Risk Assessment: How to Avoid a Disaster When You’re Growing Rapidly

Risk assessment is an important part of any project. If you’re not identifying risks, determining their likelihood and planning for potential disasters, you’re going to find yourself in hot water if something goes wrong.

I’m not talking about the business equivalent of a nuclear bunker. What I mean is creating a set of policies and procedures to make sure that you have an eye on risks and how you can handle them.

In this post, I’m going to discuss how we tackled risk assessment when implementing a ticketing service with one of our clients, Zero To Hero…

Meet Zero To Hero

Zero To Hero offer white collar boxing experiences to the everyday consumer. Customers sign up for over 40 hours of professional boxing training that culminates in a professional-style bout under the spotlights on Fight Night.

Zero To Hero were selling paper tickets for Fight Night either face to face or over the phone. This had worked fine while they were establishing themselves in the Bristol area, but with a plan to expand the business nationally (from 1 location to 10!), Zero To Hero knew they would need a ticketing system that could scale…

The Solution: eticketing

The obvious solution was eticketing. However, as with most business changes, switching from paper tickets to etickets carried a number of risks…

Picture the scene… there are 2,000 spectators at the gate, 60 minutes until the show starts… and you’ve just been told there’s a fault on the server that handles your etickets. How are you going to check people in? Will you have to delay or cancel the event? Or will you just let anyone and everyone in?

And after the event, investors are asking whose fault it was and if there’s anything you can do to recoup losses? Not to mention how you’re going to rebuild your reputation.

Fortunately this nightmare scenario is fictional. But it’s one that we had to consider.

If, like Zero to Hero, you’re at the verge of rapid expansion in your business, what can you do to avoid a catastrophe?

Spotting the Risks

It takes effort and mindfulness to see the risks directly associated with your project. It’s an even trickier art to spot the indirect risks!

Until recently, Zero To Hero had used printed tickets with anti-forgery foil built into them. While eticketing was clearly the right solution, and even relatively simple to implement from a technical perspective, it still carried a number of risks that needed to be considered…

Direct risks

There were two main direct risks associated with switching to etickets:

1. Software failure
2. Server failure

The likelihood of the server failing is low, although it does happen. If your website’s down, no one can make a purchase through it. This can be exceptionally harmful if you’re expecting a high volume of traffic and your products are readily available through a competitor (for example Amazon lost an estimated $4.8 million after a 40 minute outage in 2013).

For Zero To Hero, a short period of downtime would have a low impact. Due to the fact that there was nowhere else customers could go to sign up or buy tickets, we anticipated that, should the site go down, most customers would return later.

The second risk – software failure – can be reduced by using a proven, off-the-shelf ticketing solution.

Better still, if the ticket sales can be handled by an online third party service, then both software and server risks are minimised. There may even be a service guarantee that provides something of a financial safety net.

Indirect Risks

In this case, one obvious indirect risk stood out. Until now the tickets had anti-forgery foil built into them which could easily be checked by looking at them.

Etickets, however, are typically emailed out and contain a QR code (a sort of 2D barcode) that can either be displayed on a smartphone or printed out. They can be scanned with a smartphone app or a dedicated scanner. Either way, they verify the code with the server over the internet, and check that the ticket hasn’t been used before.

While this all sounds pretty simple, there are several potential risks…

1. Software and server failure
2. Internet failure
3. Localised power failure

The biggest risk is still with the software or server. However unlike for ticket sales, an outage for an hour or two, would be very disruptive.

In this instance our recommendation was not only to go with a third party service provider (who would be responsible for both the software and the server), but to go for a trusted name like Eventbrite or Ticketleap. While these solutions are more expensive than their competitors, we deemed them more reliable than cheaper alternatives.

Secondly, we concluded that Internet and power failure were not that likely, but for extra peace of mind, they can be mitigated against by having a downloaded/printed version of the ticket sales list.

While power failure could have a huge impact, it would likely result in the event being cancelled anyway and so any risk associated with ticket sales would be negligible in comparison.

How to spot risks and deal with them appropriately

Okay, that makes sense for Zero To Hero, but what about you? What you do is different. Your circumstances are different. The only similarity is that you’re growing.

“Projects are about engaging with risks, not avoiding them. We engage with risk in order to achieve commensurate rewards. If we can eliminate all risks, then the project is probably trivial, the rewards inconsequential.” – Graham Oakes, Econsultancy

Here’s how we approach to risk management at Simpleweb…

1. Look for the changes

Every change involves a risk. You get to know things the way they are, so any kind of change involves some potential for complications you might not anticipate.

Merely knowing this means you’ll have your eyes open.

Technology changes, especially. It may look straightforward to upgrade to v2.0, or replace CoolTech with DopeTech. But what else is changing as a result?

The direct risks should be obvious to you and will be specific to what you’re changing. You’re obviously making the change for a reason, so the direct risks are probably related to that thing too.

Indirect risks

The indirect risks are harder to spot.

Could your changes affect any of your systems? Maybe upgrading one piece of tech requires something else to be upgraded. “Sorry, that version of Xxxxxx requires yOS 8.0”

Are there stakeholders involved? If you’re dealing with larger organisations, you can bet that your changes will have an implication for at least one stakeholder that probably never crossed your mind as an issue.

Do your changes affect the way people work? There are whole books on Change Management and preparing people for change, mostly because we’re creatures of habit and mostly people hate change… especially if it’s forced on them.

• Do your changes alter the way people interact with each other?
• Do they add to or remove anyone’s sense of ownership or ability to be autonomous?
• Will people need to adapt or relearn new technology or processes?

2. Avoid if you can; mitigate if you can’t

The first rule of any self-defence school is: run if you can, fight if you can’t. It’s smart to learn how to deal with a conflict. It’s even smarter to avoid a conflict entirely.

So the first question has to be: is that change you’re planning really necessary, and do the benefits outweigh the issues?

Let’s say the answer is yes. Are there ways you can achieve your growth without having those risks? Maybe a different approach is less risky.

Having explored the options, you have a plan, and it has some risks. Before those risks have a chance to show themselves, prioritise them. How likely are they? How much impact? And how soon?

Then consider what you could do to handle things if a risk became an issue. That way you’ll be much better prepared for what’s coming.

Check out this article from Brighthub Project Management on how to create a risk register to manage your risks.

3. Know your strengths. And your weaknesses

When you’re going through a period of rapid growth, you’ll need more staff and an infrastructure that’s capable of delivering the growth. That means reaching outside your comfort zone, and crucially your expertise.

During this time, your instinct may be to spend as little as possible on outside services – that’s the natural response from a business that’s been in startup phase.

However, growth involves risk. And the biggest risks are those you don’t know about, which is why it makes sense to bring in experts. Not because they’re better at spotting risk than you, but because they’ll have experience with different types of risks you’re facing.

Even if you are unable to bring in experts to assist you with all kinds of risk, working with reliable third party services will certainly help you reduce risks.

Bonus tip for technology changes: Lead the tech. Don’t let it lead you.

Business decisions should start with the business, not the technology.

That’s not to say technological advances should be avoided. It’s more that you should have a strong business case for embracing new technology. At Simpleweb we think of ourselves as “technology agnostic”. We love new tech, but we use it only where it’s the best solution, not for the sake of it.

Choosing tech that suits your business, rather than trying to keep up with the hottest new advances, means you’ll make sure its right for the business so you can dictate what the tech needs to do and not the other way around.