Risk. I love that word. Every wonderful thing that’s ever happened to me has been born of risk.
When we talk about risk management in business, we’re not just talking about the bold, brave business moves that may fail but could also take us to new heights. We’re also talking about the very negative occurrences that are likely to happen if we don’t foresee and prevent them.
Risk can come from an internal or external source, and there isn’t a project in the world that isn’t susceptible to risk. Thanks to risk management, companies can minimize known threats as much as possible, prevent project failure and stay in the client’s good graces. Companies can also experience successes they’ve never dreamed of.
Why You Should Prioritize Project Risk Management
- You’ll handle unexpected issues in a proactive way, which can keep you from losing money – and may even earn you money.
- You can take advantage of the opportunities that arise.
- Team members will be thrilled that they don’t have to fix problems that could have been prevented.
- Projects will be delivered by the due date and within budget, and they’ll have the level of quality your client expects.
7 Principles of Project Risk Management
It’s a huge mistake to assume that zero problems will occur during the course of your project. This isn’t confident; it’s ignorant. Smart companies write risk management into the project itself, as well as into employee training and even daily operations. Let’s go over seven principles of risk management.
1. Define the Scope of Work for a Project
A project’s scope of work (SOW) should include:
- Client information
- Contractor information
Those are just the basics, though. Your SOW should be as detailed as possible so that your client knows what falls within the scope of work and what doesn’t. Answer questions like, “What will happen if the client asks for changes after accepting the project as completed?” or “How will the project timeline be impacted if the client doesn’t provide necessary information on time?”
A new SOW should be written for each project. Every client and contract is going to be different, and if you use a generic template, you’re going to miss something.
2. Identify Risks as Early as Possible
Being able to see risk coming down the line requires keeping an open mind and thinking about the future of a project, not just its present state.
Employees are a great source for this. They have varied experiences and can pinpoint when you need risk management. Hold one-on-one meetings and team-wide sessions to ask for feedback and advice. Also, speak with other industry professionals who have worked on similar projects. Find out what went wrong in their projects and the issues they were able to prevent through risk management.
Ultimately, you want to go through every step of the project and discuss any concerns or possible problems. There’s no suggestion that’s too silly or far-fetched at this point – this is a brainstorming session and all ideas are welcome.
Project areas to assess for risk management include:
- Client requirements
- People (for example, if a core team member gets sick)
- Weather and natural disasters
You can breakdown these categories further if you want. For example, the “schedule” category can be broken down into different website design deliverables and then risk can be assessed for each one.
3. Identify Opportunities, Too
Just as you can foresee where a project may go haywire, you can foresee where it could fly should it not fail. Prepping for opportunities is an important part of risk management.
Let’s say you’re creating a landing page for a client. You’re working with a marketing team to drive traffic to that landing page; once visitors are there, you’re hoping they’ll convert thanks to your phenomenal design and sales copy. On the one hand, you can prepare for the landing page not converting nearly as many people as you hope or the signup form taking too long to load.
But what about if everything goes the other way? The marketing team’s ad does so well that they’re begging for a bigger budget to get even more traction. So many people convert on the landing page that the website can barely handle the influx of traffic. These are great problems to have, and they have to be planned for just like the negatives.
4. Assign Importance to the Risk
Rate each risk. Using a scale of 1 to 5 is easiest, with 1 being the least impactful and 5 being the most impactful. First, answer the question, “How likely it is that the risk will occur?” and rate it on that scale. Then, rate the impact of the following: time, cost and quality. If it’s a positive risk, you can also rate it in terms of its benefits, as in, “How beneficial will this risk be if it occurs?”
Doing this will help you prioritize which risks to mitigate first and tell you which ones can be put on the side or even ignored completely. If there’s a risk that’s highly likely to occur and that will have a major negative impact, it needs your attention. If there’s one that’s not very likely to occur and will only have insignificant outcomes if it does, you can leave that for later or even skip it completely.
There’s a gray area.
Let’s say you’re designing a website for a new client. This is the first time you’ve worked with her and you already know you don’t want to work with her in the future – her demands are high and unrealistic and her budget is low. She wants a robust website, but she can’t afford it – and she doesn’t seem to understand that. You’re going to have to deliver less than what she’s asked for, sticking to the basics and necessities and leaving out the bells and whistles.
Here’s the risk: unless you deliver what she wants within her budget (which you’re not willing to do), you are going to seriously disappoint the client, and she probably won’t hire you in the future. The likelihood of this happening is a 5.
