Risk management in IT | Bunch Consulting
Minimizing the impact of any potential problems on your project is one of the key aspects of risk management. We would like to share our experience in this topic with you here.
You’ll get to know how to create a successful risk management process in your company, how to qualify the risk, and choose the response. And, last but not least, we’re sharing with you our sample Risk and Likelihood matrix.
Risk – what is it, and where does it come from?
No matter what your IT project is about, there are risks connected with it, be they financial, organizational, or technical issues that might interfere with executing the release plan. Anticipating risks related to your projects is as important as doing it in your daily life (like – “Hey, I’m in Australia, and I love spiders. Oh! What a marvelous spider, I’ll take it home to France!”. You won’t do that, since you know it might be dangerous, and even if it wouldn’t kill you, you’ll be stopped at the border).
What is a risk management strategy, and why do I need it?
Let’s dwell on what risk management is. We would describe it as a process of identifying, assessing, and controlling any possible threats to your company’s capital and earnings.
The goal of a risk management strategy is not the elimination of all risks, because that is simply impossible. You manage risks to know which ones are worth taking and might lead you to your goal.
How should I create a risk management strategy?
Intertwine it with the strategy and goals of your company. To achieve this, the risk managers have to define how much risk you are ready to accept to realize your organization's objectives. The next step is to examine the relationship between the risks and the cascading impact they might have on your company’s strategic aims.
Where can the risks come from?
There are a lot of sources, starting with financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and last but not least, natural disasters.
Qualifying the risk and responding to it
We started our article with the connection between Risk Management and Australia, and we’d like to stick to this example. Imagine you’re backpacking and see a cute kangaroo with its mother. Would you come and pet it? Probably not. Why? Because you’ve calculated the risk – the mother kangaroo might want to protect her baby and kick you… The same applies to qualifying the risk in project management. Obviously, the questions to ask yourself need to be modified, but the process – qualifying the risk and determining your response – is similar.
Qualifying the risk
The key questions to ask yourself at the first stage are:
Then, you need to assess the probability of these events – is it high, medium, or low? Also, examine the seriousness of the threat they present to your project – high, medium, or low. Think of the signs that you should be looking for. Of course, you should pay more attention to a risk that is highly likely to happen and poses a serious threat to your project than to a less probable one.
Determining the response
The risks with high probability-impact scores should be considered in the first place. The possible actions encompass:
Of course, if you’re conducting a risk assessment, all the risks should be documented, and the high-scored ones added to the project timeline to track them at the right time.
4 methods of approaching risk
How to approach risk in IT project management? This is a question that every start-up founder should ask themselves. Being prepared for all the possible scenarios and dealing with risks in a structured, planned, and measured manner is what will save your project from failing when any of the anticipated risks occur. It is not enough to brainstorm with your team on all the possible risks – you have to follow the ICED acronym – identify, categorize, evaluate, and document them. Once you’re ready with it, you can employ the following methods to respond to the risk:
Reducing the risk
Mitigating risks is one of the most frequently applied methods. It might be the best strategy if the risk poses a significant threat to your business, where avoiding and accepting it won’t work. Lessening or eliminating the hazard is essential if you estimate its probable impact as costly for your business.
Avoiding the risk
This approach aims at eliminating the probability of the risk materializing. If there is no imminent threat to your business, it might even be reasonable to give up on fixing a poorly working product.
Accepting the risk
Sometimes it’s not possible to avoid the risk. When the probability of it occurring is low, or the estimated impact on long-term overall strategy is insignificant, you can decide to accept the hazard.
Transferring the risk
If you feel that your team might lack the skills or time to develop a proper risk response, there’s one way to deal with it. Delegate it to someone who has done it many times and knows many scenarios and case studies.
Create your perfect risk management process
By now, you’ve surely realized the importance of risk management in your enterprise. It influences a variety of aspects, starting from business continuity, profitability, and protection of your company’s assets. An effective risk management process requires 5 steps, described below.
Identification
The effectiveness of dealing with risks is determined by being aware of them. Describe the risks and designate the people responsible for dealing with them. At this point, concentrate on four areas: operational risks, financial risks, hazard risks, and strategic risks.
Assessment
This step focuses on the probability of the risk materializing. Take into account the likelihood and impact of the potential dangers. It’s crucial to figure out which hazards require the most attention and how fast you will need to act if they happen.
Treatment
There are 4 most common ways to deal with the risks – reducing, avoiding, transferring, and accepting them. We described them in detail in our previous post. The more severe the issue is, the more complex your plan on how to respond to it should be.
Monitoring
Risk management should be treated as an iterative process, a flexible plan that has to be revised and adapted if necessary. The person responsible for risk monitoring needs to constantly update the team on the status of work.
Reporting
Decide on the format and frequency of reporting early in the process of risk management. Then, execute. We all know it’s not that easy, but reporting on all previous stages will give you an overview of the situation and justify any changes you need to make.
Risk and likelihood matrix
We’d like to give you a sneak peek into what our Risk and likelihood matrix looks like. You can find it on our website in a sample of a Finance App Project estimate.
What about no. 3, do you have any idea about a potential risk it could stand for? Let us know in the comments!
What else should I know about risk management in IT?
That’s it! At this point we’d suggest delegating it to a team of experts. Risk management in start-ups is one of the components of our Start-Up Kit as well as a part of our standard Project Management Strategy – let us know what we can do for you at [email protected]. Multiple successfully finished projects provided our Bunch with valuable experiences in risk assessment and management.