Every project faces a number of elements that risk its success. For instance, a lack of team-member availability, qualified resources, customer information, data, proven technologies, a clear scope – or deficiencies in a number of these areas – represents a risk.

To prevent risks like these from happening, or at least to be prepared when they occur, project leaders and other team members should assess the key risks of any project and determine how they can be addressed.

One format and approach frequently used for this kind of risk management is a “light” version of the common failure mode and effects analysis (FMEA). These four steps cover how to create a risk-mitigation plan.

Step 1: Brainstorm Potential Project Risks and Potential Causes

In a meeting early in the process, the project team brainstorms and records potential risks. The leader guides this session with questions such as, “What can go wrong?” or “What might prevent this project from being successful?” These risks are recorded in a modified version of the FMEA (Figure 1).

Concerns from team members or other stakeholders also can be managed as risks. For example, if someone says, “We have tried to work on this issue before,” then the risk “solutions cannot be found” can be included in the project FMEA. This shows that the team members’ concerns are taken seriously.

For each risk, the DMAIC (Define, Measure, Analyze, Improve, Control) phase during which it is most likely to occur is identified. Risks that are not specific to a phase can be assigned to the category “General.”

The team also identifies potential causes for each risk. This will help to better determine corrective or preventive actions during Step 3.

Figure 1: "Light" Version of FMEA Risk Mitigation Plan

Step 2: Rate Potential Risks

Next, the team rates each risk according to its probability of occurrence and its impact on the project using the following categories: 

  • 1 = low probability of occurrence, low impact on the project
  • 2 = medium probability of occurrence, medium impact on the project
  • 3 = high probability of occurrence, high impact on the project

The team discusses each risk until they reach consensus on its rating. If one person thinks a risk has a low probability of occurrence (1) and another assumes a high probability (3), it is not correct to simply assign it a 2.

Step 3: Prioritize Risks and Define Mitigation Actions

Team members prioritize potential risks by calculating the product of the probability of occurrence and the impact on the project. They can create a traffic light scale to indicate which risks warrant mitigation actions and at what priority (Figure 2). The matrix will not be symmetrical because high-impact risks are considered more critical than risks with a high probability of occurring.

Figure 2: Risk Categorization Matrix

The team designs a plan for each risk in the yellow and red zones, including actions required to mitigate the risk, who is accountable and a due date. 

Team members should always double-check whether the actions are truly actionable and will really help to mitigate the impact or the probability of occurrence of the risk. In the best case, actions fully eliminate the risk. Second best are actions that reduce the probability of occurrence, while the third-best option is to define countermeasures that work as a fallback plan (i.e., if the team cannot prevent a risk from happening, they should still know what to do if it occurs).

Step 4: Continuously Update and Review the Project FMEA

Assessing risk is not a one-off activity. As the project moves forward, the team continuously updates the project FMEA and checks off the completion status of mitigation actions. An example of a chart at this stage is shown in Figure 3.

Figure 3: Extract from Sample Project FMEA

The team assesses a new probability of occurrence for those risks that are adequately mitigated. Based on this rating, they can calculate and record a new risk status. The team also continues to identify new risks and addresses them as they arise. Deciding how and when new risks are to be addressed is best done during weekly status meetings.
