Sample Paper on Risk Management

Risk Management

  1. Introduction

Risk is ever present and spreads across nearly all aspects of life. For businesses, unexpected situations create significant loss exposures. Furthermore, for businesses that lack a strong capital background, a business risk can easily interrupt their operational activities, cause financial losses, and even lead to bankruptcy. As a result, management of risk to limit loss exposure is important for every business. This paper seeks to examine risk management in business and software development. In particular, the paper focuses on what risk management is from a business and software development perspective, types of risk, and goals of risk management. Similarly, the paper examines the importance of risk management in business success, the process for identifying and managing risk, and the strategies for managing risk.

  2. Risk Management

In general terms, risk is the probability of danger, an unforeseen situation that threatens instability and negative effects. In the majority of economic publications, risk is defined as a negative deviation from the plan (Maylor 45). Therefore, business risk can be defined as the probability that an event, either foreseen or unforeseen, may result in an unfavorable effect on the organization. In software development, risk can be defined as the possibility of potential problems occurring.


2.1 Software Development Risk Management

As already noted, there are numerous risks involved in developing high quality software within the budget and on time. However, it can only be worthwhile to undertake these risks if the risks are compensated for. A higher risk must give a greater reward for the risk to be undertaken. In software development, the probability of reward is quite high; however, the risk potential is equally high. This makes risk management necessary in software development. According to Gilb (23), if an organization fails to actively tackle the risks, then the risks will severely affect the organization. For a software development project to be managed successfully and the rewards achieved, an organization must understand the procedures for identifying, analyzing, and controlling these risks. This is the essence of software risk management.

2.1.1 Types of Software Development Risks

A software development project may face different types of risks. The first type is technical risk. These risks involve problems in project size, processes, methods, languages and standards. They arise from lack of experience, language problems, excessive constraints, project functionality problems, poorly defined parameters, and over-reliance on organizations that are beyond the direct control of the project team. The second type is management risk. These risks include lack of management training and experience, lack of planning, problems in communication, organizational problems, control issues, and lack of authority. The third type is financial risk, which includes cash flow problems, budgetary and capital problems, and constraints on return on investment. Another type is legal and contractual risk. These risks include changes in requirements, safety and health issues, changes in government regulations, and product warranty problems. Similarly, software projects also face personnel risks, which include training and experience problems, staffing gaps, moral and ethical problems, employee conflicts, and productivity problems. Other risks include late delivery or unavailability of supplies and equipment, insufficient tools, slow response times, and insufficient computer resources.

2.2 Business Risk Management

For businesses, risk management is important in securing the capital and other business property. However, risks also come with business growth opportunities. Consequently, risk management is not about avoiding risks completely, but about understanding the various risk levels and appropriately engaging risks for growth and development. In terms of business operations, risk management involves a set of continuous initiatives that include awareness, identifying, evaluating, developing risk management methods, making decisions on the appropriate methods, implementing them, and managing them post implementation. Although businesses are encouraged to take risks, if a business fails to identify a manageable level of risks, it can lead to unsuitable methods, leading to loss of operations. Therefore, the emphasis of risk management is on a business’ capabilities to anticipate changes and not on avoiding risk. Avoiding risk implies waiting for the event to occur and then reacting to it, instead of preparing for changes. In practice, many business organizations choose risk avoidance as their best risk management strategy. While this protects them from specific losses, the strategy also denies them profits and may create another risk (Biasi 12).

2.2.1 Types of Business Risks

Hazard risks – these are risks associated with the work environment and property. These risks can negatively affect the safety and health of employees (The University of Newcastle 1). It is the responsibility of the company (employer) to address such hazards. It is worth noting that exposure to workplace hazards does not always result in negative health effects or injuries. Nonetheless, stopping such hazards from happening ensures that employees are not worried about being harmed.

Financial risks – these are risks related to financing. They include, but are not limited to, liquidity problems, interest rate risks, funding problems, credit risks, and pricing risk. Uncertainties in financing can benefit one business but create losses for another. For instance, the recent drop in oil prices can improve the financial statement for a transport company, but this change in prices can result in significant losses for a company that supplies oil. The effects and degree of exposure a business may suffer from financial risks are determined by the scale of the business’ financial transactions (CPA Australia 6).

Operational risks – these risks are often in the form of human risks because of the fact that human error can result in operational failures. Operational risks also incorporate risks from an organization’s internal activities that involve people, operational systems, and products and services (Global Association of Risk Professionals 4).

Strategic risks – these risks imply the possibility of a loss occurring because of poor strategic planning, poor decision making, or inconsistent and inappropriate implementation of the strategic plan. Strategic risks threaten a business’ earnings, its viability, and capital availability. Given that a strategic plan indicates a business’ strategic direction, vision, and objectives, the fewer the strategic risks, the better for the organization. As a result, business managers should focus on identifying, assessing, and managing their risks (Iverson 23). Strategic risks are a significant component of business risk management.



