Risk management for software implementation

Introduction to risk theory

PRINCE2 defines risk based on its sister methodology MoR (Management of Risk) as: “a set of events that, should they occur, will have an effect on achieving the project objectives”.

We often hear that risk management is important, but why should you spend excessive time planning for potential events that might occur when you already have your hands full with project planning?

If delivering your project on time and on budget interests you, risk needs to be a key part of your planning process and monitored throughout the life of your project. Having a strategy for risk management ensures that when faced with a challenge, you can still move your project forward to meet deadlines without wasting billable time and resources.

If nothing else, having a risk plan will help your team have confidence in you as a leader, knowing you have a thought-out plan to deliver the project despite potential setbacks.

So, let’s first discuss risk management's place in project management.

This article is one part of a series of articles discussing the PRINCE2 methodology for project management. Read more here: 7 Things Successful Project Manager Must Address in Their Project Brief.

Risks & Project Management

Risk management appeared in management literature as early as the 1920s. However, it was only in the 1990s that the concept received more mainstream recognition in the project world. This is partially attributed to the 1996 release of PRINCE2. The PRINCE2 methodology is essential knowledge for both the aspiring and experienced project manager, as it is the most used method worldwide for managing risk.

A risk management plan is typically developed in the initiation stage of a project. However, that does not mean that it isn’t relevant throughout the lifecycle of a project. One common mistake inexperienced project managers make is forgetting to use the risk management plan as a living, breathing document. As your project evolves, so will the arising risks.

Although unmanaged risk will open your projects up to experiencing delays and running over budget, there is the lesser talked about side of risk management. Risk management isn’t only about identifying the weaknesses and challenges of your project. Instead, a comprehensive approach to risk management will allow managers to identify strengths and opportunities they can use to the project’s advantage.

A common acronym for managing risk is SWOT, which stands for strength, weakness, opportunity and threat. To learn more about completing a SWOT analysis, continue reading as we explore the risk management process.

Note: Risk is an umbrella term for threats, opportunities, strengths and weaknesses.

Software as a Project Management Tool

An ever-increasing number of firms rely on powerful project risk management tools to help manage their projects. Professional services automation software today is a project management powerhouse – providing everything from invoices based on staff timesheets to comprehensive reports you can trust to help inform future business practices.

Much like hiring a skilled employee, good software has the ability to make your firm more profitable and allows project teams to get back to the things they do best. Rather than waste time completing monotonous tasks.

Now that professional services firms have access to programs designed especially for project work, they can plan their projects on software in accordance with their risk management approach, monitoring risk in real-time and making actionable changes with a click of a button to get their projects back on track.

To help you identify how your risk management software can help you identify, monitor and act on risk, we will cover the five steps of the risk management procedure from PRINCE2. Using this guide, we will pinpoint how you can upgrade your risk management processes with software.

5 steps of the risk management procedure

The risk management process consists of five steps: risk identification, assessment, mitigation, monitoring, and reporting. These are the basic things you need to consider when planning for risk in your project.

Identifying potential incidents that have potential risks, both negative (threat) and positive (opportunity), that will impact the project’s goals is the first stage in the risk management process. Common project goals are often - meeting project checkpoints and bringing in revenue.

As you begin to identify risks for your project, it might be useful to return to the SWOT (strength, weakness, opportunity and threat) analysis. To help get you started thinking about your project, here are a few things you can put under each category. Inviting specialists to brainstorm with you is beneficial as they can identify more risks than you, as a project manager, can anticipate.

Strengths (internal – things we can control)

• Team members with advanced skills and knowledge.

• Low overhead costs.

• Experience from a similar project.

• Sufficient financial resources.

• Strong workforce management.

Weaknesses (internal)

• The project is particularly complex.

• Strained resources due to other projects.

• Poor communication between specialisations.

• Resistance to new methods of working.

• New contractors unfamiliar with our processes.

Opportunities (external – things we can’t control)

• The possibility of working on future projects with this client.

• A favourable financing method, i.e., advanced payments.

• Increased reputation in a new market.

• More capital for future ventures.

Threats (external)

• Legislative changes.

• New competitors in your market.

• Increased supplier cost.

• A natural disaster.

• Loss of key employees.

• Client dissatisfaction.

• Customer inability to pay

When completing your SWOT analysis, try to be as accurate as possible and keep the titles brief and self-explanatory. Clearly identified threats and opportunities allow you to be detailed when it comes to the assessment and planning stages.

