prevention. Altering the plan so that the circumstances which may give rise to the risk no longer exist. |
Risk: You plan to build a new sports centre on a green field site but there is a risk that the council will refuse planning permission and delay the project. Response: You decide to build on brown field site on a former industrial estate. This incurs additional cost in terms of demolishing old buildings and removing hazardous waste. |
|
Risk mitigation Also known as risk reduction. Reducing the probability or impact of the risk. |
Risk: You won't be able to attract technical staff for the project. Response: Offer a salary supplement to project staff. |
|
Risk transference Moving the impact (and ownership) of the risk to a third party. |
Risk:You are aware that colleges are the target of an organised gang stealing hardware. Response: You decide to outsource some of your servers to a hosting company. |
|
Risk deferral Deferring aspects of the plan to a date when the risk is less likely to occur. |
Risk: You are undertaking a major review of student administration processes and a new head of the organisation wants to implement an immediate re-structure. There is a risk that staffing resources won't be aligned with the new process. Response: Postpone the organisational restructure until the process review is complete and staffing requirements are known. NB Apologies to those who know this scenario is unrealistic and the opposite always happens – we can but try… |
| Risk acceptance | Dealing with the risk via contingency rather than altering the plan. |
Even from these very basic examples we can see that, in all cases, the risk response costs money. This stage of the process can be quite iterative because until you know how you are going to respond to a risk you can't be sure what it will cost you in terms of time or money.
For example you may decide 'Losing a programmer won't lose us as much time as we thought. We don't need to take three months to recruit another because we can use a recruitment agency with a pool of programmers on their books if we are prepared to pay their 20% finder's fee'.
Risk response actions don't only occur when a risk happens – some of the above responses are preventative measures that are taken as soon as you identify the risk. At this point you may revisit your risk log to assess the status of a risk once the preventative or mitigating actions are complete. This is sometimes known as residual risk.