Risking it All: How Proper Risk Assessment & Risk Management Helps System Implementation Projects Succeed
Risk assessment, or risk identification, describes the process of uncovering and managing possible threats to a project or asset, which will adversely affect an organization’s ability to achieve its business objectives. The practice of risk assessment helps to mitigate, minimize or completely eliminate these risks, and therefore – if done right – can help your project or asset management succeed.
Understanding Project Risks
Typically, organizations find that changes to their human resources, financial and other administrative systems are a huge undertaking. Significant staff and financial resources must be dedicated. Top management is fearful of an unsuccessful implementation project. They fear the risk of cost overruns, delays in the implementation time, the need for additional staff resources and lost employee morale. They also fear the unknown risks not yet identified, and the list goes on.
The primary objective related to risk assessment in a system implementation project is frequently “not to exceed the budget or time proposal in the implementation.” Examples of risks that could occur during a system implementation project that could push the project over its budget or time allocation are:
These and many more risks could adversely affect the success of the implementation project. These risks can be managed if they are identified. But far too many risks remain unidentified or are ignored by the steering committee, executive sponsor, project manager, and project team.
A method that can be used to effectively identify and assess the risks in your implementation project is described further below.
But first, let’s understand a few key concepts about risk assessment.
Risk Assessment Theory
It is important to understand the elements of risk in its assessment. In general, we are not specifically concerned with the amount of risk during a project. Rather we are concerned with the amount of our exposure to risk. In other words, if there is a risk that is being adequately managed or controlled, then our exposure is low and that risk is not one that “keeps us awake at night.” Consider this simple demonstration that shows the relationship between risk and exposure:
For example, if our objective is to drive to work safely and on time, one risk would be of running out of gas. If we had made sure the gas gauge registered full before leaving home, this risk would be well controlled and we would have very little exposure to the risk of running out of gas. On the other hand, if we had not checked the gas gauge, running out of gas could represent a huge exposure to meeting our objective.
It is also important to understand that we are not concerned with risks that are not related to our objectives. For example, there could be a large risk that the stock market will decline, but that risk is not related to our objective of driving to work safely and on time.
Another important point in understanding the concept of risk is that it is composed of the severity of a risk if it occurred and the likelihood of it occurring. Therefore:
For example, with our driving to work objective, an identified risk could be a traffic jam. If a severe traffic jam occurred one day out of every twenty, the risk would be considered high impact (I will be very late) and low likelihood (5 percent chance). On the other hand, an identified risk could be that the line at the coffee shop is longer than normal. If this long line occurs four days out of every five, but it only adds 10 minutes to my commute, then the risk would be considered low impact (I would not be very late) and high likelihood (80 percent chance).
Any risk identification method is only as good at identifying risks as the people who are doing the identifying. In other words, if the project team is asked to identify risks that could keep the implementation project from being successful, they will do a better job of identifying risks if they have been through other implementation projects. For example, a person who had never been in a car would not be able to accurately identify and assess all the potential risks to driving to work safely and on time.
Method for Effective Risk Assessment
In order to effectively assess and manage your project’s risk, you need a solid strategy for the implementation project team to follow.
Typically, the executive sponsor or project manager takes on the role of Risk Facilitator. The Risk Facilitator begins the risk assessment by interviewing the key project decision makers to identify the primary project objective(s), the related risks and the controls that are already in place to manage those risks. Objectives might be to get the system implemented within the planned time frame, within the budget and to implement all the functionality identified in the project plan. Risks for getting the system implemented within budget might be the lack of experience of the project team, the demand by users to increase functionality, and the lack of strong executive sponsorship. Controls related to the lack of experience of the project team might be scheduling them for formal training, supplementing them with professional consultant expertise and closely monitoring how each inexperienced team member is progressing compared to the original project plan.
The Risk Facilitator then documents these objectives, risks and controls into a Risk Framework as follows:
The Risk Facilitator then organizes a 4 to 8 hour risk workshop for all the key project decision makers (including project team members and consultants). This workshop should be held in a location that facilitates uninterrupted participation by all workshop attendees.
The workshop should cover the following areas:
Explanations of sections:
Validate Risk Framework – The workshop participants should review the objectives, risks and controls that were prepared by the Risk Facilitator. The Risk Framework should be adjusted as necessary so that there is consensus that these adequately cover the main project objectives, risks and controls.
