A simplified risk management methodology – and especially the risk matrix of impact against likelihood – can be extremely useful in HR and other projects, even when your company does not officially require you to use them.

Having had business, leadership and project management roles in my career – in addition to the global HR jobs – I’ve done a lot of risk management.

Both in the informal sense – because running any business or project is risk management – but also in the formal sense. Many of the large companies for which I have worked have well-defined risk management procedures. Often run by the Finance departments or indeed also from a health & safety perspective.

There is nothing wrong with these formal procedures. Although, like auditing, there can be a tendency by some of the ‘risk guardians’ to make the experience less than motivating. But they can be invaluable and energizing exercises as well. One of my positive examples was when I worked for the huge New Zealand company as part of the totally new European management team, embarking on a new strategic direction whilst keeping the existing business going (and moving countries and replacing 90% of the people).

However I have also learned how useful a simplified risk management methodology, and especially the risk matrix of impact against likelihood, can be in different smaller projects, and particularly HR projects, even when you are not required to use them. And even more valuable in organizational or national cultures where project management skills might not be well developed or embedded in the DNA.

Two recent examples have been launching a distance (E-) learning system in Kazakhstan and setting up a world-class technical training centre in Siberia.

The classic six steps for risk management are as follows:

  1. Understand the business – What is the business and the environment in which it operates?
  2. Clarify objectives – What does the business want to achieve?
  3. Identify risks – What are the uncertainties associated with achieving the objectives?
  4. Assess risks – What risks are the most significant?
  5. Respond to risks – What do you choose to do about the risks?
  6. Review risks and your actions regularly – What might be changing which could affect the nature or impact of the risk?

For HR Projects these first two steps will probably be combined in a single question – Which is the project that needs to be achieved?

Risks themselves can be many and varied and their identification is often the result of a brainstorming session. What can go wrong? What is the worst that can happen? The list is not totally comprehensive but various areas where risks can arise could be: financial; tax; regulatory; people; systems; technology; reputation; shareholders; competition; authorities; legal; legislation; HSE; IT; security; markets; operations; supply chain; asset integrity; strategy; decision making; change management ability; knowledge; senior management support; systems; natural disasters.

When assessing risks, as I mentioned above, the two criteria are usually impact and likelihood. Now I have worked for companies with many defined levels of impact in monetary terms and different levels of likelihood, but the easiest method is to use a 3×3 matrix, with low, medium and high impact and likelihood. You then concentrate on the top right corner: the high impact/high likelihood, the high impact/medium likelihood and the medium impact/high likelihood boxes.

Now some of your colleagues will feel the need to define in detail what high, medium and low really is. But the important thing to remember is that the discussion is usually more important than the final position. Understanding what your colleagues think and judge the assessment of risks to be, sharing information, exploring different viewpoints, to come to a common understanding.

I have also seen that the step of choosing what to do about the risks can also be misunderstood. In many of the groups with which I’ve worked, especially for HR projects, people think you need to mitigate or treat all of the (important) risks. This may indeed be the case, but there is actually a choice of four different ‘treatments’ (and a range of different words used by different companies to label them).

  • Take/Accept/Assume the risk: acknowledge the existence of a particular risk and make a conscious decision to accept it without engaging in special efforts to treat it; often the case for low likelihood/impact risks although not exclusively
  • Transfer/Move the risk: maybe you don’t need to accept the risk as yours; maybe you can transfer the risk to someone else or another part of the organization or stakeholder, who will accept the accountability, responsibility and authority for that risk
  • Terminate/Stop/Avoid the risk: the risk could be too great (too ‘risky’) and the action or project is stopped; or to a lesser extent the programme requirements or constraints might be adjusted (for example financial, or timing or technical requirements) to eliminate or reduce the risk.
  • Treat/Mitigate/Control the risk: the most common approach; implement actions to minimize the impact or likelihood of the risk

And another misunderstanding I often see is that once a risk is identified, people may want to spend the same amount of time and effort mitigating it, even if it is low likelihood and low impact. Concentrate your time and effort on the most important risks.

Finally review the risks and actions regularly to see if anything is changing and if your mitigations remain effective. For some of the HR projects where I have used this approach, we reviewed once a week. Although many of the corporate risk management systems expect a formal review session every six months.

I mentioned using this approach with my young and fairly inexperienced team in Kazakhstan launching a distance (E-) learning system. I was keen to have as one of the major risks ‘personnel’, because we had a project manager working more-or-less full-time and learning as he was going, but almost everyone else had other jobs, knew even less about the topic and couldn’t have taken his lead role. Even though he himself dismissed the likelihood (although agreed about the impact) we spent time as a group talking about how we could mitigate this risk (including the carrot of setting up a separate E-learning group upon launch, with him as the manager).

And then it happened. Halfway through the project he was offered a job with another company for much more money that was impossible to turn down, and he left with about a week’s notice. So we moved into the rest of our planned mitigation. We had a few hiccups, but which project doesn’t, and we launched on time, within budget, as planned.


Submit a Comment

Your email address will not be published. Required fields are marked *