Risk Management: Why Bother?

Risk management is now considered a staple process in many organizations and has become an increasingly important component of regulatory compliance (reference). Our experience suggests, however, that the concept is still not well understood. 

What is risk?

The word "risk" is used in a specialized sense when organizations are discussing risk management. In this context, a risk is an "uncertain event." All organizations, especially businesses, deal with uncertainty. Here are a few examples:

• You plan to release your product in a new region but find out that a competitor has beaten you to it.

• Your new software system promises to slash your operating costs, but the loss of key staff means it is delivered way behind schedule.

• Your new office fit-out will improve productivity, but a sudden bump in the supplier price means it runs over budget, erasing the savings you wanted to realize.

These sorts of scenarios will be familiar to anyone in the corporate world. In all instances, the original plan was upset by uncertainty. 

While uncertainty is ubiquitous, not all uncertainties matter. We are usually only concerned with uncertainties that may result in monetary loss, capability delays, overspend, injury, share price reduction, reputational damage, and so on. 

Given this caveat, a good definition of risk is "uncertainty that matters." (reference) This definition aligns well with the PMBOK (Project Management Book of Knowledge), which defines risk as "an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives." The ISO 31000 standard gives a broader, though still compatible, definition of risk: “the effect of uncertainty on objectives.”

It is worth noting that uncertain events can be negative (threats) or positive (opportunities). This particular article is more concerned with negative risks.

Can we ignore risk?

Given risk is ubiquitous, it might be tempting to ignore it, and many companies do just that. This approach could be dangerous as risks can present a severe threat to your projects and your business. For example, a large McKinsey study found that the average software project exceeded its budget by 66%, overran its schedule by 33%, and delivered a 17% shortfall in benefits. And the average nonsoftware project underdelivered benefits by an extraordinary 133% (reference).

Can these metrics be equated with poor risk management? The answer is "yes," almost by definition. Except in the case of sabotage, any unwelcome deviation from the plan (cost, schedule, benefits) is necessarily due to uncertainty. In other words, it is due to the realization of risks (whether identified ahead of time or not).  

It is easy to see how such massive variations to a project can ultimately impact profitability, reputation, share price, and so on. But the situation is even worse. The McKinsey study found that a staggering 17% of projects perform so poorly that they threaten the organization's very existence. 

And the above examples only deal with project risks. The umbrella term Enterprise Risk Management (ERM) captures broader organizational risks, with experts recognizing poor ERM as a common factor in many major corporate failures and scandals. (reference)

Risks can reduce profitability, damage your reputation, tank the share price, and even destroy your company. Few organizations can afford to ignore them. This is why ISO 31000 states that managing risk is “part of governance and leadership, and is fundamental to how the organization is managed at all levels.” It also states that risk management will "create and protect value in organizations."

Managing Risk and Jira

We've seen that risk is "uncertainty that matters," and that ignoring risk is not a viable strategy. We can now define risk management as:

...the systematic process of responding to risks in order to increase the likelihood of achieving our objectives. 

This definition tells us a few things:

1. Risk management is a systematic process rather than an ad-hoc approach.

2. Risk management involves responding to risks rather than ignoring them.

3. Risk management should increase the likelihood of achieving our project and organizational objectives.

If you are already using Jira to manage your projects, it makes excellent sense to manage your risks with it as well. Here's a quick summary of the benefits:

• Better data integrity through access control and data validation
• Superior flexibility through custom tooling and inbuilt workflow management
• Higher risk visibility through integration with the rest of the project documentation

Risk Register by ProjectBalm

When we realized the benefits of integrating risk management into Jira, we created Risk Register by ProjectBalm.

Our goal was to automate best practice risk management techniques, and do so via an elegant, usable interface that works with you, and not against you. Risk Register will help you to identify, analyse, treat and monitor risks more easily and effectively than ever before.

If you are experienced at risk management, you will find in Risk Register a tool that works the way you want it to work. If you are new to risk management, our documentation and videos will take you through the whole risk management process, giving lots of useful examples.

Risk Register is fully compatible with risk management standards such as ISO 31000, and can also be used for governance, risk, and compliance (GRC) programs such as Sarbanes-Oxley and PCI.

Over the last few years, we've grown to become the most popular risk management solution in the Jira marketplace and we are now an Atlassian Platinum Partner. Why not try out Risk Register by ProjectBalm for yourself?