Risk rating says "minor", but is it really?
As a project owner or governance group member, you rely heavily on the risks (and risk ratings) presented to you. A project with a high risk profile might keep you up and night where as a low risk profile lets you sleep easy. But how often has a low risk project blindsided you with a low rated risk that turns into a huge issue? Can you really trust the risk profile presented to you?
On a scale of 1 – 10 how likely would you be to recommend us to a family member or friend? Scales, such as NPS are a very popular way of measuring satisfaction. Through volume of responses and familiarity these can be a very effective tool to understand the customer. But how effective is a scale when you only have a single response? Statistically very questionable, you may be able to establish a result if the responded answered extremely low or high, but if they responded in the middle the customers intent is much harder to establish. It would be fair to say that a single anonymous NPS response is unlikely to be valuable. You certainly would not report this to the business as an indication of how good or bad your customer service was.
The world of customer service has an answer to the NPS problem. Many companies now follow an NPS survey with follow up questions to better understand the intent of the score. Doing this adds weight to single responses, providing clarity of intent. You can understand why a customer scored you the way they did and you can use this additional information to respond or even to scale their original response. Companies like Qualtrix provide a globally bench-marked satisfaction survey that takes NPS to the next level in the form of the Temkin Experience Rating. The result is a system that provides highly actionable data, that ensures a business is delivering customer experience within expectations.
If the value of an NPS score can be enhanced with additional detail, how can this be applied to risk. The answer is that it already has. Corporate risk frameworks typically use matrices to clarify the criteria for rating the likelihood and impact of a risk. Impact matrices are a very effective tool and allow for a more accurate assessment of risk that is consistent across risk owners. However, this approach is seldom applied to management of project risks. Project risks remain inconsistent between owners and subjective, often putting millions of dollars at risk. So how do you improve the accuracy of your project risk management?
Utilise a Consequence Matrix Take a leaf out of corporate risk management an ensure that all project risks are scored using a consistent consequence matrix. A matrix takes low, medium and high impacts to the next level by clearly defining what these terms represent. This approach means anyone assessing a risk can assess it against the same criteria and will be more likely to provide a result consistent with another assessor. The result, governance can trust what it is seeing. Matrices are not limited to impact and can also be applied to likelihood and control effectiveness. Simply applying a consequence matrix to impact assessment can be a huge leap forward. Make sure your matrix is appropriate for use. A corporate matrix can seldom be applied to a project because the impact and timescale of a project will not naturally align with long term strategic risks.
Use multiple assessors There is safety in numbers (check out The Wisdom of the Crowd - https://youtu.be/iOucwX7Z1HU). Rather than using a single person to assess a risk, leverage the entire project team. 5 people scoring a risk will provide a much more accurate picture of the risk that a single person. Even more value can be derived by using assessors from a cross functions project team; people from both the business and IT teams. One of the important things about assessing a risk in this way is blind assessment, an individual can easily be swayed by the score of a superior and this needs to be avoided. At 6risks.com we call this kind of assessment “Wisdom of the Team” and it allows awareness and contribution toward risk to be shared amongst the team.
Failing to manage your risk is in itself a key project risk, so don’t get caught short. Using the two approaches above will support your project, not only by broadening awareness within the team but also providing greater confidence to the project governance group or owner.
Blind team assessment and risk matrices can be difficult to manage, but both are features included with 6risks.com. Join our mailing list for early access and updates.
References and Reading
Tempkin Experience Rating - https://experiencematters.blog/temkin-experience-ratings-overview/
The Wisdom of The Crowd - https://youtu.be/iOucwX7Z1HU
How to develop a consequence matrix - https://riskmgtandins.com/how-to-develop-a-consequence-matrix/