What is it?
Mapping out what could go wrong, assessing the impact of the risk in terms of both the process and outcome, and determining how to manage risks.
The initial risk assessment involves identifying actual and potential risks so that these can be reduced as far as possible. Risks can be classified in a number of ways - for example, financial, technical, and socio-political
It is worth considering all potential hazards at the outset, irrespective of their perceived likelihood. Once the initial portfolio of risk has been identified, you can systematically consider them (and their reduction) in terms of both their probability and consequence
- Risks can be associated with the failure of the project to achieve its objectives, unintended negative effects on the target audience or other stakeholders, organisational for the core team and other interested parties, and changes in the broader environment - for example, the introduction of new government policy
- Risks may also be reputational, informational, or judgemental (especially where there is a low burden of proof). Each of these could expose you to the charge of unprofessional behaviour and therefore need to be considered fully at the outset
Some risks can be anticipated and prevented (or at least managed) while others are uncontrollable to a lesser or greater extent. The important thing is that to be forewarned is to be forearmed
An important element of the initial risk assessment is to identify the nature of risk and how it can be managed. It is also worth noting that identifying and managing risk is likely to be an on-going process
Why do this?
There are potential risks in any project. By developing a risk portfolio at the outset you will get a sense of their number and range.
The purpose of risk analysis is to identify what could go wrong, to assess how it could go wrong, and to determine how these risks can be managed. The risk assessment will:
- help to determine the adequacy of resources
- help to determine expertise requirements in the core team and advisory or steering group
- help to determine external expertise that may need to be recruited
- lead to more informed decision making, for example, in selecting appropriate interventions
- help prepare contingency plans
- help to avoid unpleasant surprises
How might you do this?
The initial risk assessment can be undertaken by the core team as it develops the challenge statement and initial timeline.
Some elements of risk will be known from experience. Some are general - for example, all projects have the potential to run out of time or over budget. Others may be specific to the particular issue or target audience, as when advertising campaigns aimed at reducing drug abuse among young people have the opposite effect. You need to identify areas where more information is needed, and be aware of previous related work – there is no point in re-inventing the wheel, particularly is someone else has already done a lot of the spade work. As new stakeholders become involved and new information becomes available, the initial risk assessment will be continually updated.
The following approach can be useful:
- Assess the types of risk which should be monitored
- Technical Risk - including failure to deliver and follow-on difficulties where completion is contingent on achieving milestones early in the project
- Financial Risk – may include cost overruns, reduction in budgets, professional indemnity risks
- Social/political Risk – may include changes in legislation/regulatory framework and other external factors which affect the target audience. For example, a programme aimed at reducing smoking in public places is now redundant, as UK legislation now forbids it
- Reputational risk – may cause damage to the organisation’s intangible assets or the reputation of members of the team. There might also be risks associated with professional indemnity
- Decide what actions can be taken to manage potential risks
Determine information needs
Information is required both to assess the level of risk (in terms of its probability and consequence) and to provide the basis for risk reduction and management
Allocate responsibility and timescales
It is important that team members have clear responsibilities for risk management and information collection to specified timescales.
As new information becomes available and decisions are made, the nature of potential risk may change. New risks may be identified and take priority.
Keep coming back to the risk assessment as the work develops. Some risks will become less important and new ones will emerge
- Try to identify a few key people and ask them who else they would recommend that you should talk to and/or other information you might want to access
Take time and care over the risk assessment as it can be a complex process
Getting it wrong is bad enough, but being accused of not spending enough time on the issue can be worse
- An initial risk assessment document
- Recognition of the main sources of risk involved
- Proposed actions for eliminating or reducing these risks
- A list of actions ascribed to individual team members to identify the information they need to gather