Risk Management - Types of Risks

Now that we've covered the key tasks of risk management we need to understand that there are different types of risks which have different impacts and therefore need to be treated differently. The following list covers pretty much every risk you can think of, fortunately they don't always apply. For example, if you have been working with the same team in the same office for many years – the team environment risks won't apply. But it's good to be aware of all of the types of risks as it helps to understand all the things that can go wrong. It might seem a bit overwhelming to consider things from such a negative point of view but that's what risk management is about, it's trying to work out what all the problems are so that you can avoid them or manage them effectively. A lack of risk management is what leads to the high failure rates of projects.

It's important to understand that risks aren't just defined to the project, they also apply to the business, the suppliers, the people working on the project as well as the system and people that have to support and use the project. There are a lot of angles to consider, some of which won't matter, some of which will be significant and need action. These can all be captured under the following five categories.

  • Project Risk

  • Business Risk

  • Production System Risk

  • Benefits Realisation Risk

  • Personal Risk

Project Risk

Put simply, project risks are factors that could cause the project to fail. They are the most significant of the risk types and has a number of sub types that need to be considered, these are

  • System or product complexity

  • Client or target environment

  • Team environment

  • Business project risk

System Complexity

This is about how big and complex the project is eg.

  • The number of features

  • The volume of content

  • The levels of workflow required

  • The levels of permissions required

  • The clarity of the requirements

  • The expected volume of traffic

  • The expected number of users

  • The expected response times

Each of these factors can impact on the project and what type of risks they are subject to. For example, a site with no workflow but a large volume of content and high traffic would need to consider performance as a major element wheras a smaller site that has an ecommerce component would have security as a high risk factor.

Target Environment

This is about where the end solution will be used and the nature of the users. Eg.

  • The level of internet access

  • The knowledge level of the users

  • Public or internal system

  • The level of interaction with the system required

  • The quality of the equipment being used, screen resolution/plugins required…etc

  • The degree of project sponsor buy-in and support;

  • The impact of the solution on the people using it

These days, internet applications are being used more and more both internally and externally therefore can have a significant impact on the business if they fail.

Team Environment

This would have to be one of the most important risk types. The team makes a huge difference to the success of a project. If you have a well functioning experienced team, it's a huge advantage. This risk type needs careful consideration. It can make or break a project. The main factors to consider are

  • Is the timeline fixed or flexible

  • Has the team worked together before?

  • Is the team experienced with ez publish?

  • Will the team stay consistent throughout the project?

  • Will outside contractors be required?

  • Is the team working together?

  • Is it a positive work environment

  • Does the team have the equipment they need?

A new team without experience is a recipe for disaster. Anyone new to a technology will have a learning curve that will increase the length of the project and impact on the quality of the outcome.

Business Project Risk

Along with the overall system complexity there's also the business project risk which is similar but not the same. It is about the business aspect of the project, not the end result. If the project is moving into a new area that hasn't been tried or tested, the risk is greater as there's no indication of how it's going to be accepted or if it will achieve the goals it's supposed to. There's a big difference in replacing a static website with one built with a CMS as apposed to a web application to be used to provide online quotes for insurance products. The factors to look for in business project risks are:

  • The intrinsic complexity of the business product;

  • The level of innovation;

  • The stability of requirements;

  • The required level of quality;

  • The level of compliance to processes or legislation

For a business, a complex project has a higher chance of failing as change within businesses can be difficult to introduce. If the level of innovation is high, there is also a risk as we are dealing with something new and unknown that might not work as expected. If we have to compile with certain legal criteria we expose the business to legal action if it’s not done properly.

Business risk

We've looked at the types of risks that can cause the project to fail but there's another level to consider, what happens to the business if the project fails? In some cases, eg. rebuilding an intranet, the impact won't be significant if the current intranet keeps working but if the project is the sole interface the business has to it's clients, the impact could cause the business to go under. What you want to look for in this type of risk is what exposure the business will face if the project fails.

From the financial perspective the business can loose money on the project if the benefits aren’t delivered. Strategically if the project fails it can mean the business misses an opportunity to be first to market with a new service offering. If the site fails to compile with legal requirements, the business could be exposed to legal action. If the site isn’t secure enough it can expose the business to financial loss. If the site fails to perform and keeps going offline, the image and reputation of the business can be affected.

Production System Risk

The business case for projects often fails to consider the ongoing cost of the solution.

A simple example is the need for server monitoring and security patches. A better example is the risk faced by not upgrading to the latest version of an application once the version you're using is no longer supported. But the best example is the training and support required for people using the system and any changes that might be needed. From the client's perspective, I've found that there's excitement and enthusiasm to get the solution up and running but when it comes to maintenance, it doesn't seem quite as important. Once it’s up and running, people move on to other projects and soon forget about solution they jus delivered. Just like a car, a web application needs regular servicing and tuning. Ignoring this can lead to performance issues if the site is not monitored and maintained. .

The things to look for are

  • The provision for support and maintenance

  • The experience of the production support team members;

  • The age of the production system and versions of software

  • The level of supporting documentation and training.

The higher the risk of the production system, the more likely the system will fail and take longer (or more effort hours) to fix. For some web applications, outages literally cost the business money so if attention isn't paid, the client will end up paying one way or another.

Benefits Realisation Risk

Although it's often forgotten once a project is underway or has been delivered, there is always a reason for the project in the first place. The reason a business undertakes a project is to realise benefits in one way or another, whether it be increase in sales or improving efficiency. It's all too easy to get caught up in the details of the project and forget the bigger picture, especially when you're struggling to get content and deliver the project on time.

What needs to be considered is how realistic it is that the business will get the benefits they hope to achieve – the factors to consider include:

  • The number of different stakeholders, clients and external partners involved

  • The need for culture changes / training / acceptance of the new solution

  • The degree of management buy-in

  • The time-frame for benefits realisation; and

  • The size of the benefits to be realized.

The more stakeholders there are, the more people that will have input and need to be consulted on decisions slowly the process down. If there is a need for changes to the way the business run, there’s a chance people will reject the new process in favour of the tried and trusted method. If there isn’t enough time to realize the benefits of the solution, it might be considered a failure. If the expectations are the solution will solve lots of problems there will be greater pressure to get things right.

Personal Risk

This is also often forgotten, especially by management (unless you are management!). What is it going to mean to you or your team if this project fails? No doubt this is something that is going to be in the back of your mind and it's important to bring this to the surface so that management or your client is aware of the situation. And this is a serious type of risk, people can get hurt, financially by loosing a job or their health can suffer due to stress not to mention potential legal exposure. The pressures of work can have an impact on physical and mental health not to mention professional and personal relationships. Some people under too much pressure will literally break down. Is any project worth that?

This risk is not just on the Project Manager although they are the most likely target for stress. It can affect everyone on the project. If the Project Manager is unable to negotiate with the client (be in an internal or external project) and the deadline can’t be moved, then the pressure moves to the development team who are asked to work longer and longer hours to get the project done. This can lead to burn out and people resigning which ofcourse impacts on the project and on both businesses involved (if an external project). There’s the factor of morale as well, when morale is down, people don’t perform as well and it can be harder to get things done.

Specifically, the factors for the Project Manager that need to be considered if the projects fails are:

  • The impact on your personal life

  • The impact on your professional life

  • How much your skills will be stretched

  • The physical and emotional impact

  • Potential exposure to legal action