Risk analysis and mitigation is important in managing any project. Six Sigma is no different in this regard. You’ll need to understand what risk is, how it can affect your project, and what to do about it.

Risk comes from not knowing what you’re doing.

Warren Buffett

What is Risk?

Put simply, a risk is a chance of something negative happening. In the context of Six Sigma, risks are things that can delay, halt, or harm your project.

There are a few different types of risk:

  • External: Occurrences outside your company that you have little to no control over. For example, natural disasters, social changes, government policy modifications.
  • Consequential: Things that happen because of something the company does. For example, a new product receives a negative reaction and public opinion declines.
  • Personal: Issues arising from staffing, management problems and the like. For example, a subject matter expert resigns, leaving you without a key source of knowledge.
  • Technical: Problems with technology and automation. For example, a company might find that their current automated production hardware can’t be configured to use a new algorithm that would decrease production time.
  • Supply: Every project requires some resources. In most cases, you’ll need these resources – whether physical or intangible – to be supplied. For example, you might need material for producing a new part. Conversely, you might be reliant on getting enough cloud resources to test a new SaaS product.

Note: You’ll find that every industry and company tends to define its risk categories differently, according to need. You’ll rarely use the exact categories mentioned above. What matters is that you understand the broad varieties and sources of risk – then you can adapt as needed.

Risk is what’s left over when you think you’ve thought of everything.

Carl Richards, Future Babble

What We Can Do About Risk

Every project will contain risks. Some of them you’ll be aware of; some of them will hit out of the blue. No matter how hard you try, you can’t eliminate all risk from a project. So why are we even talking about this? Because through risk analysis and mitigation, you can decrease the chances of big negative effects on your project results. Or in other words: you can give your projects their best possible chance of success. Risk analysis and mitigation requires identifying your risks, understanding how they might affect your project, and then figuring out what you can do to minimize their effects.

Figure: Risk analysis and mitigation process (Identify, Analyze, and Mitigate).

Risk Mitigation vs Risk Avoidance

You’ll sometimes see ‘mitigation’ and ‘avoidance’ used together, but when it comes to risk, these are quite different concepts. That’s because while risk analysis and mitigation focuses on handling risky situations, risk avoidance tries to eliminate them.

“Isn’t it good to avoid all risk?” you might ask. Emotionally, yes. But every great endeavor involves an element of risk. Remove all risk from your project, and you end up with a very boring, very bland, uninspiring result.

All good projects will have risks attached to them. Your job isn’t to take away all the risks – it’s to minimize their negative effects.

And the trouble is, if you don’t risk anything, you risk even more.

Erica Jong

How to Identify Risks

So you know what risk is, and you know the main types of risk you could encounter. How do you actually identify the risks your particular project could face? There are a few methods you could use:

  • Brainstorming: Sit down with team members and subject matter experts to throw around some ideas for risks in the major risk categories.
  • Learned lessons: What did you learn from previous projects? Are any of the negatives from these applicable to the new project?
  • Keystones: What are the important supports on which the project relies? These could be people, regulatory requirements, a piece of technology, an environmental situation. For example, say you’re designing a new piece of hardware for the building industry. Your keystones might be a supply of cheap steel from overseas and a continued boom in the commercial building industry.
  • Assumptions: This is a tricky one, because it requires you to question points that you unconsciously consider factual. Sit down with your team to identify assumptions that you have about the project. For example, that all members of your team will always be available to work in the office.
  • Fault tree analysis: This tool allows you to chart a process and its potential failure points. See Fault Tree Analysis for more information.

How to Analyze Risks

Once you’ve identified your risks, the next step is to analyze them. Analysis allows you to understand the risks that your project faces. You’ll then be able to prioritize them by severity and likelihood.

Properly analyzing your risks at this stage ensures that:

  • The most dangerous risks can be dealt with appropriately.
  • You don’t waste resources countering risks that aren’t important.
  • Your team can channel their efforts into getting the most benefit.
  • The project is safeguarded wherever practical.

Good risk analysis improves stakeholder confidence, minimizes unexpected expenditures, and allows for appropriate resource allocation.

Risk analysis tools

There are a few tools that you can use in your risk analysis:

Risk analysis results

At the end of your risk analysis, you should have a list of risks, prioritized by danger level and likelihood.

How to Mitigate Risk

Once you fully understand the risks to your project, the next step is to mitigate those risks. To mitigate a risk means to limit negative effects as much as reasonably possible. You will rarely completely negate a risk. Rather, it’s like installing airbags into a car. The airbags won’t stop you having a traffic accident. However, they will give you some protection if you have a collision with another vehicle at speed.

Each of your risk mitigation strategies should either:

  • Limit the chances of a negative event occurring, or
  • Limit the effects of a negative event, if it occurs.

Add at least one mitigation strategy to each risk. You might find that you can apply a single strategy to more than one risk – this is good!



It’s all very well to have strategies to mitigate risk. But these are useless to you if you don’t follow through and do something. While you’ll be able to put some into place immediately, others will be contingency based. You won’t be able to enact these ahead of time. However, you can clear the path to ensure that if you need to implement them, the process will be easy and smooth.

Example Risk Analysis and Mitigation

A construction company has a large CBD building project beginning soon. It needs to identify, analyze, and mitigate risks to the project.


The project team brainstorms and looks at similar past projects to gather a list of risks for the project.


The team uses a feasibility study and risk assessment matrix to analyze and prioritize the risks that the project faces. It determines that the highest priority risk is that issues with shipping will cut supply lines and halt construction on the site.


While changing to a local supplier would eliminate that risk, it would also increase costs dramatically. The project team decides that the cost outweighs the benefit of eliminating the risk. However, it decides to make local suppliers an alternative option if the shipping issues actually occur. Getting a new supplier signed off requires quite a bit of paperwork and due diligence. If the problem hits, the team doesn’t want the project held up while this sign-off process happens. Instead, it starts the process at the beginning of the project, so that if it can’t get material from international suppliers, it can quickly and easily switch to the local suppliers instead.

Note that this solution does not in any way change the potential event. The chances of international shipping disruption remain exactly the same. What the team has changed, though, is the negative impact that the event would have. The project might have higher costs, due to higher prices from local suppliers, but it shouldn’t experience a time delay.

