SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management

Fundamentals of Risk Management
By Jeff Crump - EnterpriseCM, Inc.

“There is nothing more difficult to plan, more doubtful of success,
nor more dangerous to manage than the creation of a new system.”
- Machiavelli

Clearly, the great Italian philosopher and political strategist was not talking about your latest offshore development project, but his wisdom is clear: change begets risk, and the risk needs to be managed.

Over the centuries companies have taken great strides to minimize their risk exposure during whatever business change they are about to experience. Managing risk is vital for projects both large and small. And knowing how to effectively manage risk is big business. All of the major consulting companies have entire practices dedicated to risk management.

This paper will help you understand what risk is, its levels, the types of risk, a framework for effective risk management, the responses to risk, and the risk of inaction.

Risks can be defined as many things but at the root of every definition is the fact that risks represent uncertain outcomes. These outcomes can be either negative or positive. They can represent positive opportunities (opportunities for excellence) as well as negative threats. Risk management is a widely recognized discipline or practice that can be applied across many business boundaries. In the context of offshore development or changes to the current business practice of conducting software development, risk management is concerned with the analysis of the impact of the changes that are uncertain, and reducing the probability or impact if they are deemed negative.

Risk management requires having practices in place to identify and then monitor risks; convenient access to dependable, current information about risks; the correct balance of control in place to deal with the risks; and decision-making processes that are supported by a framework of risk analysis and evaluation.

Levels of Risk
There are arguably four levels of risk:
• Strategic - risks involved in ensuring business survival and long-term security or stability of the organization
• Program - risks involved in managing interdependencies between individual projects and the wider business environment
• Projects - risks involved in making progress against project plans
• Operational - risks involved in technical problems, supplier management and so on.

Higher levels of risk feed into lower levels; strategic risks will have implications at all the other levels, while operational risks are localized and limited in scope.

A risk may appear initially on one level but subsequently have a major impact at a different level. If a risk grows outside agreed-upon limits, it should be reassessed: it may no longer represent, say, an operational risk and may now affect the project as a whole.

Depending on the scale of the change you are planning, you will have to analyze risks at one or more of these levels.

Types of Risk
Different organizations will face different types of risk. Some types of risk are as follows:
• Strategic / Commercial Risks
• Economic / Financial / Market Risks
• Legal and Regulatory Risks
• Organizational Management / People Issues
• Political / Societal Factors
• Environment Factors / Acts of God (force majeure)
• Technical / Operational / Infrastructure Risks

Framework for Effective Risk Management
For organizations interested in an institutional perspective of an effective risk management framework, the Carnegie Mellon Software Engineering Institute provides the following guidance:

Global Perspective
• Viewing software development within the context of the larger systems-level definition, design, and development.
• Recognizing both the potential value of opportunity and the potential impact of adverse effects.

Forward-Looking View
• Thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes.
• Managing project resources and activities while anticipating uncertainties.

Open Communication
• Encouraging free-flowing information at and between all project levels.
• Enabling formal, informal, and impromptu communication.
• Using processes that value the individual voice (bringing unique knowledge and insight to identifying and managing risk).

Integrated Management
• Making risk management an integral and vital part of the project management.
• Adapting risk management methods and tools to a project’s infrastructure and culture.

Continuous Process
• Sustaining constant vigilance.
• Identifying and managing risks routinely through all phases of the project’s life cycle.

Shared Product Vision
• Mutual product vision based on common purpose, shared ownership, and collective communication.
• Focusing on results.

Teamwork
• Working cooperatively to achieve a common goal.
• Pooling talents, skills, and knowledge.

Responses to Risk
When risks have been identified, you will need to evaluate them (assess the probability that they will occur and their potential impact) before deciding what to do about them. How much risk you take will depend on the benefits you hope to achieve, as well as your organization’s cultural attitude to risk and its ability to limit the exposure to risk.

Responses to risk can be to:
• manage down the risk by taking actions to prevent the risk from occurring
• transfer some aspects of the risk - perhaps paying a third party to take it on; note that business and reputational risk cannot be transferred
• tolerate the risk - perhaps because nothing can be done at a reasonable cost to mitigate it
• treat the risk - take action to control it in some way
• terminate the risk - by doing things differently and thus removing the risk, where it is feasible to do so.

Risks of Inaction
Renowned management expert, Peter Drucker, said, “People who don’t take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a year.” The conventional wisdom is that sometimes not taking a risk is a risk.

As well as gauging the level of risk inherent in your proposed change, you should also offset the risk of inaction. If you decide that change is too risky and terminate the change in process, what will be the result? If things continue as they are, what will eventually happen?

Be aware that not changing, or procrastinating, is an action with consequences for your organization, just as the change is. By the time change has become cheaper, easier to achieve or simply inevitable, the change required may be much greater in scope, or so urgent that a step-by-step approach is no longer possible.


Jeff Crump is a tech-savvy leader with nearly 20 years of information technology experience including enterprise change management, ChangeMan consulting, project management, customer relationship management, sales and business development, managing international professional services groups, and delivery efforts for high-tech commercial and government customers. Jeff is a Director of EnterpriseCM, Inc. (ECMI), a collaboration of powerful technology, process improvement expertise, and veteran change management professionals. ECMI brings together Enterprise Change Management thought leadership and real-world implementation experience to offer customers educated, informed and seasoned consultation services. Jeff can be contacted Toll Free: +1.866.788.5383, Direct: 1.480.710.0953, E-mail: JCrump@EnterpriseCM.com, Web: www.EnterpriseCM.com.






© 2006 SaferPak Ltd.