Risk Management and COVID-19

Written by lewsauder

July 3, 2020

We have all been talking about business disruption for a few years. But none of us foresaw the disruption that COVID-19 has inflicted upon us.

It has taken over virtually every aspect of our lives: how we do business, socialize, learn, and shop. Terms that we had never heard of a mere three months ago, like social distancing, contact tracing and shelter in place, are now part of our everyday lingo. I have heard the term unprecedented more than I care to admit. I am really looking forward to more “precedented” times.

I have found it interesting how different people have approached it in such different ways. There are people who have taken the threat of this virus very seriously. They are quarantining with only their family members. They leave the house only for necessary items. They wear a mask and limit those outings as much as possible. They keep a six-foot distance whenever possible. They wipe down groceries, doorknobs, light switches, and anything else that may have been touched by human hands.

Others appear barely concerned. They continue to socialize with friends with the same viewpoint. They do not wear a protective mask. They are following a business as usual approach.

Neither side has been definitively proven right or wrong. Different philosophies drive these varied approaches. Some are driven by their political views on their liberties. Others do not believe the threat is as high as it has been painted by the media.

Project risk management

I have seen a parallel to how people approach risk management on projects. I try to always consider a wide variety of risks on projects. I do a deep dive at project start-up, and then address it frequently throughout the duration. Some think I spend too much time worrying about things that will probably never happen.

Many of the risks that we discuss never become issues. As a result, the mitigation plans that we had for them are never implemented.

Dwight Eisenhower famously said, “Plans Are Worthless, But Planning Is Everything.” My interpretation is that as soon as you write down your plan, the situation changes, making it obsolete. But, because you have made the effort to plan, you have the information available to adapt to those changes.

When we plan projects and address risks, there are two key things you want to consider:

·        What is the likelihood that this will occur?

·        What would be the impact to the project if it occurred?

You then want to consider how you would mitigate that risk. They fall under four general categories:

·        Risk avoidance: This is done if there is a high probability that the risk could occur, or if there would be high impact to the project. The project will take proactive measures to ensure this risk does not occur. For example, if the workplace is in a high-crime area, the company may move to a safer location to avoid the risk.

·        Risk acceptance: If the impact and likelihood to the project are low, you may decide just to accept the risk and do nothing except stay aware of it. If there is a risk that one of your programmers on staff may quit, you may accept that risk, since there is an option to pull programmers from another, lower-priority project.

·        Risk reduction: If the impact and likelihood are high, you may want to take measures to reduce the risk. For example, if the risk is that a key member of your team could quit, you may increase that person’s salary to reduce the risk. This can often be combined with a risk avoidance strategy.

·        Risk transfer: With certain risks, there may be options to transfer it to a third party. This is the case when using an off-site data center for disaster recovery or purchasing insurance.

Impact: Possibilities vs. Probabilities:

You may have had the misfortune to study statistics at some time in your life. In statistics we learn that there are “Type I Errors” and “Type II Errors.” A Type I Error is a false positive, assuming something is true when it is false. Conversely, a Type II Error, a false negative, is assuming something is false, when it is true. Impact is what drives which error you want to avoid.

In the Midwest, where I live, tornados are an inherent risk. A few weeks ago, during a thunderstorm, the tornado siren went off. I gathered up the family and we went to the basement. We sat down there for a while and watched an episode of The Office. By the time the episode was over, so was the warning.

In the 20 years we have owned the house, we have probably averaged 1-2 tornado warnings per year. Every time it happened, we have gone to the basement. We count our blessings that our house has never been hit with one. It has always been a false positive. Historically, even in a tornado warning, the probability is low. But there is the possibility it could hit our house. We can replace the house and belongings, but not our lives. Therefore the impact would be great. Despite never being hit, we go to the basement every time.

Many people face the COVID-19 risk the same way. The odds of being infected appear low. The odds of dying from it are lower. Despite all of that, it spreads easily and there is no cure. The impact of death or passing it to someone at risk is high. As a result, they practice risk reduction. They wear a mask. They wash their hands regularly. They practice social distancing.

This is the most difficult type of risk to discuss in project risk planning. I have been known to bring up a risk and get the response, “That is so unlikely it’s not worth discussing.”

For example, I once brought up the risk that we could lose our entire programming staff if they all quit. I will agree that it is unlikely, but not impossible. I once heard of a project team where three members quit to start their own development company. Within a couple of weeks, they had hired almost the full team away from their previous employer.

While the likelihood was low, the impact was very high. Some possible risk mitigation strategies for a risk like this:

·        Risk avoidance: Have every team member sign a non-compete contract.

·        Risk reduction: Have the recruiting team begin development of a hiring pipeline to have people ready in the interviewing process.

·        Risk transfer: Hire a recruiting firm on retainer to replace the team.

Since this is not an acceptable risk, there is no risk acceptance policy for this.

Like hand washing and mask wearing, none of these are foolproof. But they put you in a situation to be prepared in the off-chance the risk becomes an actual issue.


Everyone has their own risk tolerance. Some people appear to be afraid of any possibility that can happen. Some people have a false sense of security. Regardless of your tolerance, it is always a good idea to take the time to consider any possible risk. Discuss the probability of that risk. And regardless of the probability, consider the impact to the project if that risk evolved to become an issue.

How seriously do you take your risks?
