How we approach risk management at Spyrosoft

Matylda Chmielewska

Content Specialist

As Spyrosoft collaborates with multiple customers from high-risk sectors such as the medical and automotive industries, risk management is one of the crucial elements of every project our team manages and develops, no matter if it’s a software or hardware undertaking.

In this article, our risk management experts, Marek Palka and Lukasz Stachowiak, talk about how we approach risk management at Spyrosoft and the strategies we employ during collaborations with our clients.

How would you define risk management? 

MP: From my perspective, it is managing uncertainty. At work as well as in private life, there is a certain type of uncertainty related to the fact that we cannot guarantee that things will always go as planned. It could be that we are also missing crucial data to ensure that they will, but we have enough of it to state that they will not. To increase the probability of completing the task, we should start thinking about scenarios of what could go wrong and hold us back from achieving our goal.

Once we have identified them and addressed them accordingly, we minimise the risk of external conditions affecting the situation.  

LS: The main goal of risk management is not to eliminate all risk but to bring it down to an acceptable level. It is one of the principles of multiple risk management standards. 

What should a company that wants to implement risk management into its operations do? 

MP: The first step is identifying a risk or rather, risks. This is the starting point that is decisive for the next steps. Once we have this list of risks, we can estimate whether they pose a serious threat and how they can impact our business operations. During this process, we can discover that at least some of them are very unlikely to occur and even if they do, they will have a minimal impact on what we do. This is what we would ideally like to achieve because this way, this risk will have a nominal influence over my end goal. This list of risks will also include things that are more likely and highly likely to happen. The latter should be getting a red light until we figure out our strategy for dealing with them.

The third step is setting up the strategy for all these risks. The most common method is mitigating risks – taking actions that would allow for identifying risks that were previously marked high probability/high impact as low or medium. What we are trying to achieve here is to decrease the probability and impact.  

Another way of managing risks is transferring them – is there anyone we could pass these risks on to? If there are any domains where we do not have enough expertise and that is a threat in its own right, we should choose a supplier that could take over the responsibility for this domain. This way, the risk would be managed on their end.

There is also accepting risk. I can accept risk if it is at a low level, but I will need to monitor it and check its level on a regular basis.  

Another technique is avoiding risk. It occurs when, e.g., I choose a particular technology where I have no expertise and transferring risk is not possible due to a lack of firms that could take this risk on. I can avoid this risk only by picking a different technology for a certain project/task.

There’s also so-called positive risk – an opportunity. By definition, risk is something uncertain, an uncertain event, and in this case this uncertainty can come about as a positive occurrence.

One of these positive risk/opportunity management strategies is also enhancing risk. It’s about making it more probable and ensuring its positive impact. One example: we are working on a project and there is a bonus if we can deliver work earlier than expected. 


How has thinking about risk management been changing at Spyrosoft over the years?

Spyrosoft was founded by very experienced professionals, so even though things were not formalised right from the start, absolutely everyone had risk management at the back of their minds. It was just an obvious thing to do – confirmed by the ISO 9001 standard, which presents a risk-based approach to every new project and process where we start by identifying risks and addressing them accordingly.

We established this risk-based approach on an organisational level, later followed by the assurance from ISO 9001 and ISO 27001 that we received. This way, our approach was assured by the international norms.

We also set up a risk management strategy for 2019–2023 where we identified risks and opportunities and how they align with our business goals. We now have regular risk management catch-ups where we discuss risks that occurred, the ones that we avoided, how the former impacted what we do, what has changed and new risks that have emerged since the last meeting.

We can then make informed decisions on what we want to change. This method helped us at the beginning of the pandemic, when we were able to immediately start working remotely and introduce preventive measures in our offices in line with our Business Continuity Plan, which was prepared using the risk-based approach.

As a company, we provide software development services to our clients and these services also have their risks and their risk management certificates. When we create a new offer, we also identify risks and create a risk register that we later present to a customer. This register is then included in the project documentation, and it gets updated with new risks as the project progresses.

There is also another level to this, and it is directly related to the product that we develop in collaboration with the client. Here risk management applies to ensuring that the product is built in a way that does not harm end users’ health and life.

How do we introduce clients to our perspective on risk management? 

We talk about our processes and risk management documentation that we will have to create during the contract agreement process. Spyrosoft Project Managers are well aware of how important risk management is regardless of what format it eventually takes: a formalised risk register or a list in Jira. What matters is that this documentation gets prepared, and it is applied on all levels during different stages of the project and for various risk levels. 

In the initial stage of the project, we also use qualitative risk assessment which allows us to take a methodical approach to identifying risks. We can then apply a risk matrix and see where these identified risks are – and if they are acceptable or not. 

Tool qualification is also commonly used in all our projects, particularly in those in the automotive and healthcare industries. For projects from the latter sector, we also need to analyse the safety of all tools, including software tools, to make sure that writing code in them would not lead to failure later in the product itself. We also extensively configure these tools, so these risk analyses need to be regularly repeated using the risk management framework.
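The process described in the interview – identifying risks, scoring them, placing them on a risk matrix, and choosing mitigate / transfer / accept / avoid (or enhance, for opportunities) as the response – can be captured in a small risk register. The block below is an added illustration and not Spyrosoft's own tooling or register format: the 3×3 likelihood/impact scale, the low/medium/high thresholds, the acceptance threshold of 2 and all sample risk entries are assumptions constructed for the example. It re-scores each risk after its response is applied, so the residual rating can be checked against the acceptance threshold and anything still carried by the project above that level is flagged for monitoring.

```python
"""Toy qualitative risk register with a 3x3 likelihood/impact matrix.

Added example, not the company's own tooling. Scales, thresholds and the
sample risks are assumptions chosen to illustrate the interview's process.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional


class Response(Enum):
    MITIGATE = "mitigate"   # reduce likelihood and/or impact
    TRANSFER = "transfer"   # hand the risk to a supplier who owns that domain
    ACCEPT = "accept"       # live with it, but keep it on the monitoring list
    AVOID = "avoid"         # change the plan so the risk cannot occur at all
    ENHANCE = "enhance"     # for opportunities: raise likelihood or impact


# Assumed: 1..3 scales, rating = likelihood * impact (cells 1,2,3,4,6,9).
ACCEPTANCE_THRESHOLD = 2   # assumed: a rating above 2 cannot simply be accepted


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int            # 1 (unlikely) .. 3 (highly likely)
    impact: int                # 1 (minimal) .. 3 (severe)
    opportunity: bool = False  # "positive risk" in the interview's terms
    response: Optional[Response] = None
    owner: str = "project"     # who carries the risk after any transfer

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError(f"{self.risk_id}: scores must be in 1..3")


def score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def level(risk: Risk) -> str:
    """Map a matrix cell to the assumed low/medium/high bands."""
    s = score(risk)
    return "high" if s >= 6 else "medium" if s >= 3 else "low"


def is_acceptable(risk: Risk) -> bool:
    return score(risk) <= ACCEPTANCE_THRESHOLD


def respond(risk: Risk, response: Response, likelihood: Optional[int] = None,
            impact: Optional[int] = None, owner: Optional[str] = None) -> Optional[Risk]:
    """Apply a response and return the residual risk (None when avoided)."""
    if response is Response.AVOID:
        return None                                   # removed from the register
    if response is Response.ACCEPT:
        if not is_acceptable(risk):
            raise ValueError(f"{risk.risk_id}: rating {score(risk)} is above the acceptance threshold")
        return replace(risk, response=response)
    if response is Response.TRANSFER:
        if not owner or owner == risk.owner:
            raise ValueError(f"{risk.risk_id}: transfer needs a new owner")
        return replace(risk, response=response, owner=owner)
    # MITIGATE / ENHANCE: re-score with the new likelihood and/or impact.
    residual = replace(risk, response=response,
                       likelihood=risk.likelihood if likelihood is None else likelihood,
                       impact=risk.impact if impact is None else impact)
    if response is Response.MITIGATE and score(residual) >= score(risk):
        raise ValueError(f"{risk.risk_id}: mitigation did not lower the rating")
    if response is Response.ENHANCE and (not risk.opportunity or score(residual) <= score(risk)):
        raise ValueError(f"{risk.risk_id}: enhance applies only to opportunities and must raise the rating")
    return residual


# Constructed sample register (not real project data).
SAMPLE_RISKS: List[Risk] = [
    Risk("R1", "Certification test-lab slot not available before release", 3, 3),
    Risk("R2", "No in-house expertise in the chosen motor-control stack", 2, 3),
    Risk("R3", "UI translations delivered late", 2, 1),
    Risk("R4", "New firmware build chain unproven in CI", 3, 2),
    Risk("R5", "Contract bonus for early delivery", 2, 2, opportunity=True),
]


def plan_responses(register: List[Risk]) -> List[Risk]:
    """Apply one assumed response per sample risk; return the residual register."""
    decisions = {
        "R1": (Response.MITIGATE, dict(likelihood=1)),          # book the slot now
        "R2": (Response.TRANSFER, dict(owner="stack-vendor")),  # supplier owns that domain
        "R3": (Response.ACCEPT, {}),                            # low rating, monitor only
        "R4": (Response.AVOID, {}),                             # stay on the proven toolchain
        "R5": (Response.ENHANCE, dict(likelihood=3)),           # plan for the bonus
    }
    residual = []
    for risk in register:
        response, kwargs = decisions[risk.risk_id]
        outcome = respond(risk, response, **kwargs)
        if outcome is not None:
            residual.append(outcome)
    return residual


def needs_attention(register: List[Risk]) -> List[str]:
    """Threats still carried by the project and still above the acceptance threshold."""
    return [r.risk_id for r in register
            if not r.opportunity and r.owner == "project" and not is_acceptable(r)]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.risk_id}: {level(r):6} ({score(r)}) {r.description}")
    residual = plan_responses(SAMPLE_RISKS)
    print("still needs monitoring:", needs_attention(residual))
```

In the sample run R1 stays on the monitoring list: the mitigation drops it from the high band to medium (rating 3), which is better but still above the assumed acceptance threshold, so the next catch-up should revisit it rather than close it.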