3.0 Importance of Risk Management to Business Success

Effective risk management permits a business to identify the strengths, opportunities, weaknesses and threats associated with its projects. By formulating plans for unforeseen events, the business is able to respond effectively when they occur; as a result, its goals are not affected. The success of any business is determined by how well it achieves its strategic goals, and the achievement of these goals depends on how the business manages its risks.

Through risk management planning, a business is able to ensure the success of its projects by identifying its internal and external risks, including their likelihood of happening, potential effects and corrective actions. As a result, a business can effectively address high risk events that would otherwise increase its costs, disrupt its schedules or cause performance challenges.

Moreover, given that risk management involves preparation, a business is able to communicate its plans to project sponsors, team members and other stakeholders. This ensures that all business projects proceed smoothly in a systematic manner without interruptions. Through identification and formulation of mitigation strategies, a company ensures that its employees are able to effectively respond to emerging challenges that require their intervention. Similarly, risk management enhances prospects of success by highlighting and eradicating negative risks. This permits business projects to be completed on time. As a result, the business is able to meet its budget and fulfill its objectives. Through effective risk management, a business is able to maximize its profits while reducing costs on those processes or activities that do not generate return on investment.

For businesses engaged in software development, risk management is equally important. Software development is often recognized as a high risk undertaking that is susceptible to failure. Such projects face many risks, some of which can be easily identified and some that are very project-specific and therefore hard to identify and manage. As a result, risk management in software development ensures an organization succeeds by preventing disasters, avoiding the need for rework and ensuring a win-win situation. Even though not all risks originate from software development practices, all risks can have adverse impacts on the software development process. In addition, some software projects can be tools for achieving information technology driven organizational change. As a result, the achievement of business objectives may be heavily dependent on the success of these software projects.

3.0 Goals of Risk Management

There are many risk management goals. However, the common ones include:

  • Integrating risk management into the organization’s culture and the organization’s decision making processes
  • Balancing the costs of risk management with the expected benefits
  • Managing risks in line with best practices and demonstrating due diligence in decision making
  • Using pilot projects to formulate organization-wide risk management implementation strategy
  • Other goals include reducing costly claims, freeing up resources for important activities and ensuring sufficient risk financing (Wisconsin 1).

4.0 Process for Identifying and Managing Risk

The processes for identifying and managing risks in business and in software development projects are similar. The process involves various stages, as discussed below.


4.1 Identification of Risk

Here, potential risks are identified using a checklist, followed by the evaluation of the likelihood of each of these events occurring. Some firms formulate their risk checklist based on their past projects’ experiences. Other than the checklist, previous experience of the project team, the company’s project experience and input from industry experts are useful resources in identifying potential risks. Similarly, sources of risks can be identified based on their specific categories, which include, but are not limited to, technical, personnel, financial and operational. For example, personnel risks include lacking the required personnel to perform the project or lack of key personnel on the project. According to Hillson (87), it is important to use a risk breakdown structure to organize the identified risks into specific categories using a table, with more detail given on the right side of the table. This helps in identifying the areas in which risks are more concentrated. However, it is worth noting that while Hillson’s method can be useful in identifying known risks, it can restrict the ability of the project team to identify unknown risks that cannot be easily seen within the risk breakdown structure.

4.2 Evaluation of Risks

After identifying all the potential risks, the project team begins evaluating each risk based on the likelihood that the risk event will happen and the likely loss linked to this event. Risks are not equal; some risks have a greater probability of happening than others, and the costs associated with each risk event can vary significantly. As a result, each risk must be evaluated to determine its likelihood of occurrence and the extent of loss it can cause to the project. Developing criteria for determining high impact risks can enable the project team to focus on a small number of critical risks that need mitigation. For instance, assume that high-impact risks are those risks that have the potential to increase the cost of the project by 4%. The project manager will then focus only on the events that satisfy this criterion when formulating the project’s risk mitigation. In summary, risk evaluation deals with understanding which risk events have a greater likelihood of happening and have the largest negative impact on the project. Figure 1 below shows how rating of risks can be done.

Source: (Cox 212)

After the evaluation of the risks, the risk events are ranked based on their impact and likelihood as low, medium or high. The mitigation plan is developed for those risk items that have high ranking both in terms of impact and likelihood (Cox 212).



4.3 Strategies for Managing Risk (Risk Mitigation)

Following the identification and evaluation of the risks, a risk mitigation plan (strategies) is developed. This is simply a plan for reducing the impact of the unforeseen event. There are various strategies used in managing risks as discussed below.

