Risk Management Blog

Risks are tricky and we can't always avoid them. Sometimes, though, we can make them less likely to happen and/or less damaging if they do. This evasive action is called risk mitigation.

 Before you can do any risk mitigation, you will  have to identify what (known) risks you're facing.  Not all risks will be worth addressing with a mitigation plan, so having an estimated of probability and impact for each will help decide where it makes sense to spend resources.

 Look at several factors as you decide whether to create a mitigation plan for a risk:

  • Is the risk probability high enough that it's worth trying to lower the likelihood? 
  • Is the potential impact great enough that it's worth working to reduce it?
  • Is the cost of mitigation worth the change in probability and/or impact?
  • Will the mitigation lower the probability and/or impact enough to justify the cost of the action(s)?

 

If the decision is that a mitigation plan (and of course execution of the plan) makes sense for the individual risk, the next step is to balance that plan against mitigation actions for other risks on your list.  Depending on resourcing, you might need to choose which risks to actively mitigate.  This isn't as simple as picking the risks with the highest probability/impact combinations; factoring into the equation is how *much* you can actually mitigate a risk compared to how much you can mitigate other risks.

 If you don’t have a good idea of what a specific mitigation plan will involve it will be worth the effort to have at least the outline of a plan for comparison purposes.  One mitigation plan might contain several mitigation actions.  At a minimum, your plan should include:

 

  • An overview of the mitigation plan
  • Specific steps to be taken including:
    • Who will perform the steps
    • Whether the steps will be repeated
  • Reporting and monitoring

When you have a plan, you will want to double check the costs associated with the plan to ensure that the trade-off between those costs and the actual risk mitigation is worth executing the plan.  To do a thorough analysis, you will probably need to add information to your plan.   This information might include resources required and the cost of the resources, level of effort needed, and opportunity costs.

 When you've decided to go with a plan you should put it into action as soon as possible.  Timing information might also be included in the plan, especially if an action can't be taken until a certain point in a project.

 Now you have a mitigation plan to make the risk less likely (or less damaging) and you're executing to the plan. But how do you know it's working? If the mitigation actions aren't lowering or eliminating the risk it doesn't make sense to continue them.

For each action taken, you need to understand what indicators will change.  For example, suppose you are having issues with hiring - you aren't getting enough responses to your open requisitions and this issue raises the risk that you will not be able to staff for a big project in time.  In this case you need to track the number of responses per time period (and possibly the quality of applicants) - the risk is mitigated if you get a sufficient number of responses to be able to hire for the project in the timeframe needed.  The first task is to get a baseline - how many responses per week per position are you getting now?  And if you can dig into the past a bit you can see trends that will help you evaluate your mitigation actions.

 Here's where the reporting and monitoring part of the mitigation plan comes in.  As soon as you start executing the plan, start measuring the responses.  For example, you've only been posting on your company website and you're getting very few applicants.  Your mitigation plan might be to post on LinkedIn or another service.  There's a cost with using a recruiting site, so your plan only includes one site at a time.  Once you start posting on LinkedIn, track the number of applicants per position.  If the number increases enough to get hiring back on track you're doing well.  If the number of applicants doesn't increase, you'll probably stop posting on LinkedIn and look at backup plans - posting on another site, for example.  Both the baseline and the continuing measurements are critical to ensure that your plan is actually addressing the risk.

There may come a time when the risk has been resolved enough to stop the mitigation action - for example, hiring for the project is complete and you have no further large hiring efforts in the near future.  Some mitigation actions will continue until the project is complete.  Knowing that threshold in advance will make your mitigation plan even more effective - and cost-effective.

 

 

Every business venture, from initial filing to product announcement to hiring, carries risk.  And while we certainly focus on risk for the big ticket items, we tend to ignore the possible issues for anything smaller than a product launch-- and then get caught unaware when something goes wrong.f course, not every possible risk is worth worrying about.  Sure, the volcano under Yellowstone might erupt but the changes are vanishingly small and there's no way to predict or avoid it.  But other things, like running over budget or being leapfrogged by competitors, or even setting up some kind of process that ends up causing an exodus at your company, are worth trying to get ahead of.

 Where do you start trying to figure out what might go wrong and whether it's worth worrying about?  Fortunately, there's a process for that.

 Let’s back up a bit.  Before you start looking at what might go wrong you’ll need to understand how you (and probably your organization) feel about the importance of what you’re doing.  Will you damn the torpedoes and full speed ahead no matter what the risk (for example, a new start-up trying to get the first product out)?  Is it a bet-the-company proposition?  Is it a trial balloon that won’t be worth too much risk because either the reward is small or the possible damage is too serious to continue?  The answers to these questions won’t help you identify the risks, but they will help you decide what to do about risks once you see them.

 Now that you’re thinking about what’s important to your project, process or decision, brainstorm the things that could go wrong.  If you understand the parameters of the endeavor you’ll be able to more easily see what could derail those parameters, so think about the goals while you're brainstorming.

 Let’s assume you have a list of possible issues – or maybe disasters.  The next thing to do is to decide whether they are in fact issues or actual disasters and whether you should do anything to address them.  The question of where on the scale of issue to disaster a risk falls is called impact.  Once you know the impact of a risk, take a look at how likely it is to happen – probability.  You can see that some things may have a big impact – like the Yellowstone eruption – but a small probability.  You might not want to do anything more about those risks except track them.   Some things might have a big probability but they really won’t do much harm and you can see you’d be able to recover.  You might not want to spend time on those either.

 But for those risks in the sweet spot of high likelihood and large impact, you want to be prepared.  Know what they’ll look like if they happen and any warning signs you expect to see.  Is there a way you can make them less likely or less destructive?  And is that way worth the trouble, money, and/or time?

 And what if the risk becomes reality?  Contingency plans can help you out there.  Knowing what you’re going to do if it happens means you’ll be working on recovery immediately.

While you’re figuring all this out and then applying what you’ve learned, you’ll have to take some time to understand who needs to know about the possible risks and what you’re doing about them.  Risk reporting starts with just a red/yellow/green flag and can run the gamut from that high level to a complete risk register and all of your plans and measurements.

The real story here is that you ignore risk at your peril. Using a straightforward process you can anticipate and evaluate potential risks, determine the danger level, reduce the impact and/or probability of some of them, and be ready to respond if an identified risk comes to pass.  All you have to do is think about risk in an organized way and then pay attention as you go along.

 

   I've been working with ThoughtLeaders LLC to create a Risk Management class - if you'd like to learn and practice a step-by-step process, check it       out at https://www.thoughtleadersllc.com/services/risk-management/