While we self-quarantine, practice social distancing and adjust to the new world order wrought by the COVID-19 virus, we can take away multiple business lessons from this pandemic. Today, the topic is risk management.
The practice of risk management has been a cornerstone of project management for decades. It involves the identification, assessment, mitigation strategy and tracking of risks that can have an adverse impact on an organization.
It is important to note that “organization” in this context can refer to a project team, a company or even an entire country. For the purposes of this article, we’ll discuss the first two, as the COVID-19 pandemic has provided a fascinating (albeit grim) platform for illustrating the strengths—and limitations—of key risk-management strategies related to project teams and a company at large.
The answer is out there… in the matrix
The risks of any given event are commonly quantified by assessing two key characteristics:
- The likelihood of an event actually occurring
- The severity of the consequences of an event if it does occur
Looking at the risk-assessment matrix, we see that risks deemed both likely to occur and severe in their consequences would justifiably garner the most attention.
Before the current COVID-19 virus hit, many firms—and even industries—would have classified the risk of a pandemic as severe in consequences, but very unlikely. As we’re learning amid our economic shutdown, most enterprises put very few risk-management efforts in place to deal with such a pandemic.
Those that did have risk-management plans in place related to the broader consequences of a disaster like a pandemic were far better prepared to react to and survive our current reality than companies that had no disaster recovery plans in place at all.
Understanding how probability can lead to greater risk management
To illustrate how this subtle but important shift in risk definition can (and should!) influence how you develop your risk-mitigation plans, I’ll start with a quick review of the theory of probability.
Let’s say you are flipping two coins and recording the outcomes of each. (For the more persnickety reader, assume that the coins are evenly weighted, cannot land on their edge, etc.) You have four potential outcomes (A, B, C or D):
Now, to make it a little more interesting, let’s say that I offered to buy you dinner if Coin 1 AND Coin 2 come up heads, but you had to buy me dinner if they didn’t. That would be a bad bet for you to take, as the probability of both coins coming up heads is only 25%:
But what if I said, “OK, I’ll buy you dinner if Coin 1 OR Coin 2 comes up heads. Otherwise, you buy”? How would this influence your decision on taking that bet? Your chances of winning jump from 25% to 75%, just by changing that “AND” to an “OR.”
With this example in mind, let’s circle back to risk management and how probability theory could apply. Instead of coins, let’s look at three potential risks that could impact an office building:
While the probability of any one of these three risks actually occurring may be moderately low, the probability that the staff may need to work from home for one of these three reasons is significantly higher, because it is a consequence shared by all three risks, and any one of these risks eventuating would trigger this consequence.
Specifically, a pandemic OR a flood OR a fire would force the staff to work from home, making this particular consequence more likely to occur than any of the other consequences identified in the example. To that end, it would be reasonable for the risk-mitigation plan to identify and address any mitigating activities in the event that the staff would be required to work from home.
The lesson? By focusing on the likely consequences of high-level risks, project managers can identify common patterns in these consequences and develop mitigation plans to address them. These plans can then be repurposed when extremely unlikely, but extremely consequential risks to your project suddenly become your reality.
Adapting risk mitigation to disaster preparedness
While it’s a bit late to start planning for the COVID-19 pandemic, it’s always the right time to start identifying the likelihood of other severe risks and start strategizing how to mitigate their effect on your organization.
Starting with what you’ve learned from this current crisis, I suggest you create and maintain a risk log of those factors (should they occur) that could negatively impact your business, your customers and your employees. Then answer the following two questions for each risk identified:
- What is the probability of this happening?
- What is the impact it will have in the worst-case scenario?
Next, chart the consequences (as in the grid above or in a Venn diagram) to identify those consequences that overlap. The most severe overlapping consequences should be at the top of your risk mitigation planning list. Over time, you can work your way down to the less severe, but still mission-critical consequences so that you are well prepared for a host of calamitous events that may occur.
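The consequence-first ranking described above, and the OR arithmetic from the coin example, worked through as an added example (not the author's spreadsheet). The probabilities, severity scores and every consequence other than working from home are constructed; the risks are assumed independent, and ranking by probability times severity is one possible ordering, not a rule from the article.

```python
from collections import defaultdict
from math import prod

# Constructed risk log: the probabilities, the severity scores and every
# consequence other than "staff work from home" are illustrative values.
RISK_LOG = [
    {"risk": "pandemic", "p": 0.02,
     "consequences": ["staff work from home", "supply chain disruption"]},
    {"risk": "flood", "p": 0.05,
     "consequences": ["staff work from home", "equipment damage"]},
    {"risk": "fire", "p": 0.03,
     "consequences": ["staff work from home", "records lost"]},
]
SEVERITY = {  # worst-case impact, 1 (minor) to 5 (severe); constructed
    "staff work from home": 3,
    "supply chain disruption": 4,
    "equipment damage": 4,
    "records lost": 5,
}


def consequence_probability(probs):
    """P(A or B or ...) = 1 - product of (1 - p), assuming independent risks."""
    probs = list(probs)
    if any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError("probabilities must lie in [0, 1]")
    return 1 - prod(1 - p for p in probs)


def rank_consequences(risk_log, severity):
    """Group risks by shared consequence, then rank by probability x severity."""
    triggers = defaultdict(list)
    for entry in risk_log:
        for consequence in entry["consequences"]:
            triggers[consequence].append(entry)
    rows = []
    for consequence, entries in triggers.items():
        p = consequence_probability(e["p"] for e in entries)
        rows.append({"consequence": consequence,
                     "triggers": [e["risk"] for e in entries],
                     "probability": p,
                     "score": p * severity[consequence]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in rank_consequences(RISK_LOG, SEVERITY):
        print(f'{row["score"]:.3f}  p={row["probability"]:.4f}  '
              f'{row["consequence"]}  <- {", ".join(row["triggers"])}')
```

With these constructed inputs the shared consequence is roughly twice as likely as the most probable single risk, which is why it tops the list despite having the lowest severity score.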
In my next article, I will show you how to develop a simple spreadsheet that takes consequences into account. As this pandemic has made abundantly clear, risk mitigation is not optional. You can’t stop the next catastrophe, but if you have a comprehensive mitigation plan in place, you can most assuredly blunt its impacts. Stay well, everybody!