Risk is not the enemy!
In most languages, the term “risk” carries a very negative connotation. In fact, clients often tell me, whenever I bring up this topic as it relates to their organization or projects, that the term “risk” makes them anxious and they would rather avoid talking about it. However, “risk” is not the problem. Avoiding discussing risks and addressing them is what can get you in deep trouble.
First of all, “risk” is just uncertainty. It can be positive uncertainties (opportunities) or negative ones (threats.) Therefore, know that when you start identifying risks, there will be some nice surprises in there. A positive risk or opportunity might be, for example, getting more work later on from a new client, if you perform well for them in the current project.
The best way to address risk is by making a list. This task not only helps you identify the risks, but it has a great psychological effect by simply demystifying them and dealing with them head on. Once you have identified as many risks as you can think of, list them any way you want, such as alphabetically, by category, by type (opportunity or threat), or by priority.
Next, after finishing the list, determine their probability, which can be in a percentage (%), or on a scale of 0.1 to 0.9, or as “high,” “medium,” or “low.” Once the probability has been established, determine their impact. This is important because a risk may have a high probability of occurring, but even if it does occur, their impact to you, or to your project, might be low. The impact can also be determined as “high,” “medium,” or “low,” or on a scale of 1 to 10 or 0.1 to 0.9, etc. For larger projects, I recommend using a numeric system, because you might want to determine the probability – impact (P-I) score, which requires multiplying probability and impact, such as:
Probability: 0.9 (90%)
Impact: +0.8 (an 8 on a scale of 1 to 10) – the plus sign means this is an opportunity.
P x I score would be 0.72 (0.9 x 0.8)
The last two steps will entail 1) developing responses (strategies) for each risk, for example how to mitigate the potential threats, or enhance the probable opportunities; and 2) identifying signs that the risk might actually be occurring, which are called “triggers.” Remember, a risk is an uncertainty and it may or may not materialize. Therefore, you need to track your risks and adjust their probability, impact, response, etc. as needed
The best approach to keep track of your risks is by using the “risk register.” An example is provided below:
Additionally, as required or desired, an evaluation of the expected monetary value (EMV) for each risk can be completed. This is determined by multiplying the “P x I” score by the total value of the risk. For example, Risk R1, shown in the table above, might mean 100,000 € in new work. Therefore the EMV would equal +0.63 x 100,000 € = +63,000 €.
Of course, the actual risk is either worth 100,000 €, if more work is awarded to you, or 0 €, if the new work never materializes. However, at the start of the project, when uncertainty is high, we can only guess at the outcome of all risks and weigh that estimation accordingly. In this case, for example, this risk is worth +63,000 € and, therefore, is worth tracking, exploiting and trying to get it to happen.
Good luck with risk management and remember to always address “risk” head on!