4.3.1 Avoidance

Under this strategy, the risk event is completely avoided, thereby eliminating any probability of loss. Whereas this strategy is highly effective, in most cases it is not practical because every aspect of a business or software development project has some degree of risk, and avoidance of all risks would imply that a business project or a software development project cannot be undertaken. Risk avoidance should only be used when: the event is inherently risky; the probable risks are beyond control; and the task is not necessary in fulfilling the project’s goals. If risks are properly evaluated and ranked, then the project manager can easily decide on whether to avoid the risk (OSBIE 1).

4.3.2 Risk Control

This is the actual management of risk by taking proactive measures to reduce the risks identified and putting in place sufficient procedures to reduce the possibility of loss or the extent of such a loss. For example, if there are doubts as to whether a subcontractor can deliver, the business undertakes risk control by performing due diligence. This is the most popular strategy, and when combined with other strategies it enables a business to address the various risk elements inherent in an activity (OSBIE 1).

4.3.3 Risk Transfer

Under this strategy, all unwanted risks are transferred from the business to other organizations or persons. There are various ways through which risks can be transferred. These include: by law (for example, joint and several liabilities); through a written contract or agreement between two parties (contractual transfer); or through insurance (OSBIE 1). For example, a software development company can transfer risks to a subcontractor by incorporating penalties into the contract for any software delivered that lacks the necessary reliability.

4.3.4 Loss Reduction

This is an after-loss strategy that is basically a response plan that stipulates what will be done in the event that a loss occurs. An effective strategy reduces the extent of loss (OSBIE 1). For example, when an outside contractor is assigned part of the software development project, the business should assign its own project engineer who will participate in all stages of the project.

4.3.5 Segregation of Exposures

This strategy is based on spreading of risks. A business can spread its risk exposure across various locations or by isolating particular risks, thereby reducing the likelihood of total loss (OSBIE 1). For example, a business can have a back-up medium of its data stored in different sites.

4.3.6 Self-Retention

This strategy is useful in managing those risks that either cannot be insured because of very high risk factors or because the losses are too small and infrequent so that management can take care of them internally (OSBIE 1).

4.4 Tracking

The impacts and results of the risk mitigation must be tracked. Under tracking, data is gathered and compiled into information. Thereafter, it is reported and analyzed. As part of tracking, known risks are measured and triggers monitored. In addition, the successes of risk reduction initiatives are measured. Tracking can produce different results, including newly identified risks that should be incorporated into the risk list and the removal of risks that no longer pose a serious threat to the project’s success.

4.5 Contingency Plan

A contingency plan is an alternative approach for achieving a project’s goal when a risky event has been identified that may jeopardize the accomplishment of that goal. For example, there is a risk that truck drivers can strike, which may affect the project implementation. This is mitigated using a contingency plan that uses rail transport to deliver the required equipment for the project. If important equipment is delayed, the effect on the schedule can be mitigated by changing the schedule to give room for late delivery of equipment. A business can equally have a contingency fund, which is money set aside to be used when unexpected events increase the project costs. As a result, a project with a high risk profile typically has a huge contingency budget (Parker and Alison 23).

In conclusion, the success of business and software development projects is largely determined by how well project risks are managed. Effective management of projects can only be achieved if risks are identified, evaluated, and registered. In addition, the severity of risks must be assessed followed by the development of mitigation strategies and contingency plans. Furthermore, the risks and the mitigation plans must be actively tracked. Risks should be identified early enough and this enhances the chances of delivering a successful business or software development project.



Works Cited

Biasi, Giani. ‘What Is Risk Mitigation’. Qualified Remodeler, Chicago 37.9 (2011): 12.

Cox, Dorcas M. T. Project Management Skills for Instructional Designers. Bloomington, Ind.: iUniverse Inc., 2009. Print.

CPA Australia. Business and Management Centre of Excellence: Risk Management Guide for Small and Medium sized Business. 2009. Web. 15 Feb. 2015.

Gilb, Tom. Principles of Software Engineering Management. Wokingham, England: Addison-Wesley, 1988.

Global Association of Risk Professionals. Operational Risk Management. 2011. Web. 15 Feb. 2015.

Hillson, David. ‘Using a Risk Breakdown Structure in Project Management.’ Journal of Facilities Management 2.1 (2003): 85–97.

Iverson, David. Strategic Risk Management. Singapore: Wiley, 2013. Print.

Maylor, Harvey. Project Management. Harlow, England: Financial Times Prentice Hall, 2010. Print.

OSBIE. ‘Ontario School Boards’ Insurance Exchange – Identify Risk Management Strategies’. N.p., 2015. Web. 15 Feb. 2015.

Parker, David, and Alison Mobey. ‘Action Research To Explore Perceptions Of Risk In Project Management’. Int J Productivity & Perf Mgmt 53.1 (2004): 18-32.

The University of Newcastle. Risk Analysis – Section 2: What Is A Hazard?. 2013. Web. 15 Feb. 2015.

Wisconsin. ‘Enterprise Risk Management Goals and Objectives’. N.p., 2014. Web. 15 Feb. 2015.