Risk analysis and mitigation seem to typically be motivated (like so many things) by money. In the case of risk mitigation, the motivation is to avoid potential cost. It’s a great motivation, but how do you measure that cost?
Too many organizations make risk mitigation decisions based on simple numbers. While this is easy for the obvious, high-risk issues (we’ll be sued for $18M if we don’t do “X,” we’ll lose a $65M/year contract if we fail “y”), those issues tend to be significant enough in scale (even without analysis) that the risks associated with them are identified and managed by default as part of a typical corporate culture. It’s certainly crucial to deal with these things, but that risk identification practice does not translate to the smaller issues organizations need to deal with every day – and those smaller issues can add up to a significant total very quickly.
Ongoing contextual data collection for as many activities as possible gives an organization the best chance of identifying these smaller risks – and the effort does not have to be expensive. Simple data collection, such as asking stakeholders to evaluate expected opportunity losses, can yield very powerful results with some lightweight business intelligence behind them. Keeping data collection efforts simple and focused gives the best response rate, and also tends to yield the best data.
The effort can pay for itself fairly quickly (for those still worried about ROI). This method let us find a small opportunity loss that was replicated across many projects: expected loss × probability of loss × number of incidents took three small numbers and translated them into one large potential expense to the business, which we were able to avoid.