Special features of risk management of startups and IT projects

I have some news for you: when working on a project, you are always at risk. The most common risk is missing the deadlines or exceeding the budget. Sooner or later, the risk will catch up with you, and you will have to decide whether to ignore it and hope that you will get out of it, or to bring the risk under control and begin to manage it.

Risk management

Risk management is the adoption and implementation of decisions that reduce the likelihood of force majeure on the project or allow you to manage the budget as a risk develops. It’s a real thing: it came from economics, and it’s friends with probability theory and the Monte Carlo method. People write big, heavy-going books about it that are in no way applicable in real life. Therefore, no matter how useful risk management is, you are unlikely to see it being used in small and medium-sized companies.

To begin with, risk management is a 5-step process:

  1. Searching for major risks.
  2. Assessing their importance.
  3. Finding ways to reduce risk.
  4. Estimating the cost of these measures.
  5. Assessing the appropriateness of these measures at a given risk level.

Search for major risks

There are risks that are more or less expected and there are ones that are completely unexpected, a.k.a. “known” and “unknown” in scientific circles.

Known risks (a.k.a. controlled) occur when there is some information: you have already worked in similar conditions and therefore know when the gun might go off, or at least you have heard things and have a rough idea of what to do with the consequences.

Unknown risks (a.k.a. uncontrollable) are those that you can’t even imagine because of a lack of information. They occur on new projects and while working with an unfamiliar team. These risks are difficult to detect and prepare for.

To detect and register unknown risks, you need to discuss the project with your team. Beforehand, talk to them about your goals, objectives and deadlines, and familiarize them with any known risks. It is also a good idea to ask each participant to brainstorm what other problems may arise.

All ideas that are brought up are accepted without exception or comment. Of course, you probably won’t elicit all unknown risks this way, but you will at least find some. The reasons for risks are different: force majeure, human factor, etc.

When you realize the scale of possible (or not so) risks, you have to choose those among them that are manageable, because trying to cushion the blow everywhere is expensive, inefficient, and you still can’t foresee EVERYTHING.

To select the most promising risks, you need to evaluate their importance.

For startups, it makes sense to highlight technical risks in addition to the main risk groups.

Technical Risks of Startups

I would identify 5 technical risks:

  • The development team does not have an experienced technical leader
  • Incorrect estimation of the scope of work and unwise team composition
  • Excessive operational issues
  • Choosing the wrong technology stack
  • Development and regular deliveries

Special features of risk management on the project and the product

It is absolutely necessary to separate the concepts of risk management on the project and the product.

A project is a temporary activity aimed at creating a product.

The main risk here is the inability to complete the project as expected because it can be affected by any of the following:

  • Lack of resources.
  • Lack of expertise.
  • Lack of access.
  • Legal restrictions.

What might help:

  • Search for restrictions and bottlenecks
  • Identification of restrictions
  • Documenting assumptions
  • Defining the work stack on a critical path
  • Matching stakeholders’ expectations

A product is a solution offered on the market that solves some problems or satisfies some needs.

The product risks may vary depending on whether the product is B2C or B2B, and may include one or more of the following:

  • The relevance/validity of the idea
  • Unreasonably high price
  • Technical implementation (for example, low performance)

What might help:

  • Strategy (analysis of the market, competitors and end-users)
  • Finding compromises regarding ASRs (architecturally significant requirements)
  • Definition of quality indicators

Possible limitations on the project

The following is the project management triangle (a.k.a. the triple constraint), which is a typical project management model.

[Figure: project triangle]

If you change one of the parameters, it will affect the others.

Some factors that influence the project:

  • Technology being used
  • Third-party solutions being used on the project
  • Compliance with timelines and deadlines

Dependencies and the critical path of the project

Dependencies are the relations between preceding tasks and the tasks that follow them. A task can have several preceding tasks and several following tasks. The most common type of dependency is end-to-start.

The critical path method (CPM) in managing project timelines is a step-by-step system for managing the processes of an individual project or an entire business. Having determined all the actions on the defined critical path, it is possible to adequately assess future costs and make a project timeline forecast.

If the critical path method is a control and planning system, then the critical path is the longest chain of tasks in this system. The name speaks for itself: all tasks within the path are critically important and cannot be delayed/expired/forgotten without harm to the project. Let’s see how it works in reality and can be displayed in a Gantt chart:

[Figure: Gantt chart]
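The critical path calculation described above, as an added example that is not part of the original article. The task names and durations are constructed, and `delay_impact` is a hypothetical helper showing how much of a slip a task's slack absorbs before the end date moves.

```python
from graphlib import TopologicalSorter

# Constructed sample plan: task -> (duration in days, predecessors).
# Every dependency is end-to-start: a task starts once all predecessors end.
TASKS = {
    "spec":            (3,  []),
    "backend":         (10, ["spec"]),
    "frontend":        (6,  ["spec"]),
    "security_review": (4,  ["backend"]),
    "qa":              (5,  ["backend", "frontend"]),
    "release":         (1,  ["security_review", "qa"]),
}

def critical_path(tasks):
    """Return (project_length, slack_per_task, zero_slack_tasks_in_order)."""
    for name, (_, preds) in tasks.items():
        missing = [p for p in preds if p not in tasks]
        if missing:
            raise ValueError(f"{name} depends on unknown task(s): {missing}")
    graph = {t: set(preds) for t, (_, preds) in tasks.items()}
    # static_order() raises graphlib.CycleError on circular dependencies.
    order = list(TopologicalSorter(graph).static_order())

    # Forward pass: earliest finish = latest predecessor finish + duration.
    early = {}
    for t in order:
        dur, preds = tasks[t]
        early[t] = max((early[p] for p in preds), default=0) + dur
    length = max(early.values())

    # Backward pass: latest finish that does not delay any successor.
    late = {t: length for t in tasks}
    for t in reversed(order):
        dur, preds = tasks[t]
        for p in preds:
            late[p] = min(late[p], late[t] - dur)

    slack = {t: late[t] - early[t] for t in order}
    # Zero-slack tasks are critical; if chains tie, all of them are listed.
    critical = [t for t in order if slack[t] == 0]
    return length, slack, critical

def delay_impact(tasks, task, days):
    """Days the project end slips if `task` alone runs `days` late."""
    _, slack, _ = critical_path(tasks)
    return max(0, days - slack[task])
```

Tasks with non-zero slack are where a schedule buffer already exists; any slip on a zero-slack task moves the end date by the same amount.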

Critical path processing in advance

If a risk can affect the project, all stakeholders and project management should be notified in a timely manner. In this case, you need to conduct a risk analysis to understand which project parameters (such as time, cost, amount of work) might be affected. Since risks can always be converted into money, it is better to always leave a buffer if possible. Buffers need to be put in the project roadmap.

Types of risk

Negative risks are risks that can lead to a worsening of the situation (change the product for the worse, increase the testing time, increase the cost of work, reduce quality).

Positive risks are risks that entail the opportunity to improve the product, reduce the time of work, reduce its cost, and also improve its quality. Positive risks may arise from random events (for example, the product release period has been extended by law). They can also arise when we become aware of negative risks (for example, we suspect that we have underestimated the cost of work, and this leads to extending the deadline; in fact, we estimated it correctly or even overestimated it).

How to respond to risks

Negative risks.

Risk aversion involves changing the project management plan in such a way that we exclude the threat posed by a negative risk, protect the project objectives from the consequences of the risk, or weaken the objectives that are at risk (for example, reduce the content of the project).

The transfer and sharing of risks involves handing the negative consequences of the threat, together with the responsibility for responding to the risk, partially or completely to a third party. In this case, the risk itself is not eliminated.

The transfer of responsibility for risk is most efficient when it comes to financial risks.

Risk transfer almost always involves the payment of a risk premium to the party accepting the risk.

Mitigating (reducing) risks involves reducing the likelihood of risk occurrence, reducing the consequences of a negative risk event to acceptable limits – the risk will either not come true or will come true but with lesser consequences.

Taking preventive measures to reduce the likelihood of risk occurrence or its consequences is often more effective than efforts undertaken to eliminate the negative consequences after the occurrence of a risk event.

Positive risks.

Exploit strategy. This strategy can be chosen to respond to risks with a positive impact if it is necessary to ensure that this opportunity is seized.

This strategy is designed to eliminate all the uncertainties associated with upper-level risk with the help of measures to ensure the emergence of this opportunity in various forms.

A reinforcing strategy changes the magnitude of an opportunity by increasing the likelihood of its occurrence and/or its positive impact, as well as by identifying and maximizing the main sources of these positive risks.

Risk Registration

It is imperative to document all project risks. For each risk, record:

  • Name, Description
  • Category (Technical, Managerial, External)
  • Risk probability (very low (0.10), low (0.30), medium (0.50), high (0.70), very high (0.90))
  • Risk impact (very low (0.05), low (0.10), manageable (0.20), high (0.40), very high (0.80))
  • Risk assessment (probability * impact)
  • Risk management plan
  • Action plan
  • Responsible person

Risk management matrix

Risk management process

  • Risk management plan (documentation of risk management activity on the project)
  • Continuous risk identification (review of project risks with the client and the team)
  • Conducting a quantitative and qualitative risk analysis
  • Monitoring and implementing agreed plans of risk response

Conclusions

Taking into account all possible risks will require significant effort at the initial stage (when you debug the processes of risk identification and analysis and determine the strategy) and regular work on updating them in the future. It is difficult to find universal solutions along the way, as they will depend on the size and specifics of your project. One thing I know for sure: risk management makes it possible to control the consumption of resources and, ultimately, to save your client time and money.