Transformation Preparation - Risk Management

Introduction

A risk is a potential event or condition that, if it occurs, could negatively impact achieving goals and objectives. Risks can arise from various sources, such as operational inefficiencies, organizational maleficence, financial uncertainties, executive ignorance, strategic misalignment, or other external factors like regulatory changes and market dynamics.

In my experience with enterprise transformations struggling to deliver on the promises of their business case, ROI, etc., risk management is not always a well-disciplined management process to ensure risks are identified, qualified, quantified, monitored, and mitigated. While risk is the first letter in RAID log management, it is often the least attended item until that risk is realized as an issue.

As an organization embarks on the transformation journey, it's crucial to understand that when a risk is not managed correctly, it can escalate into an issue and a growing liability. This liability can manifest as financial budget overruns, potential legal consequences, reputational damage, or operational disruptions. Failing to address these consequences can significantly impact the organization's long-term viability.

The transformation journey is inherently uncertain, and the failure to proactively identify, assess, and mitigate risks can lead to severe repercussions. Therefore, every organization member must understand their role in effective risk management. By addressing potential threats before they materialize into significant liabilities, we safeguard the organization's long-term viability, making each member's contribution vital.

Thus, the best place to start with a robust risk management process and discipline would be the transformation assumptions. These should be meticulously documented in the business case and other transformation documents, providing a clear starting point for effective risk management.

Assumptions and Corresponding Risks

The best place to start identifying and capturing transformation risks is with the assumptions, which should be available in one or more sources, including the following:

  • Transformation business case
  • Request for Proposal (RFP), Invitation for Bid (IFB), and respective proposals
  • Statements of Work (SoW) with external Stakeholders and SIs
  • Transformation charter
  • Transformation plan, schedule, schedule dependencies, etc.

Transformation assumptions are the foundational hypotheses on which the entire business case and execution plan are made. These assumptions include market conditions, regulatory requirements, technological capabilities, stakeholder engagement, resource availability, and timeline demands. Assumptions are the bedrock of the transformation strategy, providing a framework for planning and decision-making.

However, if these assumptions are inaccurate or overly optimistic, they can quickly evolve into substantial risks. Organizations can preemptively identify potential risks by examining, validating, and documenting these assumption risks at the outset and continuously throughout the transformation process. This proactive approach allows for developing contingency plans and mitigation strategies, transforming potential pitfalls into manageable challenges.

Ultimately, the evolution of transformation assumptions into transformation risks is a natural part of the journey. The key lies in the organization’s ability to anticipate, identify, dimensionally score, monitor, and address these risks before they escalate into critical issues, safeguarding the integrity and success of the transformation endeavor.

Risk Dimensions

Risk dimensions are the various factors that characterize and influence the nature, impact, and likelihood of risks evolving into issues. Understanding these dimensions is crucial for effective risk management, allowing organizations to prioritize and address risks systematically. Common risk dimensions often include the following:

  • Probability: The likelihood that a risk event will occur. This dimension assesses the chances of the risk materializing and affecting the project.
  • Impact on Transformation Delivery: The potential consequences or severity of a risk for the transformation delivery timing if it is realized as an issue requiring corrective action steps. This includes both quantitative impacts (e.g., resource, time, and quality cost) and qualitative impacts (e.g., reputational damage).
  • Impact on Post-Transformation Support: A risk’s potential consequences and severity of impact on supporting the organization after the transformation completion due to additional technical debt and total cost of operations (TCO).
  • Estimated Cost of Impact: The estimated cost of the issue’s impact includes the effort and time required to execute the corrective actions to mitigate its effects. This estimated cost should consider the current ‘burn rate’ incurred by the transformation periodically.
  • Targeted Date(s) for Risk Mitigation: The date(s) planned for the risk to be mitigated or ‘stepped down’ to reduce the severity of impact on delivery or post-production support and probability of occurrence.
  • Detectability: The ability to identify or detect a risk before it happens or before its impact becomes significant. Early detection, supported by thorough documentation of assumptions or a detailed, actively managed plan and schedule, can influence the effectiveness of mitigation strategies.
  • Manageability: The extent to which a risk can be controlled or mitigated through proactive measures. This includes the availability and efficacy of risk response strategies and plans.
  • Interdependencies: The relationships and interactions between risks. Some risks may trigger others, creating a cascading effect that can amplify the overall impact.
  • Stakeholder Perception: How different stakeholders view and assess the risk. This dimension considers the varying levels of concern and tolerance among those affected by the risk.

