Once you’ve arrived at the point where you are ready to implement risk management in your business, it’s worth taking a bit of time to identify what needs to happen next. One of the useful things to do at this time is to consider what might trip you up and undermine your efforts around launching an embedded risk culture.
Below we discuss 7 common pitfalls for businesses starting out with risk management – and these can affect your organization even if you’ve been working with risk management approaches for some time.
Let’s dive in.
1. Risk Champion is Too Junior
The first issue faced by many businesses is that, at the outset of implementing risk management methods, the person chosen to be the risk champion doesn’t have the credibility to make a substantial impact in the role.
If your risk champion doesn’t hold a credible senior role or is only available to work in the champion role tangentially to the rest of their responsibilities, you’ll find that risk management doesn’t get the attention you hoped.
You need to ensure that the person appointed has sufficient time to dedicate to the role and has significant influence within the business.
2. Too Many IT Systems
When risk management is fragmented, it becomes hard to manage across a portfolio of projects. Too many disparate IT systems can do that: project delivery teams in various areas of the business may have the latitude to choose their own risk management tools.
It might feel like the easier thing to do when you are first starting out, thinking that you can join the approaches together in due course when risk maturity levels are higher. However, merging different technical solutions is a large job. It’s easier to manage a coherent risk portfolio if you start with the end goal in mind.
3. Risk Data is Inconsistent
Data quality is important for strategic decision making. One of the pitfalls for risk management is having inconsistent data, as that undermines your ability to see the whole picture and manage risk effectively across projects, programs and the organization.
Information that is out of date or incomplete creates problems for teams and the Project Management Office.
This can be addressed by setting standards for the level of detail that should be reported. Use project management or risk management tools to keep information consistent.
4. Risks Not Linked to Strategic Objectives
When organizations first start risk management, it’s common to see that risks are reported from the bottom up. In other words, project delivery teams record risk as it relates to their individual project.
This is a good start, but it means risks are disassociated from strategic objectives, so at an organizational level it’s impossible to see what impact risks are going to have on the business’ goals.
Software tools (or even simple spreadsheets) can be adapted to include a field for strategic objective, so that risks reported at project level can be tagged with the objective they are related to. This is useful information for the Project Management Office and helps with identifying the wider impact of risk.
5. Risks are Not Aggregated Effectively
Simply totaling the risk exposure for all risks on a project gives you a very unlikely scenario: one in which every risk occurs. And yet, this is often how project teams calculate the aggregate exposure for risks.
As you can imagine, totaling all the risks this way for all the projects gives a very pessimistic view of what the organization’s exposure is likely to be.
It’s harder, but more effective, to build in a measure of likelihood. Take a pragmatic view and aim to calculate confidence in the risk exposure to give you a more realistic idea of exposure across the portfolio.
6. Risks are Only Captured Bottom-Up
As we saw above, risks are often captured from the bottom up. This makes sense as it’s the way project managers work and it’s an effective way of managing risk at the project level.
However, when risks are only captured bottom-up, you don’t get the full picture. Ideally, risks should be identified by senior levels of management too, and fed into the same risk management tools that project teams use. This provides a view of the risks that the company is exposed to across departments.
This helps build out a risk hierarchy. Some project-level risks may feed into departmental or organization-wide risks. Capturing risk at all levels helps improve transparency and consequently shape the management actions that can be taken.
7. Only Capturing Financial Risks
It’s easy to get stuck with project teams and executives only identifying financial risks. Financial risks are easy to identify. They often feel the most important and the most in need of mitigating action. They are easy to quantify and report. But they aren’t the only type of risk that your risk registers should be focused on.
Reputational risk, the impact on customer service, the shifting marketplace and other factors should be reflected in the way risks are reported and captured. It’s not adequate to assume that everyone knows about these and is already working to address them. They can be as damaging to your organization as a financial risk if they are not adequately managed, so having transparency around these risks and their impacts is essential.
Which of these do you think will be a problem in your business? And can you now see a way to address the issue before it becomes a hindrance?