Risk analysis is a critical part of you proposal and planning
Many funders place substantial emphasis on having a good risk analysis as part of the application, particularly for maturing technology that has gone beyond proof-of-concept. Unfortunately, it is common for many proposals to treat risk analysis as an afterthought or to not consider it in sufficient detail. Consequently, the project is likely to either fail at the application stage or hit unforeseen problems in the implementation phase. In this article we give you some hints and guidance about how to undertake a sound risk analysis in your application, and how to use this to manage your project effectively.
We'd be the first to admit that risk analysis may not be the most exciting topic in the world (for some at least), but ignore it at your cost. A technically excellent project with poor risk assessment is unlikely to be awarded funding.
Don't leave it until the end.
Risk analysis should be one of the first things you do as part of your application. Once you've outlined the basic concept of your project and created a draft work breakdown structure, you need to start thinking about risks. The contingency measures you identify to help reduce risks should be integrated in to your planning, which includes timescales, human resource levels, and costs. Risks are largely meaningless if you don't incorporate them in to the structure of your project (and assessors will be attuned to this).
What should I consider as risks?
This will vary a lot depending on the type of project, but we recommend thinking of them in the following categories:
If your project is based around a technology, technical risks relate to specific challenges to delivering that technology and making it work as expected. Risks could include:
- Functionality/performance is not as expected or to specification
- Issues with integration with other technologies/hardware/software within the project
- Failures under test or demonstration conditions
- Failure to meet required standards or legislation.
To some extent these are inter-related to all the risks you identify, but essentially relate to project management issues during delivery of your project. They might include:
- Substantial delays in the tasks
- Overspend or other financial issues
- Partners leaving, not contributing to the project as intended, or going in to liquidation
- Legal issues, such as data protection issues or IP infringement.
If your project is to be exploited as a product or service within industry or society, there will be risks associated with this. They could include:
- The cost of implementing the technology is much higher than estimated
- Related to the above, the return-on-investment or business case becomes undesirable
- Market forces change, so that the technology is no longer considered relevant
- Competing technology arrives that is better/cheaper/preferred.
Here you need to consider how your project or technology integrates in to society and how this might create certain risks. These could include:
- Creating issues in relation to public health, human rights, ethics, or security
- Changes in public perception, which casts the project or technology in a negative light
- Government policy, legislation or standards change that make it much harder or impossible to exploit the project
- The technology creates negative impacts such as job displacement or environmental effects.
How do I categorise risk?
The funder will expect you to estimate both the likelihood and impact of your risks. As you can see from the figure below, low impact and low probability (of occurrence) creates an overall low risk (green). Conversely, high impact, high probability creates high or critical risks (amber/red). Everything in between these two creates your risk matrix.
In your application, you need to strike a balance between being excessively optimistic and scaremongering! Some applicants fall in to the trap of thinking that assessors just want to see a low risk project. If you list mostly low or medium risks, the assessors are likely to think you haven't considered your risks properly and that, if the project is so low risk, why do you need funding anyway? Conversely, if you over-estimate/over-state risk criticality such that your risk table is burning bright red, assessors are likely to think that the concept has not been de-risked sufficiently and represents a high probability of failure, so won't fund it.
As a general rule, we don't recommend listing any risks that are low or very low, unless they relate to a specific issue that your application needs to address (e.g. legislative risks). This is because low or very low risks aren’t likely to be a threat to the project. Just find a balance between medium and high-risks that gives the assessors confidence that you have thought about your risks properly, but that the project still has a good chance of success.
What are Good Risk Mitigations?
Good risk mitigations are quantifiable, measurable actions that can be used to reduce the likelihood of the risk occurring. This might include:
- Adding in contingency in timescales to allow for delays/issues
- Adding in contingency in budgets to allow for issues/unknowns
- Increasing resourcing levels for high risk tasks
- A clear management structure with a defined meeting schedule and clear lines of authority/reporting
- Clear escalation policy and openness of communication so issues are highlighted early
- A defined schedule of technical meetings for high-risk tasks
- A risk review board with a defined schedule of meetings
- Comprehensive testing and validation tasks
- Regular reviews of technology maturation and TRL assessment
- A defined schedule of meeting with regulators to understand policies and standards
- Defined meetings with stakeholders, industry, and end-users to ensure requirements remain consistent
- Consistent public engagement to understand societal opinions.
What is Poor Risk Mitigations?
Anything that is nebulous, a generality, or unquantified! We have quite often read in applications that say delays and issues will be mitigated by "good management techniques" or "sound communication strategies". While these aren't bad thing in principle, you need to be much clearer on what this means and quantify them wherever possible (as per the examples above). Your risks need to be integrated in to your planning, costing, and tasks (see below), allowing the assessors to clearly see that you have thought about your risks and how you will try to manage them.
Implementing your risk analysis in your application and your project.
Once you have done your risk analysis, take a look to see how this alters your draft work breakdown structure, tasks, and costings. Assessors will accept reasonable contingency in time and cost for high risk items and, indeed, this will be generally well-regarded as they will see you have undertaken your risk analysis properly.
Once your project is funded, make sure risk management is a fundamental part of your project management strategy. You may even wish to have a separate board or task dedicated to risk management. Risk management can be a very effective tool to ensure your project team is focussed on the most likely areas where issues are to emerge. Use a risk register (based upon your risk analysis) to drive actions and resourcing levels to your most critical activities (see the figure below). It is not enough just to have a risk register and record your risks. You should be using it actively to prioritise your action list and to drive resource and focus (and additional resource if required) to reduce the risk. You should be regularly assessing the risk levels of your critical tasks and continue to take mitigating actions if risk is not reducing.
Just remember that most funded projects can never have the total budget increased, so make sure your contingency is already in your costings. Moreover, most funding bodies would prefer it if projects are delivered to schedule. If you need to request a delay, you are likely to only get one opportunity, so make it count. If you have been managing your project and risks effectively, the funder is likely to be much more sympathetic to your request for an extension.
One final point on Force Majeure. Clearly there are scenarios and "acts of God" that you can never foresee or plan for. For example, the current COVID-19 crisis will have an impact on on-going research projects. No-one could have foreseen this when writing an application. In cases of Force Majeure your funder is likely to be sympathetic and will accept requests for project extensions in this scenario.
We would, of course, be very happy to help you or advise you on your risk analysis or its implementation in your project.