I am attending Product Camp in NYC and have proposed a mini-workshop about applying risk management to your product. Attendees at Product Camp vote at the beginning of the event to select which proposed sessions will be presented. In the interest of providing a little more detail about risk management and some of what I’ll cover in my workshop, I am sharing with you the article-in-progress below.
Applying Risk Management to Your Product
Lucky you! You could be reading an article about any number of fascinating topics – like Going Social With Tweeting Product Personas, or How Facebook Will Make Your Life Fun, Easy and Rich – but instead you're reading about risk management. Lucky, lucky you! Risk management is a topic that somehow manages to strike people as both scary and boring at the same time – no easy feat. Go to a party and strike up a conversation with someone who tells you they do risk management. Feel your face fall. You're sure you're in for a dull conversation, something about bean counting and actuarial tables, maybe even life insurance? Will the conversation include the words "Have you thought about what would happen if you were to die tomorrow?" "Time for me to go refresh my drink," you say.
But managing risk gets right to the heart of managing a product and the company which makes that product. It is the language of investors (shareholders, angel investors, and venture capitalists). It is also the language of executives and corporate governance, and because of this, it's in your best interest to learn how to speak the language of risk management in order to be heard, understood, and effective at that level.
Scary and boring, you say? Well, I aim to change your mind. Risk management is too important for you to simply avoid for the rest of your working life. The good news is that it can be fruitfully applied to projects and products of all kinds. Once you go through an exercise in risk management, you go from scared and bored about risk – a heart beating too fast and a mind that is sluggish – to calm and engaged. And you're ready for the curveballs that might come your way.
Read on for 10 Steps to a Risk Assessment.
10 Steps to a Risk Assessment
Managing risk is a big topic, and I thought I'd provide a quick outline to walk you through the process of constructing a risk assessment.
- Why Do You Need This? Right from the very start, define why you are embarking on this risk assessment. It will provide a yardstick you can use to measure the priority of individual risks and justify (or not) any efforts to mitigate them. For example, the guideline to "Ensure that Version 2.5 launches by October 1 with full Forecasting capabilities" will help you quickly decide the impact posed by new risks as they are identified and devote the appropriate amount of effort to mitigating them.
- Devise Your Risk Categories. Create a set of categories that reflect your company's strategy for itself and the product. For example, if work with a specific alliance partner is critical to the product strategy — perhaps your company hopes to ultimately be acquired by this partner — you want to create a Partner category for risks that primarily impact the partner relationship or the ability of the partner to acquire your company in the future.
- Define the Risks. Identify each risk and assign an appropriate category to it. For example, you might be worried that "Delays agreeing upon the design of the Reconciliation capability hold up completion of the new Electronic Payments module." This might be categorized as Project Risk, having mainly to do with a dependency within the project plan.
- Estimate the Impact. The impact is how much harm would result if the risk should occur. You measure this without considering the likelihood of it occurring. Go through each risk you have identified and determine whether the impact is High, Medium, or Low. If you're hesitating between two levels, err on the side of caution and select the higher impact.
- Estimate the Likelihood. Estimate how likely it is that the risk will occur, as High, Medium, or Low. Don't underestimate. If a similar event has occurred in similar past projects, such as a product launch or development release, and it has occurred more than rarely, set this to High. If it has occurred rarely, the likelihood is Medium. If it has occurred very rarely, set it to Low.
- Prioritize. Set the following combinations to High priority: High Impact and High or Medium Likelihood; Medium Impact and High Likelihood. Combinations of Medium and Medium or Medium and Low are Medium priority. The rest are Low priority.
- Define the Mitigated Likelihood. At the beginning, the Mitigated Likelihood is always the same as the Likelihood, since nothing has been done to reduce the likelihood of the risk occurring. As you take action to reduce the likelihood, you lower the Mitigated Likelihood to reflect this.
- Define the Mitigation Effort. Describe what you will do to reduce the likelihood of a risk occurring. For example, "Reconciliation fails to zero out the balance owed." might be mitigated by "Create a Reconciliation Analysis process that automatically alerts the payment processor and temporarily zeroes out the balance."
- Mitigate Your Risk. Beginning with the High priority risks, implement your plans for mitigation. If time and resources are limited, you can decide to only mitigate High priorities. As mitigation progresses, you reduce the Mitigated Likelihood.
- Report and Escalate. At regular intervals, report on the list of those risks you have chosen to mitigate. You can color code them as red for unmitigated, yellow for partially mitigated, and green for mitigated. At important intervals, highlight any continued risks and explain their impact. If your company chooses not to mitigate certain high priority risks, that may be a risk that the team is willing to take. But it should be taken knowingly and approved by the management team.
With these ten steps you can be confident that you have measured risk and are managing it to the extent desired by the management team.
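The Prioritize, Mitigated Likelihood, and Report steps above can be carried through as a small risk register; this is an added example, not code from the article. It assumes that "Medium and Low" in the Prioritize step applies in either order, and the red/yellow/green rule (unchanged, lowered, lowered to Low) and all sample ratings are this example's own.

```python
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def priority(impact, likelihood):
    """Prioritize step: the article's matrix, read literally."""
    pair = (impact, likelihood)
    if pair in {("High", "High"), ("High", "Medium"), ("Medium", "High")}:
        return "High"
    # Assumption: "Medium and Low" is unordered, so either field may be the Low one.
    if sorted(pair) in (["Medium", "Medium"], ["Low", "Medium"]):
        return "Medium"
    return "Low"  # "the rest", including High impact with Low likelihood

@dataclass
class Risk:
    description: str
    category: str
    impact: str
    likelihood: str
    mitigation: str = ""
    mitigated_likelihood: str = ""

    def __post_init__(self):
        # Mitigated Likelihood starts out equal to Likelihood.
        self.mitigated_likelihood = self.mitigated_likelihood or self.likelihood
        for level in (self.impact, self.likelihood, self.mitigated_likelihood):
            if level not in LEVELS:
                raise ValueError(f"unknown level: {level!r}")
        if LEVELS[self.mitigated_likelihood] > LEVELS[self.likelihood]:
            raise ValueError("mitigation cannot raise the likelihood")

    def status(self):
        # Assumption: this colour rule is the example's, not the article's.
        if self.mitigated_likelihood == self.likelihood:
            return "red"  # unmitigated
        return "green" if self.mitigated_likelihood == "Low" else "yellow"

def report(risks, high_only=False):
    """Report step: highest priority first; optionally High priority only."""
    rows = [(priority(r.impact, r.likelihood), r.status(), r.description) for r in risks]
    rows.sort(key=lambda row: -LEVELS[row[0]])
    return [row for row in rows if row[0] == "High" or not high_only]

# Constructed sample register: two descriptions are borrowed from the article,
# everything else (categories, ratings, mitigation, third entry) is made up.
REGISTER = [
    Risk("Reconciliation fails to zero out the balance owed", "Product", "High", "Low"),
    Risk("Delays agreeing upon the design of the Reconciliation capability",
         "Project", "Medium", "High", "Weekly design review", "Medium"),
    Risk("Partner roadmap changes", "Partner", "Medium", "Medium"),
]
```

Read literally, the matrix ranks a High impact, Low likelihood risk as Low priority, which is worth a deliberate decision before the register is used for escalation.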
Article-in-Progress? What Exactly Does That Mean?
There’s a whole lot to be written about risk management. As I work on covering all the necessary aspects — concepts, how-to’s, process, choices — I put up those portions which are ready. As you read this article-in-progress, be sure to let me know what questions you’d like to see answered by sending me an email at Jacques.Murphy at ProductManagementChallenges.com. Who knows, your question might even appear in the Dear Product Manager column.
— end (so far!) —