Risk Management
Any project, big or small, comes with some inherent risk. It is part of venturing into uncharted territory – to build and create something new. As systems grow more complex, the interaction between their components becomes non-linear and indeterminate, creating many opportunities for failure. In these systems, risks are created through the interaction between the emerging system capabilities and the business processes the system is intended to serve. Whilst it is impossible to eliminate risk completely, it is possible to manage risk to our advantage through rigorous risk analysis and risk management techniques that defuse problems before they arise.
RISK IS CREATED BY FAILING TO DEAL WITH CHANGE
Risk management seeks to anticipate and address uncertainties that threaten the goals and timetables of a project. The uncertainties may include questions of material and parts quality; delays in delivery of sufficient materials to meet project needs; budgetary and personnel changes; and incomplete knowledge or research.
Risk Categories
Risk categories can be used to separate the risk of successful project deployment from the risk of deploying the project successfully. This may seem like a trick phrase, but there are several subtleties here¹:
- Having the software system operate in a successful manner does not imply that the system itself is successful. Since the users of the system assume that the deployed software will somehow aid in their work day, the system must not only work, it must add value to the user’s environment.
- Having met the user’s needs while deploying the successful software system is not sufficient. The business operation must also benefit in tangible and measurable ways.
In our proactive approach to risk management, we prefer to start with an impact assessment, deliberately taking the business perspective to identify major management concerns and issues. This step helps focus on the key risks while avoiding being sidetracked by lesser risks. In practical terms, we would typically facilitate a risk workshop involving senior people from Technology and the Business, the output being a business impact report.
The next step is a full risk analysis to identify potential threats and vulnerabilities relating to the most serious impacts previously identified, and to address them so as to eliminate not only the immediate threat but also the root causes that allow it to exist in the first place.
Contingency planning
With the best will in the world, despite all the controls implemented already, some impacts are so severe, some threats so strong and some vulnerabilities so difficult to eliminate that the organization faces unacceptable residual risks. We believe that contingency planning is an integral part of risk management, not a separate activity. Wherever practicable, we prefer to help clients implement cost-effective controls to prevent risks, but detective and corrective controls (including contingency plans) are sometimes appropriate. How far we go along the road of specifying and developing contingency measures of course depends on the client’s wishes.