How To Choose A Risk Management Tool
What Is (Enterprise) Risk Management?
Enterprise risk management is a multifaceted process aimed at maximizing value by minimizing the impact of risks to a company’s capital and earnings, reputation and equity, and operational infrastructure and processes. Therefore, enterprise risk management is a company-wide initiative bringing alignment to strategic, operational, compliance, and reporting needs. There could be several different types of risks for an organization that may include but are not limited to:
- Strategic risks
- Regulatory risks
- Safety risks
- Operational risks
- Insurance risks
- Auditing risks
- Capital risks
- Political risks
- Economic risks
- Societal risks
- Technical risks
- Legal risks
- Environmental risks
- Ethical risks
- Demographic risks
Why is Risk Management Important?
Organizations exist to create value for their customers, shareholders, and stakeholders. Their survival depends on the impact of several known and unknown uncertainties emerging from many types of risks that challenge their ability to deliver value continuously. “If you don’t manage risk, risk will manage you. The latter won’t be pleasant for your project,” says Dr. Rajagopalan, our resident Enterprise Agile Evangelist in his book on “Organized Common Sense.”
The risk management process proactively identifies, analyzes, and controls the risk by establishing a risk appetite, risk tolerance, risk triggers, and appropriate risk response strategies to protect both the company’s project initiatives but also the company’s operational resources through business continuity and disaster recovery initiatives. Without the risk management processes, the company can neither continue to deliver value to customers, shareholders and stakeholders but also sustain value to them.
What Approaches Are Used to Manage Risk
Different types of risk require different types of expertise and can be managed under independent silos. However, there are universal approaches to managing risks:
- Risk Avoidance — averting risks by negating actions or processes that might exacerbate risks
- Risk Mitigation — reduce the impact of risk and minimize damage.
- Risk Transfer — transferring the weight of the risk away from the business via insurance, etc
- Risk Acceptance — accepting risks when the expected profit outweighs the expected risk.
- Risk Sharing - Collaborating with partnership arrangements to improve not only the likelihood of the positive risk but also ensure that the work will be completed collaboratively. This is the opposite of Risk Transfer.
- Risk Enhancement - Increasing the likelihood of the positive risk’s occurrence to maximize the benefit of the opportunity. This is the opposite of Risk Mitigation.
- Risk Exploitation - Enabling everything possible to ensure that the positive risk materializes to benefit the project or organization. This is the opposite of Risk Avoidance strategy.
5 Steps of Risk Management Process
A standard risk management workflow typically has the following five phases. These five phases are cyclical and iterative.
- Step 1: Identify the Risk. You and your team, in consultation with other business stakeholders, uncover, recognize and describe risks that might affect your project or its outcomes. There are many techniques to find the project and product risks. The risks identified can impact other projects as well as the programs and portfolios as well. During this step, you start to prepare your Project Risk Register.
- Step 2: Analyze the Risk. Once risks are identified, you determine the likelihood and impact of each risk. Frequently, qualitative risk assessment based on risk scales, such as critical, high, medium, or low, are used for the likelihood or the impact. You develop an understanding of the nature of the risk and its potential to affect project goals and objectives. This information is also input into your Project Risk Register.
- Step 3: Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk exposure, which is the product of likelihood and consequence. This risk score is a quantitative measure to prioritize the risks that require attention and can be plotted on a two-dimensional scale to visually indicate the priority. Depending upon the risk appetite of the organization and the risk tolerance of the stakeholders for the specific project, you make decisions about whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk rankings are also added to your Project Risk Register.
- Step 4: Treat the Risk. This is also referred to as Risk Response Planning. During this step, you assess your highest ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. How can you minimize the probability of the negative risks or threats as well as enhance the positive risks or opportunities? You create risk response strategies, preventive plans, and contingency plans in this step. And you add the risk treatment measures for the highest ranking or most serious risks to your Project Risk Register.
- Step 5: Monitor and Review the Risk. This is the step where you take your Project Risk Register and use it to monitor, track and review risks. As the project progresses, some risks may become invalid or their likelihood and impact may change. Similarly, new risks may be identified requiring them to continue with their assessment, evaluation, and treatment.
Risk Register to Manage Risks
Risk Register is a tabular document that contains all the risks identified, assessed, evaluated, and treated within the project, program, portfolio, or enterprise. This document is constantly updated as a result of each stage in the 5-stage risk management process explained earlier. Additionally, the risk register includes the risk owner along with actionable steps and dates describing how the risk is treated.