By evaluating risks across these dimensions, organizations can develop a comprehensive understanding of their risk landscape, enabling them to implement more targeted and effective risk mitigation plans and strategies. This multidimensional approach ensures that risks are holistically identified, analyzed, and addressed.

Scoring, Ranking, and Prioritizing Risks

In my experience, scoring, ranking, and prioritizing risks is one of the most critical but often neglected processes throughout a transformation. Thus, a regular cadence of reviewing risks and verifying mitigating actions was absent.

At a minimum, scoring criteria should be established for the following dimensions:

  • Probability
  • Impact on Transformation Delivery
  • Impact on Post-Transformation Support

The basis of scoring can vary depending on the organization and its risk management knowledge, experience, and maturity. Typically, a scoring scale can range from 1 to 3 or 1 to 5. A score of one is the lowest dimension score, while the highest number is the highest dimension score. It is critical to note that each score must have a qualifying definition and justification for assigning that score to that dimension. Otherwise, the individual scores will be based on the creator’s or assignee’s subjectivity.

The individual scores' results are then combined to calculate an overall delivery risk score and a minimum post-production risk score. These calculated scores aid in ranking and prioritizing risks to be reviewed for mitigation actions (and the status of those respective actions). In my own experience, I have leveraged the dimensions of probability and estimated cost of impact to communicate the potential financial impact of these risks to the executive stakeholders.

Yet these scores, calculations, ranking, prioritizing, and reviews are only as good as the disciplined cadence of these risk management activities.

Risk Review Cadence

Risks are only mitigated if they are reviewed regularly, and in my experience of transformation reviews and leading practices for successful transformation deliveries, transformations that met their business case goals and objectives had a disciplined management collaboration and communication cadence across the program, which included a regular risk review.

This risk review is solely focused on the active risks maintained in a RAID log. Risk reviews are best conducted without a review of the other RAID items. In a disciplined and thorough management cadence, there should be a review of the open actions, issues, and decisions (AID) and another regularly scheduled review of the active risks.

The risk review focuses on preventing active risks from becoming additional items in the AID review. These reviews should require only those who created and those assigned to the respective risks to attend. Any additional attendees should be considered optional unless they support the risk mitigation actions.

The risks should be ranked and reviewed based on their calculated transformation delivery score and post-production score. These reviews should also include a review of the mitigation steps to reduce these calculated scores by reducing the probability of occurrence, severity of impact, or both.

Wrap-Up

Qualitative and quantitative risk management is a critical ‘must have’ when planning and managing an enterprise transformation. In a transformation's preparation and planning phase, a clear definition of risk, its respective dimensions, and scoring criteria should be established.

The best place to start capturing and documenting the transformation risks is with the transformation assumptions. Those assumptions can come from multiple sources, including the business case, SoWs established with business partners and individual team members. The respective assumption risk identifies the detrimental impact if the assumption is false.

A minimum set of risk dimensions should be established for scoring, ranking, and monitoring purposes. Each risk should have a mitigation plan that defines and delineates the ‘step down’ plan that reduces the probability of occurrence, severity of impact, or both. Regular risk log reviews should occur with those who created and those assigned to each risk, and the risks should be addressed in order from the highest score to the lowest.

Transformation preparation is the best place to begin a consistent, qualitative risk management practice. Yet the key to successful risk management is consistency in the scoring, reviews, and follow-up on mitigation plans. Maintaining this primary discipline can significantly increase the probability of transformation success.
