The nature and character of risk can influence your project in a big way.
To begin, it is perhaps useful to define what risk means. Drawing on the M815 project management module, I have found the following two definitions:
‘The potential of situation or event to impact on the achievement of specific objectives.’ (APM, 2019, p. 215)
‘An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.’ (PMI, 2017, p. 10)
Fundamentally, risk can influence your choice of project model, and directly influence how you gather requirements. If everything is known, and you are not going to be doing anything risky, you might opt for a simplistic project model. If there are elements of your project that you know nothing about, and have never done certain tasks, you might choose an iterative approach.
When you have chosen a project model for your project, you can then start to think about how risk will potentially influence the different phases of your project. To do this well, you need to a number of things:
Write your risks down. By doing this, you will begin to create what is sometimes called a risk register.
- The next task is to consider how important your risks are.
- You the need to consider how to deal with those risks.
- In some cases you may choose to mitigate against risks. In other words, if these risks were to appear, you need to know how to respond to them.
- After having done this, you then need to make some changes to your plan. You might, for example, choose to add more slack into certain elements of your schedule if you need to use some of your mitigations.
When it comes to TM470 you should be carrying out risk planning from the very start of your project since it can guide what you do. Importantly, LO3 directly relate to how you deal with risk:
L03. Identify, list and justify the resources, skills and activities needed to carry out the project successfully. Identify and address any associated risks
To gain a distinction, you must have
… identified the resources, skills and activities, the timely availability of which is essential. Has judged risks appropriately.
Module materials
There are a number of sections within the TM470 module materials that you should look to.
Section 2.5 Risk in project lifecycles: This section relates to the point that the structure of your project may well be driven by risks.
Section 3.2 Risk Assessment: This section encourages you to consider risk in two different ways: impact, and likelihood. There are three different levels of each. A practical suggestion is offered; you might want to think about creating a risk table (which is a bit like a mini risk register). The decision on how you present and summarise your risks is, of course, up to you. It is, of course, dependent upon your project.
Section 3.3 Risk management: This is about how you deal with the risks that you identify. Do you avoid a risk, find a way through, or accept that something is a risk?
Risk analysis
In the TM470 FAQ a fellow tutor, Karl Wilcox, has written about the notion of risk analysis, which extends what is mentioned in sections 3.2 and 3.3. Karl begins with a simple question: where do risks come from? Karl offers some practical advice:
‘One primary source is the list of resources that you need for your project (which is why we ask you to provide one). Since you have identified a need for each of those resources, the lack of any resource will affect your project plan to a greater or lesser extent. Some might be trivial but you should definitely go through all your resources and ask yourself whether each one should have an entry in your risk register or not.
The other main source of risks is "external events". Obviously, you need to be a bit sensible about this and really just consider events that apply specifically to you, so illness, illness of a family member, unexpected work commitments, etc.
Finally, there is a smaller source (that may not be relevant to your particular project) but is there a possibility that some part of your project turns to be impossible? (Or more likely, prohibitively difficult). Do you need to develop new skills? (Another reason we ask for a list of these…) What if it turns out that something just doesn't "click" and you find that skill too hard? Are there any possibly technical or legal or ethical issues that might arise?’ (Wilcox, 2024)
Karl relates a number of potential risks to the different tables that you have been asked to create. For each skill or resource, is there an accompanying risk?
How do we deal with, or mitigate our risks? Karl offers some practical advice, which I abridge for brevity:
‘These [mitigations] can take many forms, from exploring alternatives, adding in contingency time, or sometimes carrying out activities specifically to minimise risk, or at least to bring forward a better understanding of them. … Active steps include things like taking backups of all your work to mitigate the risk of hardware failure, or replacing a laptop that you know to be a bit flaky. If you need input from other people, can you at least get some time in their diaries now, rather than leaving it until later to find out they are not available?
In reality, especially with the limited timescale (and limited personnel resources!) of a TM470 project the most likely response to a risk actually arising is "do fewer things", but again you can prepare for this. Are there parts of your project that you can consider as "stretch" goals, to be achieved if everything goes well but that can be set aside if things go ill? Can you perhaps arrange your plan so that a crude "prototype" of your final deliverable can be developed early, so at least you will have something working if things fall apart at a later stage?’ (Wilcox, 2024).
Karl’s comments about ‘stretch goals’ is both interesting and useful. Another way to think of this is in terms of what a ‘minimum viable product’ might look like. Here we can see an implicit link between the project model and risk. For example, if things do go ‘ill’, we may well wish to curtail a final iteration (if we adopt an iterative lifecycle, of course).
