Risk is definitely not a fad, and definitely not a topic that is going away. Just like other topics that have become more and more visible over the years, such as data analytics and business architecture, to name a few, you definitely cannot sleep on risk. If you really think about it, almost every process that is executed has some level of risk associated with it. The hope is that there are controls in place to mitigate the risk.
As members of project teams who work to develop solutions to business problems, many times we are so focused on finding the right solution that we may not think holistically about what risks a particular solution may pose to the organization. Furthermore, is that risk one the business is willing to accept, or would it prefer some other action or discussion to occur?
I remember when I first started working on projects as a project manager, developer, and/or business analyst, the main risk discussed was the “triple constraint”. The triple constraint is a focus on scope, time and budget with regard to the project as a whole. There is a focus on not allowing scope creep, missing deadlines, or going over budget. However, risk is more than that. There are many different types of risk to consider as solutions are considered, or chosen, to meet business needs: operational risk (risk associated with the company’s operations), reputational risk (a negative event that may threaten an organization’s reputation), credit risk (risk of default on a debt), financial risk (risk of losing money), and compliance/regulatory risk (risk of non-compliance with laws/policies that could result in fines or legal actions), to name a few. When building solutions, these items need to be considered.
For example, let’s say you build a mobile app solution which allows individuals to quickly access all of their different email accounts in one place. The mobile app provides a phenomenal customer experience, as customers rave about how it’s so much easier to log into one interface than into multiple. You have multiple customers downloading the application and loving the experience. Then, 30 days later, the customer is informed that in order to keep using all the functionality the application offers, they have to pay a monthly subscription. Now, when the customer originally downloaded the app, this particular information was not disclosed. Customers thought the app was free with no strings attached. Customers were not aware there was a 30-day trial period unlocking all the features, and that after 30 days some of the functionality would no longer work unless they paid for the subscription. Here is where the risk comes in. Due to this experience, you may have imposed reputational risk, financial risk, and potential compliance/regulatory risk, as examples, on the organization. Customers are now upset after the 30 days, the organization is receiving bad reviews, and you are losing potential revenue because you didn’t disclose upfront all of the terms of using the mobile app. The focus was getting a product out the door to beat the competitors to market, or to stand out. It stood out all right!!! Just not in a good way.
When thinking of creating solutions to meet business needs, risk has to be a part of the conversation. You do not want to build solutions that pose risk to the organization, even though you may have successfully installed the solution. Though the need may appear to be met, once risk enters into the equation, it may very well not be met at all.
There are many different ways to uncover risks, but here are a few ways to get you started as you continue to transform your organization:
Process Mapping – process mapping is a great way to uncover risks and determine if there are controls in place to mitigate them. As you review processes, you can analyze each step to determine what could go wrong during that step. After determining what could go wrong, you then determine what controls you have in place to (1) catch something going wrong before it does (preventative control), (2) advise someone that something has already gone wrong and needs to be fixed (detective control), and/or (3) put a control in place after analysis of the detective control, once the root cause has been determined (corrective control). Process mapping is one of the most powerful techniques, allows you to uncover a lot, and is normally a good first place to start.
Failure Modes & Effects Analysis (FMEA) – in addition, leveraging an FMEA to evaluate the process is a great way to have one centralized location to capture where failures may occur in the process, how severe those failures are, and how frequently those failures may occur.
Past Audits – if your organization has had audits conducted in the past, the audit materials are another great place to determine where risks have been found, and whether there were sufficient controls to mitigate them. These reports can provide a lot of insight into where in the organization problems have arisen in processes.
Observation – observing processes, and being a part of processes that are conducted in the organization, can give you hands-on experience to help you identify where risks may reside in the organization. Put yourself in the shoes of the customer and determine if the solution you are interacting with is the type of experience you as a consumer would desire.
As you continue to build world-class solutions, consider what risks they may pose to the organization, and what controls need to be put in place to mitigate those risks. Risks are not necessarily a bad thing if controlled correctly, depending on the type of risk being discussed. However, risks can become VERY bad when not identified and addressed appropriately.
The BA Martial Artist 🥋