When identifying risks, analysing your past project performance can help you recognise things in your planning that will impact the delivery of your upcoming project – negative and positive. However, to do this properly, you need robust, accurate data.

Reviewing lessons learned is a critical part of identifying risks. Software designed for project work can provide you with the past data you need to ensure you don’t repeat mistakes.

For example, when you look over past budget burn reports, ask yourself, did the team burn through the budget as expected, or did they run into hurdles causing unexpected costs to arise? Consider what caused this.

From this analysis, you may notice that the team ran over time and, therefore, over budget to pay for additional hours from your resources. However, digging deeper, you may discover that you didn’t have enough skilled contractors available for the project to be delivered on time. That, indeed, could become a risk in your next project.

Put simply, go over your past projects, look at what went wrong or right, and find out why. Then, whatever it was, write that down in your SWOT analysis so you can assess and formulate a plan for it.

In stage two, we take the things we identified in our SWOT analysis and assess them further. For this, we need to consider two actions, estimating and evaluating.

Let’s start with estimating.

There are many calculations you can use to assess risk. However, the most common is the “Expected Value” (EV) technique, which may be familiar to you as a financial concept used by investors to calculate the future anticipated value of a potential investment. Instead of using this calculation to estimate the future price of stocks, you can use it to evaluate the risk of your firm investing in this project.

The simplest Expected Value formula for a project is:

EV = ∑ P(Xi) × Xi

• ​EV – the expected value

• P(Xi) – the probability of the event

• Xi – the event

​In basic terms, your expected value will be the probability of the event occurring times ( x ) the impact of the event. You can then create a tangible cost for each risk.

For example, if the risk you are assessing is your old software crashing and losing your project data. This may result in you needing 4 extra weeks of work to get back on track. Risk management software can help you identify the accurate spend for this project over 4 weeks.

Project managers can shadow resource their entire project and forecast the speed at which they will burn through their budget. From this, they may discover that the cost of the project being delayed for 4 weeks is $200,000.

So, if you were to run an EV with an impact cost of $200,000, and a probability as high as 65%, your expected value of this risk is $130,000. For some large firms, this may be a risk they are willing to take, but for most firms, this will be a significant risk that needs to be mitigated. See our article on Change Management and Software Implementation to learn more.

Seeing risks monetarily helps make threats a real tangible issue that needs to be addressed and allows you to compare risks easily. It can also justify spending now to upgrade your software for a far lower cost than potentially being faced with a higher cost of a system that breaks down mid-project.

The evaluation stage is a simple extension of the estimations you have already made. Take the EV you calculated of $130,000, plus all the other EVs for each potential threat and add them together.

Once you have this number, start taking off the cost of opportunities. For example, if your total threat cost is $780,000, but your total opportunity cost is $620,000, your formula will look like this.

$780,000 – $620,000 = $160,000.

Try using this calculation on your own projects and see whether there are any that need to be addressed immediately. You can now use this number to compare projects and make strategic decisions regarding which projects to take on and which are too risky. Of course, this will be entirely up to your firm’s risk appetite, which you can define by a specific risk value after running these calculations across a few projects.

Step 3 is all about planning your resources. Failing to plan is planning to fail.

To properly plan for risks, you need to have your resources ready to respond. The objective of planning your responses is to reduce the threats and maximise the opportunities.

PRINCE2 offers 6 responses to threats and four responses to opportunities.

The 6 responses to threat are avoid, reduce, fallback, transfer, share and accept, while the 4 responses to opportunity are exploit, enhance, share and reject. Each approach is outlined below.

Threat responses

Avoid

Avoiding the threat involves removing its probability entirely.

Project risk example: If a risk is presented by an inexperienced engineer working without the oversight of a senior, include a senior in the resource pairing to ensure that you have mitigated any risk from inexperience.

Software tip: Use skills mapping to identify who has the ability to operate the machinery and resource them in place of the inexperienced engineer.

Reduce

Taking action to reduce the probability of the event occurring.

Project risk example: A risk is presented to an architecture firm through a flawed process to store documentation. The firm can implement a better document management process to reduce the probability of losing essential plans.

Fallback

Also known as a contingency plan, the fallback plan is a pre-prepared plan to reduce harm if the threat does occur.