It is worth noting that Karl takes all this pretty seriously:
‘So I don't see the "Risk Analysis" part of TM470 as simply being a "paper" exercise, in which the construction of a risk register listing risks, likelihood, impact and mitigation for a dozen or so factors is presented in TMA01 and then ignored. That may well gain you some of the marks but it can actually be a genuinely useful exercise that will affect what you do and how you do it and give you a much better chance to complete the project to your own satisfaction and gain better marks all around!’ (Wilcox, 2024).
The Risk Register
Following on from Karl’s FAQ, fellow tutor Trevor Forsythe shared a forum post with his TM470 students, outlining what types of information that you might hold in a risk register. His post had been based the PRINCE2 approach to managing risk (PRINCE2, 2024).
Trevor began by writing: ‘this is one of those learning outcomes that is regularly reviewed, and we are looking to see how students assess and manage risk. A quick search of the Internet will identify a number of risk templates either in word or Excel formats. There is no mandated template to use so you will have to identify one that you think works for your project. As an example, a risk register could contain the following …’
What follows is an abridged and edited version of what Trevor shared (which draws on the PRINCE2 original):
- Risk identifier: Provides a unique reference for every risk entered into the risk register, typically a numeric or alphanumeric value.
- Date registered: The date the risk was identified. This is helpful with knowing whether the current version of the risk is the one that is up to date.
- Risk category: The type of risk in terms of the project’s chosen categories (e.g. schedule, quality, legal, technical, learning, hardware).
- Risk description: The risk in terms of the cause, event (threat or opportunity) and effect (in words of the impact) e.g. "my hardware could fail and I lose all my software development".
- Probability impact: It is helpful to estimate the inherent values (pre-response action) and residual values (post-response action). These should be recorded in accordance with the project’s chosen scales.
- Proximity: This would typically state how close to the present time the risk event is anticipated to happen (e.g., imminent, within the management stage, within the project, beyond the project). Proximity should be recorded in accordance with the project’s chosen scales.
- Risk response: Actions to be taken to resolve the risk. These actions should be aligned with the chosen response categories. Note that more than one risk response may apply to a risk. For example "regular backups of software and configurations will be made into a cloud storage system e.g. OneDrive or Dropbox”.
Materials from other modules
Although TM470 is primarily intended to build on your earlier level 3 studies, if you have previously studied TM254 Managing IT: the why, the what and the how, it is worthwhile visiting Block 3, Part 6: Software quality, risk and risk management. In this block, there are three sections which have particular relevance to TM470, which are: Section 3.1 Categories of risk, Section 3.2 Risk assessment, and Section 3.3 Risk management. It is also worth noting that the TM254 module website (which you may still have access to, if you finished studying this module only a few years ago) has an extensive glossary, which defines the terms: risk register, risk mitigation, risk management, risk exposure, risk reduction, and others.
Although risk isn’t explicitly studied in TM353 IT systems: planning for success, it might be useful to review Block 3, Part 3, Part 3 – How to recover from failure: Business Continuity Planning, which includes a Business Continuity Management Toolkit.
Looking forward to the OU postgraduate module, M815 Project Management, sees the link between risk and project planning and management discussed and handled in quite an extensive way. Risk management is, of course, a subject all of its own.
Summary
Risk can guide not only what is done, but how things are done. In TM470 LO3 indicates that you need to demonstrate your understanding of risk, and how it relates to your project. For the sake of TM470, a practical approach is necessary. It is important to keep things simple (since the project only lasts for a relatively small amount of time), but it is important to make sure that risks are clearly and carefully considered. A practical recommendation: create a risk table, and keep it updated throughout your project. When you get to the end, make sure you reflect on your approach to risk, and what you learnt from it.
References
Association for Project Management (APM) (2019) APM Body of Knowledge. 7th edn. Princes Risborough: Association for Project Management.
Prince 2 (2024) Prince2 wiki: Risk Register. Available at: https://prince2.wiki/management-products/risk-register/ (Accessed 15 April 2024)
Project Management Institute (PMI) (2017) PMI Lexicon of Project Management Terms. Version 3.2. Available at: https://www.pmi.org/pmbok-guide-standards/lexicon (Accessed: 15 April 2024).
Wilcox, K. (2024) Risk Analysis - what makes a good one? TM470 FAQ.
Acknowledgements
Many thanks are ended to Karl Wilcox and Trevor Forsythe whose words have directly found their way into this article. Thanks are also extended to the TM470 module team, and the other module teams that are mentioned: TM254 and TM353.