You + Analyst for two months only to work on that topic? That's paradise!
This is a good article to get you started: https://hbr.org/2012/06/managing-risks-a-new-framework
One approach could be building a risk matrix.
The one axis would be risk broken down into these categories:
- Controllable risks - stuff that you are actually able to influence
- Uncontrollable risks - stuff that you are not able to influence (natural disasters, war, ...)
Then, you break it down further:
- Controllable risks
  - Preventable risks: Risks that are arising from within the company but are not taken for strategic reasons. Examples could be things like:
    - not setting up geo-redundancy for data centers
    - not staffing projects adequately
    - depending on a single supplier

    All of these have no strategic benefit, are maybe only a bit cheaper or faster. The goal of risk management here is to eliminate them as much as possible by putting in the appropriate measures. The approach is mostly rule-based: If this... then that... - If you want to set up a new data center, make sure you have two redundant fibre connections from two providers. If you work with this machine, wear safety goggles...
  - Strategy risks: Risks that are consciously taken to implement the chosen strategy. Examples could be:
    - Competitive risk from entry into a new market
    - Financial risk from financing a joint venture
    - M&A risk

    These risks are not entirely undesirable, because they are consciously taken to achieve the returns aimed for in the chosen strategy. Here a rule-based approach does not work. Here the role of risk management is to put tools and procedures in place to minimize the probability of the negative impact occurring (like doing a proper due diligence in an acquisition).
- Uncontrollable risks: You cannot prevent these from occurring. Hurricanes will hit, terror acts will occur. Here the goal of risk management is to minimize the impact once the risk does occur.
Once you have the one axis done, you can do the other one. Here you can use a million and one other categories:
- Operational Risk
- Schedule Risk
- Budget Risk
- Business Risk
- Technical Risk
- Information Security Risk
- Infrastructure Risk
- Quality and Process Risk
- Resource Risk
- Supplier Risk
And then you fill the matrix with content. The approach on what to do with these different risks will more or less fall out of the first axis: prevent from happening, minimize the likelihood of happening, minimize the impact.
Tools you might use later in the project to actually manage the risks are things like: scenario planning, war-gaming, stress testing, risk audits, certifications, ...
Hope this helps,