
Fundamentals of Risk Management

EnterpriseCM, Inc. :: 2415 E. Camelback Road. :: Suite 700 :: Phoenix, AZ 85016 www.EnterpriseCM.com :: Info@EnterpriseCM.com

"There is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than the creation of a new system."

Machiavelli

Clearly the great Italian philosopher and political strategist was not talking about your latest offshore development project, but his wisdom is clear: change begets risk, and the risk needs to be managed. Over the centuries, companies have taken great strides to minimize their risk exposure during whatever business change they are about to experience. Managing risk is vital for projects both large and small, and knowing how to manage risk effectively is big business. All of the major consulting companies have entire practices dedicated to risk management. This paper will help you understand what risk is, its levels, the types of risk, a framework for effective risk management, the responses to risk, and the risk of inaction.

Risk
Risks can be defined as many things, but at the root of every definition is the fact that risks represent uncertain outcomes. These outcomes can be either negative or positive. They can represent positive opportunities (opportunities for excellence) as well as negative threats. Risk management is a widely recognized discipline or practice that can be applied across many business boundaries. In the context of offshore development or changes to the current business practice of conducting software development, risk management is concerned with analyzing the impact of changes that are uncertain, and reducing the probability or impact if they are deemed negative.

Risk management requires:
- having practices in place to identify and then monitor risks;
- convenient access to dependable, current information about risks;
- the correct balance of control in place to deal with the risks; and
- decision-making processes that are supported by a framework of risk analysis and evaluation.

Levels of Risk
There are arguably four levels of risk:
- Strategic: risks involved in ensuring business survival and long-term security or stability of the organization
- Program: risks involved in managing interdependencies between individual projects and the wider business environment
- Project: risks involved in making progress against project plans
- Operational: risks involved in technical problems, supplier management and so on.

Higher levels of risk feed into lower levels; strategic risks will have implications at all the other levels, while operational risks are localized and limited in scope. A risk may appear initially on one level but subsequently have a major impact at a different level. If a risk grows outside agreed-upon limits, it should be decided that it no longer represents, say, an operational risk and may now affect the project as a whole. Depending on the scale of the change you are planning, you will have to analyze risks at one or more of these levels.

FOR PUBLIC USE EnterpriseCM, Inc. Fundamentals of Risk Management

Types of Risk
Different organizations will face different types of risk. Some types of risk are as follows:
- Strategic / Commercial Risks
- Economic / Financial / Market Risks
- Legal and Regulatory Risks
- Organizational Management / People Issues
- Political / Societal Factors
- Environment Factors / Acts of God (force majeure)
- Technical / Operational / Infrastructure Risks

Framework for Effective Risk Management
For organizations interested in an institutional perspective of an effective risk management framework, the Carnegie Mellon Software Engineering Institute provides the following guidance:
- Global Perspective: Viewing software development within the context of the larger systems-level definition, design, and development. Recognizing both the potential value of opportunity and the potential impact of adverse effects.
- Forward-Looking View: Thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes. Managing project resources and activities while anticipating uncertainties.
- Open Communication: Encouraging free-flowing information at and between all project levels. Enabling formal, informal, and impromptu communication. Using processes that value the individual voice (bringing unique knowledge and insight to identifying and managing risk).
- Integrated Management: Making risk management an integral and vital part of the project management. Adapting risk management methods and tools to a project's infrastructure and culture.
- Continuous Process: Sustaining constant vigilance. Identifying and managing risks routinely through all phases of the project's life cycle.
- Shared Product Vision: Mutual product vision based on common purpose, shared ownership, and collective communication. Focusing on results.
- Teamwork: Working cooperatively to achieve a common goal. Pooling talents, skills, and knowledge.

Responses to Risk
When risks have been identified, you will need to evaluate them (assess the probability that they will occur and their potential impact) before deciding what to do about them. How much risk you take will depend on the benefits you hope to achieve, as well as your organization's cultural attitude to risk and its ability to limit the exposure to risk.


Responses to risk can be to:
- manage down the risk by taking actions to prevent the risk from occurring
- transfer some aspects of the risk, perhaps paying a third party to take it on; note that business and reputational risk cannot be transferred
- tolerate the risk, perhaps because nothing can be done at a reasonable cost to mitigate it
- treat the risk: take action to control it in some way
- terminate the risk by doing things differently and thus removing the risk, where it is feasible to do so.

Risks of Inaction
Renowned management expert Peter Drucker said, "People who don't take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a year." The conventional wisdom is that sometimes not taking a risk is a risk. As well as gauging the level of risk inherent in your proposed change, you should also offset the risk of inaction. If you decide that change is too risky and terminate the change in process, what will be the result? If things continue as they are, what will eventually happen? Be aware that not changing, or procrastinating, is an action with consequences for your organization, just as the change is. By the time change has become cheaper, easier to achieve or simply inevitable, the change required may be much greater in scope, or so urgent that a step-by-step approach is no longer possible.

For More Information: Please contact us via phone (+1.480.710.0953), email (Info@EnterpriseCM.com) or visit us on the Web at www.EnterpriseCM.com.
