Skip to main content

Risk is Everybody’s Business

Identification and management of risks is a crucial activity at every stage of the business change lifecycle.

Risks come in all shapes and sizes, but generally speaking if we can predict them and spot them early we have a better opportunity to formulate an appropriate response. Many projects will have a centralized risk log that is ‘owned’ by the project manager—and it’s easy to assume that project risk management is entirely within the domain of the PM. After all, they have the log, surely it’s their responsibility? Well, yes and no….

Depending on the organization, the mechanics of keeping the risk log up to date, identifying risk owners and appropriate management action may fall within the remit of the PM. These are crucial activities, yet the reality is that effective management of project risks relies on collaboration. Risk really is everybody’s business.

“The effect of uncertainty on the value of a change, a solution or the enterprise” (IIBA, 2015, p.452)

This definition provides a useful lens through which to discuss risk. As BAs we often have a unique perspective, as we’re able to view the top-level  ‘end-to-end’ macro-view as well as being able to zoom into the detailed micro-view. Whereas a project manager may be best placed to perceive risks to time and budget (as they will look across all streams of work), they may require our input to identify detailed risks that apply to the value of the change. Working as a team, bringing in the relevant stakeholder expertise too, we’ll get a much more holistic view.

This definition also makes the important (but often forgotten) point that there are risks that affect the ongoing operation of the enterprise as well as those that affect the efficiency or effectiveness of the change initiative itself. Take the following examples:



Risk Background

Risk Event

Risk Outcome


The new (desired) widget production process will be cutting edge.  We have no data on which to base our estimates of time, and limited data on which to base our cost of delivery estimates.

Design effort uncovers additional complexity, meaning design and delivery will take longer than expected

·       Project timescales affected (cannot progress widget workstream)

·       Budget affected

·       Benefits reduced


The new (desired) widget production process is significantly more automated than the current (manual) process.  It relies on new technology that we are unfamiliar with.

Catastrophic failure of widget production system (e.g. ‘hackers’ disrupt operation)

·       Production halts

·       Orders not fulfilled

·       Revenue loss of X$/minute of downtime

·       Reputational damage

·       Downtime of greater than 2 days will likely lead to key accounts getting  lost

Here we can see that the first risk affects project delivery. A cutting-edge process is being designed, so there is little knowledge of how long it will actually take to build. There are many ways this risk might be managed, including looking at an incremental delivery style that will enable us to test and learn as we progress. However, a key point here is that when the project is complete, this risk evaporates. It no longer needs to be actively managed.

This is in contrast to the second risk, which will need attention throughout the project but will also need to be managed once the process moves into a ‘business as usual’ state. Throughout the project we’ll need to be considering whether there are associated processes or requirements which can help to minimize the ongoing risk (for example, it’s likely that there are a set of implied ‘monitoring’ requirements, and a set of disaster recovery processes that need to be captured). It’ll be important to find someone to ‘own’ this risk once the project has launched. With our ability to ‘zoom out’ to examine the macro level, and ‘zoom in’ to see the detail, we have a lot to contribute.

These are all areas where we can help. As with so many topics, risk can be viewed from multiple perspectives, and when we take a collaborative approach we see much more.



IIBA® (2015) A Guide to the Business Analysis Body of Knowledge® v3, Toronto, International Institute of Business Analysis

Adrian Reed

Adrian Reed is a true advocate of the analysis profession. In his day job, he acts as Principal Consultant and Director at Blackmetric Business Solutions where he provides business analysis consultancy and training solutions to a range of clients in varying industries. He is a Past President of the UK chapter of the IIBA® and he speaks internationally on topics relating to business analysis and business change. Adrian wrote the 2016 book ‘Be a Great Problem Solver… Now’ and the 2018 book ‘Business Analyst’ You can read Adrian’s blog at and follow him on Twitter at