Risk management: Defining the threat and developing the framework

George Sifri outlines the steps his company took to define threats and opportunities and rate their possible impacts. Find out how you can prepare your company to handle risk.

Editor's note: This article was originally published on October 21, 2002.

A successful strategy for managing IT project risks must be built on a solid foundation of corporate understanding, commitment, and support. To establish that framework, a risk management strategy must begin with a three-part effort:

  • Establish a risk glossary for a consistent understanding of terminology.
  • Set up processes for identifying, analyzing, planning, monitoring, and controlling risks.
  • Identify the tools and techniques that would support the framework.

Defining risk terminology

For my company, the first step was to define and document what we meant by risk and the processes associated with risk management. It was a time-consuming step because the exercise of defining terminology triggered an inordinate amount of political and emotional sentiment. Nevertheless, we could not move ahead without it. The early understanding and agreement on terminology was a key building block needed for sending consistent messages across the organization concerning our risk management program.

We wanted to adopt a proactive approach to risk management so that we could deal with risks before they became problems. In addition, we wanted to convey the message that we should also pursue opportunities. Thus, the definition of a risk had to cover three ideas: an event in the future, a potential threat, or a potential opportunity. The definition that we adopted was as follows:

Every risk consists of three components:

  • An event
  • A probability of occurrence
  • An impact

We defined a risk event as a discrete possible future occurrence that may affect the project for better or worse. It could be a wanted event, an opportunity with a potential positive impact, or an unwanted event or threat with a potential negative outcome. We wanted to answer the question: What could happen, good or bad, to my project?

We defined the probability as the likelihood that this event will happen. We could express it as a numerical value between 1.0 (certain to happen) and 0 (impossible). We could also express it as a qualitative rating such as high, medium, or low. Frequently, we used quantitative and qualitative ratings interchangeably.

We defined the impact as the consequence of the risk, if it occurred. We could express it as a qualitative rating such as high, medium, or low. We could also express it as a numerical measure between 0 (not serious) and 1.0 (catastrophic).
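The three-component definition above (event, probability, impact) maps naturally onto a simple risk register. The following is an added example, not code from the original article or from the author's company: it accepts each component either as a number on the 0 to 1.0 scale or as a high/medium/low label, since the article says both kinds of rating were used interchangeably, and ranks the register by probability multiplied by impact. The numeric values assigned to the labels (0.9/0.5/0.1), the exposure formula, the sign convention for opportunities, and the sample entries are all assumptions constructed for illustration.

```python
"""Risk register built on the risk = (event, probability, impact) definition.

Added example, not from the original article. The label-to-number mapping,
the exposure formula and the sample entries are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

Rating = Union[str, float]

# Assumed mapping of the article's qualitative ratings onto its 0..1 scale.
QUALITATIVE_SCALE = {"low": 0.1, "medium": 0.5, "high": 0.9}


def to_numeric(rating: Rating) -> float:
    """Return a value in [0, 1] from either a number or a high/medium/low label.

    Rejects unknown labels and out-of-range numbers so that a typo in the
    register cannot silently distort the ranking.
    """
    if isinstance(rating, str):
        key = rating.strip().lower()
        if key not in QUALITATIVE_SCALE:
            raise ValueError(f"unknown qualitative rating: {rating!r}")
        return QUALITATIVE_SCALE[key]
    value = float(rating)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"rating out of range [0, 1]: {value}")
    return value


@dataclass
class Risk:
    event: str          # discrete possible future occurrence
    probability: Rating  # likelihood, 0 (impossible) .. 1.0 (certain) or a label
    impact: Rating       # consequence, 0 (not serious) .. 1.0 (catastrophic) or a label
    kind: str            # "threat" (unwanted event) or "opportunity" (wanted event)

    def exposure(self) -> float:
        """Probability x impact, signed by event type (assumed convention).

        Threats are positive and opportunities negative, so one descending sort
        lists the most serious threats first and the best opportunities last.
        """
        score = to_numeric(self.probability) * to_numeric(self.impact)
        if self.kind == "threat":
            return score
        if self.kind == "opportunity":
            return -score
        raise ValueError(f"kind must be 'threat' or 'opportunity', got {self.kind!r}")


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Order a register so the entries needing attention first come first."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


# Constructed sample register mixing numeric and qualitative ratings.
SAMPLE_REGISTER = [
    Risk("Key vendor misses delivery date", "high", 0.6, "threat"),
    Risk("Requirements change after design sign-off", 0.4, "high", "threat"),
    Risk("Early hardware delivery lets testing start sooner", "medium", "medium", "opportunity"),
    Risk("Data centre move slips past cut-over weekend", "low", 0.9, "threat"),
]


def ranked_events(risks: List[Risk] = SAMPLE_REGISTER) -> List[Tuple[str, float]]:
    """Return (event, exposure) pairs in ranked order, exposure rounded to 3 places."""
    return [(r.event, round(r.exposure(), 3)) for r in rank_register(risks)]


if __name__ == "__main__":
    for event, exposure in ranked_events():
        print(f"{exposure:+.3f}  {event}")
```

Using a single ranked list for threats and opportunities keeps the register consistent with the article's point that both are risks; the sign convention is only one way to do that, and a team could equally keep two lists.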

Raising awareness

Once we defined the terminology, we began a campaign throughout the organization to raise the general level of awareness of the Risk Management Program. This was part of our strategy to manage the cultural change required in the organization and foster the involvement and commitment at an early stage. The campaign consisted of articles in our in-house bulletin, and formal and informal presentations to individuals and groups. In addition, we built a Web site that contained the latest versions of the relevant documents, discussion forums, latest news, useful links, contact information, etc. This was an extremely time-consuming activity that we had originally underestimated.

Building the risk management processes

Once we had achieved considerable progress on establishing the terminology, we started developing our risk management processes in cooperation with the external consultant, who offered several models for risk management that we could customize. This enabled us to develop a flexible framework that was tailored to our needs and saved us a considerable amount of time and effort.

Our risk management framework consisted of the following processes:

  • Risk management planning: Deciding how to approach and plan the risk management activities for a project
  • Risk identification: Determining which risks might affect the project and documenting their characteristics
  • Risk analysis: Examining the risks in detail to determine the extent of the risks, how they relate to each other, and which are most relevant
  • Risk response planning: Developing procedures and techniques to enhance opportunities and reduce threats to the project's objectives
  • Risk monitoring and control: Monitoring residual risks, identifying new risks, executing risk reduction plans, and evaluating their effectiveness throughout the project life cycle
  • Risk documentation and communication: Documenting and communicating risk information to facilitate the decision-making process

We had to compile information on the risk tools and techniques that we could use in our framework. The external consultant helped us catalog these tools and techniques in our risk management handbook. For each tool and technique, we included a brief description and, where applicable, its inputs and outputs, the process for applying it, its resource requirements, and known issues.

Piloting the risk management framework

Because my company has 45,000 employees across the globe, we decided to test the framework by piloting it in different areas of the business. Selecting the appropriate pilots was critical to the success of our project. We needed to identify pilots that represented typical projects such as building an infrastructure, upgrading a system, implementing a new process, acquiring a company, moving premises, or developing software.

The next challenge was how to measure the success of each pilot:

  • How could we prove that the framework was successful in identifying unforeseen risks?
  • How effective was the framework in enhancing productivity?

We worked with the external consultant on identifying metrics that enabled us to assess the effectiveness of the framework. For example, in the case of software development projects, we used the metrics defined in IEEE Standard Dictionary of Measures to Produce Reliable Software to assess the effectiveness of the process.

Obtaining feedback from the participants, who completed a questionnaire after the piloting exercise, was one of the major objectives of the piloting phase.

The marketing campaign

We used the successful pilots in our internal marketing campaign. We asked the individuals who were involved in these pilots to share their experiences with others. We used presentations, workshops, an in-house bulletin, and more.

One of our biggest challenges was managing users' expectations. They expected immediate benefits. We had to keep reminding them that the most valuable benefits were long-term ones.

We knew that training was essential for the success of the framework. We had designed several training courses on general project management, and we fully integrated risk management training into these courses. We also provided specialized workshops on the various risk management tools and techniques. On these training courses, we used real projects that the company had performed. This approach enabled us to assess the effectiveness of the framework in predicting unforeseen risks and enhancing the decision-making process.

Up next

In the third and final installment of this series, George Sifri presents the lessons he learned through implementing a risk management strategy.