Select risks for assessment – Since there will probably not be adequate time in the workshop to discuss all the objectives and related risks, the group should determine the most important 8 to 10 risks, depending on workshop length, to be further considered.
Discuss risk history, consequences and controls – For each of the risks selected for assessment, the participants should discuss the history of that risk (has it occurred before, when, what caused it?), its consequences (what bad things happened when the risk occurred or what bad things could happen if the risk does occur?), and the controls that are already in place to minimize the likelihood that the risk will occur, or to minimize the impact if it does occur. The goal is to discuss these risks thoroughly enough for the participants to gain a consensus understanding of the risks.
Rank impact and likelihood – For each of the risks discussed, the participants should vote on the likelihood that the risk will occur and the impact expected if the risk occurs. Participants should consider the discussion of consequences to determine the impact and the discussion of controls to determine the likelihood. Use a 10-point scale, as pictured in the Impact / Likelihood Chart below with 1 being low likelihood/impact and 10 being high to rank each risk as follows:
A risk can be viewed in the model above as being more important as it moves toward the upper right of the model. There is no way to objectively measure most risks, so professional judgment and group consensus must be used to quantify impact and likelihood. If the participants’ votes on impact and likelihood are all similar, then that is a good indication of consensus understanding of the risk. On the other hand, if participants’ votes vary widely, there has not been enough discussion of the controls and consequences related to the risk to reach a consensus.
Determine acceptability of exposure – After each risk is plotted on the Impact / Likelihood Chart, the workshop participants should determine whether each risk has an acceptable level of exposure. For each risk that is considered unacceptable, project management needs to give further attention to how to manage the risk better.
Identify contributing factors – For each risk that was considered as having an unacceptable level of exposure, the workshop participants should brainstorm a list of contributing factors (i.e. factors that increase or decrease the likelihood of a risk occurring or that increase or decrease the impact of a risk).
For example, in our example of getting to work safely and on time, there is the risk of oversleeping. Contributing factors that could make the likelihood or severity of the risk greater or lesser might include whether you use a snooze button, how lenient your boss is about tardiness, and the reliability of your spouse in letting you know you are late. Another risk would be the risk of your car breaking down. Contributing factors might include your diligence in maintaining the car, the distance you need to travel, and how frequently you take public transportation.
Rank contributing factors for significance and controllability – For each risk, rank the contributing factors by their significance and then again by their controllability. This ranking should be done with a consensus vote of the workshop participants. Significance is the amount that each contributing factor affects the likelihood or impact of the related risk. For example, for the risk of getting in a traffic accident, the weather is a more significant contributing factor than the quality of your windshield wiper blades. Controllability is the amount that the workshop participants can control the contributing factor. For example, weather is a significant contributing factor to the risk of a traffic accident but is not very controllable. On the other hand, your ability to telecommute is a contributing factor that is much more controllable.
Develop risk mitigation plans – For each risk that was considered unacceptable, a person should be assigned responsibility to develop a risk mitigation plan and to monitor its execution. The plan is developed considering the contributing factors identified and ranked as described above.
Benefits of Risk Assessment
If risk assessment is done right, as with the method described above, the risks in your system implementation project can be:
a) identified properly,
b) handled in an appropriate way, and
c) minimized or avoided where possible.
To be specific, at the conclusion of the above described workshop, the benefits for the project team and workshop participants will be:
For best results and continued risk management, it is desirable to review the status of each risk periodically at project team meetings and at each steering committee meeting. It is also recommended to hold an update risk workshop once or twice during the project depending on the project’s duration. This will help the team stay on top of new or modified risks as the project continues.
The risks that face software implementation projects are large and all too frequently cause a project to fail. There is nothing more important that project management can do to ensure project success than to do the best possible job to identify and assess the risks the project faces and then to put controls in place to manage those risks. If they don’t adequately identify and assess risk, they really will be “risking it all”.
Kevin W. Harper, CPA
ConTroll - The Government Finance and Accounting Blog
Kevin W. Harper is a certified public accountant and has decades of audit and consulting experience, entirely in service to local governments. He is committed to helping government entities improve internal operations and enact controls that will minimize risk and improve day-to-day functions.