Project risk example: A threat to a software development consultancy is their head developer taking leave at a crucial part of the project. The firm can fall back on its contingency plan and commission a contractor for a week’s worth of work so that they don’t fall behind schedule. Reducing the overall impact of the threat.

Software tip: Use Projectworks to know in advance when staff are taking leave through an integrated system that allows annual leave to be viewed on the resources calendar. 

Transfer

Moving the risk onto another party.

Project risk example: Your consultancy firm’s office has been rocked by an earthquake, making the building no longer safe to work in, and a large amount of the project has been lost due to damaged hard drives. A rare threat – but still a threat. This is when insurance comes in handy. Now you can shift the threat cost to your insurance company.

Software tip: Use software that stores your information on the cloud so that if a natural disaster does afflict your office, you don’t lose your data.

Accept

Not the most popular response to risk, but some threats you may need to accept.

Project risk example: If you are working in the engineering consultancy space and there is a potential that the materials you need for the project become more expensive due to demand. You may accept this risk, as the opportunity presented if you can complete the project is much higher than the threat of a cost increase.

Software tip: Use the project burn report to forecast how a change in material cost will affect your project.

Share

Share is a response you can use for both opportunities and threats. Share is common for projects undertaken by professional service firms where both parties share the loss if the costs are exceeded.

Project risk example: A new legislation comes into effect that means that the project needs to backtrack and re-do part of the product which is no longer relevant. You may decide to split this cost with your client.

Software tip: Use shadow resources to plan out how your project might look if it needs additional work due to specification changes mid-project.

Opportunity responses

Share

As stated above, for this response, you may opt to share the unexpected additional profits or expenditures with your client.

Exploit

Exploit is simply expressing that you want to seize the opportunity when it comes your way.

Example: If you plan extra resources in case your employees are sick, and no one is sick, you can use the extra resource to get ahead of schedule and deliver a stage early.

Enhance

Enhance is slightly different from exploit as it takes it one step further.

Example: If you have extra resources planned that you would like to use to get ahead, you might add two additional resources to your project, so the likelihood of working faster than planned is enhanced.

Reject

See the opportunity and decide to reject it. Why would a firm choose to do this? It could cause you to lose focus on your main objective, or the return on investment could be too low for you to consider it an opportunity you want to exploit.

Example: The project team is developing a new internal financial management app for a client, and they have the opportunity to make the app play music when it opens. Just because the opportunity exists, doesn’t mean it’s worth pursuing.

Step 4 is all about who will monitor the risk.

You will need to assign each risk both a risk owner and a risk actioner.

The risk owner is responsible for managing and monitoring risk.

The risk actioner isn’t responsible for monitoring risks but instead carries out the response once the risk occurs.

If you are a smaller firm, this may be the same person.

Risk management software that allows the risk owner to see the project’s progress at a glance and produce powerful real-time reports will increase their ability to identify threats on the horizon. In addition, fast identification from the risk owner allows them to alert the risk actioner quickly, giving them more time to act.

Once informed of the risk, the actioner also needs to act quickly, which can be achieved simply with workforce management software. As timelines move, they need to be able to move resources and re-forecast their revenue to ensure the project remains profitable.

For example, in the worst of circumstances, if the whole project team becomes sick, the risk actioner could shuffle their hours between projects to ensure they prioritise the project due earlier and push back a less urgent project. This ability to move resources around on multiple projects allows the risk actioner to be agile and creative with their response.

Unlike the other risk management steps, communication can be infused throughout the risk management process. Communication is the best way to reduce risks, as you can’t begin to manage risks if you aren’t even aware of their existence.

It is also best practice to communicate all your identified risks and responses to your clients. They will expect you to have a plan for all possible risks, and having one will give them further faith in your successful project delivery. Addressing potential threats, even if they aren’t favourable for your firm, will put you in the best place to manage them. To build long-lasting relationships with your clients, honesty is the best policy.

Using software to export real-time reports to show to clients and the project team will keep everyone on the same page. Showing clear reports with real data will save you time trying articulate risk, and instead improve communication between firms and their clients.

Risk is never static

Project managers must continue to identify, assess, plan, implement and communicate changes to their clients throughout the project lifecycle.

Bookmark this page if you need to come back later in your project for a refresher. Thank you for reading our guide on risk management. We enjoy being able to create these articles for our professional service firms network, and hopefully, it has been helpful for you.

If you aren’t a Projectworks customer yet but would like to know more about how you can use software to support your risk management, you can request a free trial of Projectworks here.