While the format of the risk register may differ across the project and organizations depending upon the severity of the product, result, or service released to the customer, the risk register contains details about the risk such as the risk identifier, risk description, risk breakdown category, likelihood of occurrence, the severity of impact, risk exposure, risk owner, and response approach.
Risks in Agile Initiatives
Agile inherently includes risk as part of its risk-adjusted product backlog. Every requirement prioritized must be ready following the DEEP (detailed appropriately, emergent, estimable, prioritized) to be potentially included in the upcoming iteration incorporating as much stakeholder input as possible so that it can be converted to product backlog item (PBI).
The principle of timeboxing in Agile allows the schedule to drive the scope that the self-organized teams can commit. Built into the timebox is limiting the amount of uncertainty included in the requirements or user stories because of the singular focus on value delivered for a specific persona. Each element of the INVEST (independent, negotiable, valuable, estimable, small, testable) characteristic of the user story included in the iteration limits the extent of risk included maximizing the value at the end of the iteration.
Risks in Regulated Industries
The regulated industries, such as life sciences, medical devices, financial services, chemical engineering, manufacturing, aerospace, and government, require additional risk controls in place. When a risk becomes an issue in regulated industries, the result of such a risk is widespread, sometimes fatal to the end-users, and damaging to the enterprise brand reputation. The cost of recovering from such a failure is frequently very high.
One such control is the detectability of a failure beyond the probability of occurrence and severity of impact so that even when the risk exposure from probability and impact are minimal, extreme measures are taken if the detectability is high. One such risk management framework is the Failure Mode Effect Analysis (FMEA) that prioritizes risks based on risk priority number which is a product of probability, impact, and detectability.
7 Must-Haves For Your Risk Management Tools
- Identifies and records many risks challenging the delivery of product regardless of the product delivery framework while allowing users to choose from a pre-established risk dictionary
- Assesses risk on a qualitative scale to risks for both the probability of occurrence and severity impact based on multiple factors defined by individual business units
- Monitors and tests risks by defining key risk indicators (KRIs) and recording the effectiveness of risk response and risk management processes
- Synthesizes risks on risk heatmap using dashboards that monitor both risks and solutions with easy-to-understand visual reporting
- Empowers regulatory compliance by ensuring the company’s risk management processes meets all necessary regulatory compliance through tracking and audit
- Ensures the execution of key risk-based projects, while prioritizing value delivery by identifying and accounting for critical risk and issue management
- Supports document management for stakeholder collaboration and real-time reporting enabling problem-solving and decision-making.
SpiraPlan’s Risk Management Functionality Explained
SpiraPlan is Inflectra's enterprise Process Management Platform. SpiraPlan is an all-in-one solution that seamlessly combines world-class portfolio management, risk management, and requirements traceability features. SpiraPlan boasts a full set of capabilities for program management, release planning, baselining, resource management, and risk analysis. With integrated executive dashboards full of critical metrics, real-time charts, customizable reports, and templates, SpiraPlan offers a birds-eye view of your teams' progress. SpiraPlan is framework agnostic, with support for Agile, Scrum, Kanban, Waterfall, and hybrid approaches.
With SpiraPlan you can easily identify, assess, and manage project and program risks with an easy-to-use web interface. Risks are a unique artifact within SpiraPlan (separate from issues or defects) that have their own types (business, technical, schedule, etc.), attributes, and workflows.
Risks have special attributes for analyzing and categorizing how important they are:
- Probability - how likely it will be that the risk will happen. Each one has a color and weighting (called a Score) associated with it.
- Impact - how serious it will be if the risk happens. Each one has a color and weighting (called a Score) associated with it.
- Exposure - calculated by multiplying the Score of the Probability X Impact to give an overall value of how serious the risk is, adjusted for how likely it is.
- Component- the specific type of risk unique to the product or project following the risk breakdown structure or risk dictionary applicable to the organization within a specific industry
- Type - the specific category of risk applicable to the organization within a specific industry
Each Risk will have its own "details page" similar to the other artifacts, where you can assign the Risk to an Owner, associate with a Release and/or Component, as well have various other standard and custom fields:
One important field for Risks is the Review Date since Risks can change in impact or probability during the lifespan of a project and need to be constantly reviewed.