This isn’t going to impact time or cost – the reason why you’re saying “no” to her demands is to work within the time and budget constraints – but it is going to impact quality, at least in the client’s eyes. Here’s another question, though: do you care? Maybe not. You don’t want to work with her again, so while the risk of the worst thing happening is high, the impact on the future of your business is low – you already know it’s coming and you’re fine with it.
The risk and present impact rated highly, but the future impact didn’t, so even though the numbers are up there, this doesn’t need a lot of your attention.
The opposite can also be true.
There may be something that’s seemingly small – unlikely to happen, not super impactful on time, cost or quality – but it’s still important to you, for whatever reason. For instance, let’s say you have a client who you’ve built numerous websites for. He’s always thrilled with your work. Now, he has a slightly different project for you, a website for an industry you’re not as familiar with as others. You’re pretty sure you can still deliver what he wants and that the client will be impressed. The risk of something going wrong is low. It’s still there, though, and you have such a fantastic relationship with this client that you want to prevent any and all risks possible. The risk assessment numbers are low, but the importance is high, so you’re still going to put it on your list of risks to prevent.
5. Figure Out How to Respond to the Risk
You’ve determined which risks need your attention right now. What will you do, though? What actions have to be taken and why?
The Triple-Why Method for Risk Management
In order to dig down to the root cause of a potential problem, I’m a big fan of asking yourself a 3-part series of “why?”
Let’s take the example of that client who wanted the world’s best website but had a tiny budget for it. We’ve already established that she’s going to be disappointed that she can’t get all the features she wants. One thing you cannot do for her is create a custom chatbot. Instead of simply saying, “Well, we can’t do it, so tough,” figure out why this is a problem:
- Why is this a problem: The client doesn’t have the budget for the custom chatbot she wants. She’s going to be upset that she doesn’t have this functionality on her website.
- Why: Because she wants a way for customers to get in touch with her immediately and she feels that live chat is the best way to offer that.
- Why: Because there are fewer hoops for the customer to jump through. They can contact her company without sending an email or picking up the phone first.
Okay. So we’ve determined that the real issue isn’t, “The client wants this thing she can’t afford.” The issue is that the client wants a way for customers to chat live with her company, and she’s assuming a custom-built chatbot is the only way to do that. Instead of saying, “Nope, sorry,” you can go back to her with an alternative she can afford, such as embedding Facebook Messenger into her website. You’ve now solved the real problem, that third “why.”
The 4 Ways to Handle Risk
Now that you know the root cause of the potential problem, there are four basic ways to deal with it:
- Avoidance: Prevent the risk from occurring so that it doesn’t mar your project.
- Mitigation: Take action to limit how much damage the risk can cause.
- Transference: Hire someone else to take on the risk. For example, you can hire a lawyer to look over a contract.
- Acceptance: This is what you’ll choose if the other three options aren’t available or realistic.
6. Maintain a Risk Log
Use a spreadsheet to keep track of the risks you expect. In addition to the risk assessment scales mentioned above, here are some fields to include and details to flesh out:
- The date of when you add the entry and any other dates that will matter, such as when something consequential happens
- Description of the risk
- Likelihood of the risk happening
- The person responsible for managing the risk, determined by who is most suited to that particular risk
- Proper response(s) to the risk
- High and low cost estimates for different risk responses
- Current status
The complexity of the risk log will coincide with the complexity of the project. For simple website design or development you’ve done hundreds of times before, an informal risk log will serve you just fine. For a project that’s large in scope and for a VIP customer, you’ll want a more formal and detailed risk log.
7. Regularly Review Project Risks
Every week, go over your risk log to update information, determine what to tackle next and add risks as they pop up. Risk management isn’t a one-time exercise; it has to be monitored and updated throughout the lifespan of a project.
Keep your log once the project is over and done with, too – you may be able to learn from it and more accurately predict future risks for similar projects. You may even be able to develop a go-to risk checklist for a future project based on a past one.
You’ll never be able to identify, plan for and prevent every single thing that could go wrong with a project. However, with savvy risk management, you can identify a high number of potential risks and make a plan to deal with them before they become a problem. Then, you’ll have more time to dedicate to the risks you didn’t see coming.
Are you looking for a way to keep all of your projects in order? Check out our article about Asana, including an in-depth overview and use case recommendations.