Principles Of Risk Management

By Bob Norton

Risk is the possibility of suffering loss

Risk Management Paradigm

In a world where 90% of VC-backed businesses, and as many as 70% of major IT projects, fail, managing risk must be a major job of the CEO and all management teams. Risk must be aggressively managed at all levels of the organization. Though the scope and cost will vary, employees need to be empowered to take risks. It is an integral part of constant improvement, for without improvement any company will eventually die in today's fast-changing world economy. It follows then that taking risks must also be an acceptable part of any corporate culture, as there is no progress or reward without some risk.

Risk is ALWAYS there; it can come from both known and unknown factors. It is impossible to bring risk to zero because the unknown factors, by definition, can never all be known, i.e. you can never prove that risk does not exist, just as you cannot prove any negative.

The known factors are the easiest to assess and manage and generally come from the following areas:

  1. Your own staff and ensuring their skills are up to par with competitors and the market

  2. Known competitors improving their products

  3. New competitors entering your market

  4. Failure of your product in various ways:

    1. Customer expectations

    2. Technical failure

    3. Integration failure

    4. Training failure

    5. Adoption failure (caused by not having proper access to some segment of users for training)

    6. Poor product ROI (real or perceived)

    7. Declining development productivity

    8. Inability to evolve product due to baggage and legacy issues (at customer sites or in product)

    9. Poor sales model or one not adjusted to changing circumstances

  5. A Change in marketplace needs (disruptive technology or shift in customer desires)

  6. Lack of addiction (constant use of product is a longer term goal)

All those ways to fail, and this is by no means a comprehensive list! Although there are many ways for your product to fail, as shown in item 4 above, this is actually a better problem to have, because you have some control over the factors here. You can manage these risks more easily than outside factors. A typical risk management paradigm illustrates a set of functions that are identified as continuous activities through the life cycle of a project.

Functions of Risk Management

Each risk goes through these functions sequentially, but the activity occurs continuously, concurrently (e.g., risks are tracked in parallel while new risks are identified and analyzed), and iteratively (e.g., the mitigation plan for one risk may yield another risk).

Identify: Search for and locate risks before they become problems.
Analyze: Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks.
Plan: Translate risk information into decisions and mitigating actions (both present and future) and implement those actions.
Track: Monitor risk indicators and mitigation actions. Provide information and feedback internal and external to the project on the risk activities, current risks, and emerging risks.
Control: Correct for deviations from the risk mitigation plans.
Note: Communication happens throughout all the functions of risk management.

In a development project, the loss describes the impact to the project which could be in the form of diminished quality of the end product, increased costs, delayed completion, or failure.

Risk Versus Opportunity

Risk and opportunity go hand in hand. Many projects strive to advance current capabilities and achieve something that hasn't been done before. The opportunity for advancement cannot be achieved without taking risk. Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. In fact, the best way to succeed is often to fail more and faster. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity.

Risk Management is a practice with processes, methods, and tools for managing risks in any project. It provides a disciplined environment for proactive decision-making to:

  • Assess continuously what can go wrong (risks)

  • Determine what risks are most important to deal with

  • Implement strategies to deal with those risks, including your backup plan

  • Teach all your managers to constantly look for the top few risks to monitor

The continuous aspect of risk management is that it is always there and must be managed. There are seven principles which help provide a framework for effective risk management and allow you to objectively assess how complete a view you have of each risk:

  1. Global perspective (do not look only in your backyard for threats)

  2. Forward-looking view (understand where the market is going, not just where it is)

  3. Open communications - No one can see everything; communication within your team is essential

  4. Integrated management - This can mean many things, but communication at all levels both vertically and horizontally is NOT optional.

  5. Continuous process - Always assessing and reassessing top risks as things change

  6. Shared product vision - Vision is key (read more on vision)

  7. Teamwork - A flat organization with EVERYONE talking is required


Risk management is one of the most important and most often ignored aspects of getting a new company or product to profitability. You must be honest with yourself about what factors are out of your control and how to manage them. You must also be willing and able to assess where you might be wrong in any of your premises that would impact the business, and have an idea what you could do if each one proves true. This can range from assuming you can get a high price that proves unachievable, to not understanding that the customer does not even want to use your product for some very subtle reason that you only discover late in the game. Constant contact with customers is the best way to manage many risks. An advisory board of customers can be really helpful in this process too.

It is too easy to get tunnel vision and "not see the forest for the trees." If you cannot be totally objective, and most people cannot, then get outside help to assess business and market risks. Although this is not practical on an ongoing basis, it is a great starting point for identifying the key risks and beginning an internal process to assess each risk that could literally destroy your business. Once these are identified, you can assign the task of monitoring and alleviating each risk to key executives, as these may not fall along obvious departmental lines.

Bob Norton is the author of four books on growing companies and CEO of C-Level Enterprises, Inc., which helps companies grow more rapidly with products, training and consulting.

The diagram and some structure and text for this article were provided by The Software Engineering Institute (SEI). Additional material and editing have been done by C-Level Enterprises to incorporate specific philosophies developed by us. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense through the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics [OUSD (AT&L)]. As such, this material is freely available for publication.

The SEI's core purpose is to help others make measured improvements in their software engineering capabilities. More information is available at