Tuesday, 22 March 2011

Risky Business: How to Get a Handle on Risks (and not let them rule your life)


Whether you are starting an insurrection in a North African country, ousting the head of an esoteric lodge or creating a new tarot deck - life is full of risks. The statistics on people injured or killed by household appliances are downright scary. So how can you get better at managing risks?

For that matter, how do you make sure that reviewing your risks will not lead to paralysis by analysis? These questions and more will be addressed below, including some example risks around building a golem (which any Trainee Golem Builder worth his or her clay is sure to have done already, I hope).

Project Management bit
Let’s start with some Project Management basics for risk management. Here is a handy diagram slightly adapted from the PMI (Project Management Institute) PMBOK (Project Management Body of Knowledge), 3rd edition, p. 241.


OK, that’s a whole load of information in one diagram, so let’s break it down.

Identification:
This simply means finding out what the risks are. It’s best to time-limit this investigation, as you could be writing down risks all day. One simple technique if you’re doing this in a group is to give everyone some post-it notes and pens. Then for the next 5 minutes everyone writes down one risk per post-it. At the end of the 5 minutes each person puts up their post-it notes on a wall or white board and gives a brief summary. Once everyone has had a turn, you open the meeting up for discussion. That way even the quiet people get to have their say via the post-it notes before they get drowned out by the louder people during the discussion phase.

Qualitative Risk analysis:
Following on from the post-it technique for identifying risks above, now divide the wall or white board into quadrants by drawing a cross with an X and a Y axis. Label the X axis Impact (low at the left end and high at the right end). Label the Y axis Probability (low at the bottom and high at the top).

Then ask everyone to get up once again and move their post-it notes into the quadrant that they think fits best. For example, “forgetting to deactivate your golem before Shabbat” is low probability but high impact. The probability is low as you’re not allowed to ask the golem to work on Shabbat. But if you forget and the risk becomes an issue, the effects of the golem running amok and rampaging through the neighborhood will have a big impact.

Quantitative Risk analysis:
To be honest I’m not an expert in Quantitative Risk analysis as the organizations I’ve worked in have rarely if ever put a price on risks. However, the theory behind this kind of analysis is to work out what the organization should spend or set aside to cover the cost of the risk happening (i.e. becoming an issue).

For example, you need virgin clay to make a golem. However, unless you know of a location where there is clay by a riverbank that has never been used before, you may have to rely on local experts. Hence you interview each one in turn, trying not to freak them out too much with your inquiries about virgin clay. The risk you assess is how much time and money you are wasting should you choose to follow the lead from the wrong local expert.

Response Planning:
If you’re really into Project Management and do it for a living or aspire to, I would recommend that you use a Risk Register. This is a ‘living’ document that captures your risks at the start of a project and is reviewed and updated on a regular basis. If you manage to do that last bit of regularly reviewing and updating then you are indeed a god amongst Project Managers.

Here is a quick explanation of how to address risks:

Negative:
  • Avoid – do something to make sure it does not happen
  • Transfer – pay or get someone else to handle the risk
  • Mitigate – take some action to reduce the likelihood of the risk happening
Positive: (also known as opportunities)
  • Exploit – do something to make sure it does happen
  • Share – spread the opportunities
  • Enhance – take some action to increase the likelihood of the risk happening
Acceptance (both) – do nothing.

Monitor & Control:
This separates the Men from the boys, the Women from the girls and the Master Golem Builders from the Trainee Golem Builders. Actually reviewing your risks and taking action is THE reason why all of the above risk analysis has been done.

Otherwise you’ve got a beautiful Risk Register gathering dust that is out of date within a short time period. To make matters worse, your stakeholders, having seen the first (and only) version of the Risk Register, think you’re on top of your risks and expect everything to go swimmingly.

Well, if you’re into gambling it could go swimmingly. Then again, you could end up swimming with the sharks. A smart PM reviews and acts on risk updates. A smart mystic or magician uses their bag of tricks to get extra help reducing negative risks and highlighting positive risks (aka opportunities), whether by using sigils, spells, prayer, amulets or other means.

In Closing:
Now that you’ve read all the way to the bottom you’re a risk management expert. Well, at least in the theory part - all that remains for you to do now is to put it into practice.

Finally, this post has grown a bit longer than I’d intended. So I’ll add an up-to-date Risk Register for Golem Building in a future post. My closing thought for you is: “Now face the fear and do it anyway!”