Assessing risk is a big part of ensuring an IT project implementation is successful and can also be used to determine which of multiple solutions to a business problem is the best one.
Risks are elements of a project that have the potential to derail successful implementation. Generally, if you have several options to solve a business problem, you will go with the one that has the least risk, all other things being equal. The solution you finally choose will still have some risk, but you will at least have put some effort into understanding what the risks are and can take measures to minimize their impact on your project.
A risk assessment is the process of identifying all the nasty things that can happen to your project, then evaluating each of them with respect to its seriousness and likelihood of occurrence. I find it helpful to bring together project stakeholders and have a discussion to identify risks, since it tends to be hard to think of everything on your own. At this stage, don’t rule anything out. You will quite quickly narrow your list of risks down to a number of key ones worth mentioning, while others can simply be discarded as so remote that they don’t warrant consideration. Also make sure that you have your IT mission and vision in mind, as there can be risks that directly impact your strategic direction.
Once you have identified risks, evaluate each one in terms of its seriousness and likelihood. In the insurance industry, seriousness and likelihood are supported with copious amounts of research and statistics, so a quantitative assessment can be done. Less opportunity is available for such quantitative analysis in IT, so your assessment will be more qualitative. I believe in keeping things simple, so I use a rating of Low-Medium-High for both seriousness and likelihood. You could also use something like the graph below and have stakeholders place a point where they think the risk should fall. Afterwards, you could overlay the graphs and see clusters indicating a consensus assessment for a risk.
Once you have evaluated seriousness and likelihood, it’s time to grade each risk depending on its combined seriousness/likelihood score. If you are using the graph, the action required to limit the risk depends on which quadrant your assessment score fell in. If you are using the Low-Medium-High method, then you grade each risk based on the following table which, in turn, corresponds to the required action:

It is good project management practice to review your risks periodically and evaluate whether their condition is changing. It is possible for a low-level risk to become a high one as the project develops, thereby requiring a different course of action.
So, in summary, to assess the risk of your project, do the following:
- Identify risks, particularly those that have the potential to impact your mission
- Evaluate each risk based on seriousness and likelihood of occurrence
- Grade each risk according to the seriousness and likelihood rating
- Plan action according to grade
- Re-assess risks frequently to monitor change
Take these steps and you’ll go a long way to implementing a successful project and minimizing surprises!