The risk probabilities and impacts can be customized by a project template administrator.
The default workflow for risk in SpiraPlan has been created to implement best practices out of the box:
As with all artifacts in SpiraPlan, you will be able to customize the steps, transitions (actions), and permissions associated with risk workflows, as well as specify which fields are required, hidden, or disabled at each workflow state.
Further to that, as part of the Risk Treatment process, you can also create SpiraPlan project tasks to identify, prioritize and assign the specific activities that will need to be performed to successfully mitigate the risk. The mitigations and tasks are both tracked back to the parent risk.
Typically the Mitigations list is used to identify the ways that the risk can be addressed, whereas the tasks are the specific actions that different project members will need to take to act on the mitigations. The tasks have a status, priority, effort, and date and will be visible in the standard SpiraPlan task lists and Kanban board.
Risk Audit Trail
Using the built-in SpiraPlan history tracking feature, Risks also include a full audit trail of any changes made to the risk, for both standard and custom fields:
In addition, when you make changes to the status of the Risk, moving it through the risk management workflow, the system will enforce rules such as the need to add comments, add mitigations, specify the probability and/or impact:
The risk workflow operations also support electronic signatures for those customers that need to maintain a validated system.
SpiraPlan lets you link risks with other artifacts in the system. For example, you have a new feature that you plan on implementing, and you need a way to capture and track all the risks associated with it. Alternatively, you may want to associate risk with a requirement that has changed frequently or a test case that will be used to test the likelihood of a risk occurring.
The association’s tab on each risk page lets you link risks to other artifacts in the system.
Each association will contain the type of artifact being linked to, whether it is dependency, or simple relationship association, the date it was created, who made the association, and whether it is a cross-product association or not.
Risk Reporting and Risk Map
One of the key aspects of risk management is the ability to display the risks to management to ensure that they are adequately understood and that appropriate mitigations are in place. To make this easier, the SpiraPlan project dashboards include two risk widgets:
- A risk register that lists the most important risks (measured by their composite exposure score)
- A risk map sometimes referred to as a risk heat map, displays a colored matrix of risk probability vs. impact and plots the number of risks in each intersection. Clicking on a value will open up the main risk list page with the filters set to that intersection.
In addition, SpiraPlan includes a risk summary and risk detailed report in the standard SpiraPlan reporting menu that lets you generate risk reports in HTML, MS-Word, MS-Excel, PDF, and XML formats:
SpiraPlan - Non-Feature Differentiators
Risk Management is just one differentiating functionality SpiraPlan is famous for.. The platform is loaded with other functionality that will guarantee the success of your mission-, safety- and business-critical applications. Here is a list of non-feature differentiators SpiraPlan offers.
- Deployment: AWS or private cloud for SaaS clients
- Air-gapped installation
- Licensing: Concurrent licensing model
- Contracts: Monthly, annual and multi-year contracts
- Payments: Multiple payments methods (including reseller options for government purchasing)
- Pricing: Flexible pricing
- Security/Other: MFA, OAuth, Odata, Dark Mode
Free With SpiraPlan Purchase
- Support: 1-year support (phone, 24-hour email)
- Integrations: Over 60 plugins for leading and legacy tools
- Unlimited storage
- Unlimited API calls, projects, programs, products
- Migration paths from many legacy and modern tools
- Limited post-purchase in-person training
- Getting Started Videos, free tutorials
- Source-code management tool - TaraVault
- Exploratory testing extension for Chrome - SpiraCapture
Additional Paid Services
- From On-Premise to Cloud: Quick and easy migration from on-premise installation to Inflectra’s secure cloud and vice-versa
- Implementation services: Technical consulting and configuration, including migration assistance, workflow setup, platform customizations, consulting help,
- Capacity Building:
- Live training (in-person or virtual)
- Self-paced/on-demand recorded training
The Inflectra Promise
Easy To Migrate
It's super easy to switch to our tools. Migrate your legacy data, documents, spreadsheets, and more. (Don't worry, we also have a ton of ways to export your data.)
No credit cards, no contracts, no hassles. You can trial all of our products in the cloud or on your own servers, and all for a generous thirty days.
Service You'll Love
Best practices baked into every product, dozens of integrations, common sense options, first-class support every time. That's what our customers love about working with us.