Risk Management

In this new series SciPhy Systems Project Manager Ed Hurlburt PMP, shows what it takes to project manage a facility development or scaleup project, starting with immediately usable, top-level strategies for risk management for your team. Want to find out more about SciPhy's PM system? Email Ed at edh@sciphysystems.com.


Scaling in the Hemp and Cannabis processing field is still relatively new (comparatively speaking). While it shares similarities with other industries; edible oils, chemicals, and even breweries, it has numerous challenges that are unique to the industry. As such, many companies struggle with overcoming the uncertainty that comes with building a new facility, developing requirements, procuring equipment, obtaining required permits, and bringing all the pieces together into a functioning facility.

In Part 1 of this post, we’ll take a look at project risks, and the basics of Risk Management.

In a future Part 2, we’ll be looking at specific areas of risk we anticipate in our projects, and look at specific risk mitigation strategies.

Known Unknown’s vs. Unknown Unknowns

Wait, what?

One of the cornerstones of Project Management is Risk Management. The Project Management Institute defines Risk Management as: “Project Risk Management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control on a project”. Whew, that’s a mouthful! A simpler explanation is that “Risk Management is the process of identifying and managing project risk - or the “known unknowns”.

By utilizing tools such as a risk matrix and risk register, and by having productive, cross-discipline work sessions, we attempt to identify any point where risk can affect our project. We rank potential risks based on probability and impact, then develop strategies (responses) to minimize or mitigate the probability of the risk occurring. Not all project risks can be prevented, so we also must attempt to find ways to minimize the impact to our projects should the risk occur.

An unknown unknown is a risk that we don’t know or suspect yet (see, not as crazy as it sounds). One example of an unknown unknown is COVID. How many businesses, projects, and lives were impacted by COVID with little to no warning? Not all unknown unknown are catastrophic events; but hurricanes, tornadoes, earthquakes, fires, and other destructive events certainly qualify in this category. The bottom line is - no matter how well you plan your risk responses to the known unknowns, there is potential for events outside your control, to impact your project. How do you deal with these? A common strategy is contingency planning and risk reserves. One example of this would be to keep a reserve of cash or credit to help cover bills in the case of an extreme event. Another may be insuring your project, equipment, etc. against catastrophic events. Using the COVID example from earlier - the government did offer stimulus that helped many businesses, but what if that had not been available? Could your business have survived otherwise?

While risk planning is typically done at the beginning of a project, it doesn’t end there. The team should review the risk register regularly to determine if either probability or impact has changed, and also to add/mitigate any NEW risks that emerge during the project.

Risk Identification

The first step in managing risk and uncertainty in a project, is identifying as much potential risk (known unknowns) as possible. One tool that is frequently employed to help identify risks is brainstorming. By utilizing a cross-functional team in the brainstorming session, you can bring divergent viewpoints as to what might impact the project, and team members can build ideas off each other.

Brainstorming is a process of allowing your team the freedom to throw as many ideas out as they can in a fixed period of time. The relatively short duration of the brainstorming effort is focused on quantity, not quality of the ideas, and the brainstorming is done in a positive environment, free of criticism. 

For colocated teams, Brainstorming sessions are typically performed in a room with a large white board and abundant sticky notes.  Headers may or may not be put on the board, but one strategy is to write headers of the various internal and external risks categories, and then team members place their sticky notes under the appropriate header.

After the brainstorming session, the team then works to remove duplicates, re-categorize risks if needed, and up vote / down vote risks to ensure the remaining risks listed are relevant and worthy of follow-up with risk response planning.

For remote teams, there are online options for brainstorming. A virtual whiteboard can be set-up and the team will put virtual sticky notes on the board just as they would in a colocated setting. The same post-brainstorm review would occur, albeit virtually.

pasted image 0

Fig 1.1: Brainstorm - Risk Categories

Once the risks have been identified, sorted, duplicates removed or merged, and the categories identified - the risks are entered into a Risk Register. Once the risk register is populated with the risks, we’ll rank the risks based on probability and impact, and then develop mitigation strategies.


Fig 1.2: Risk Register

Risk Ranking

Each risk has two basic components we are interested in ranking and tracking. These two components combine to give us an overall risk score for each risk identified. For each of the items below, we’ll use the risk of shipping delays on critical equipment as an example of how the concept is applied.

Probability: This is the likelyhood of the risk occurring. Several factors can go into influencing the probability of a risk, and the probability may change throughout the project based on factors, including any mitigation strategies we may employ. Depending on the project complexity and desired granularity of ranking risks - Risk Managers employ scales of 1-3, 1-5, or 1-9. In the example shown in Fig 1. below, we have decided on a 5x5 matrix. So, for each risk we’ll assign a probability of 1-5, with 1 being the lowest chance of occurrence, and 5 being the highest. Most of our mitigation strategies will deal with trying to reduce or eliminate the probability of the risk occurring. In our example of potential shipping delays, if we have a vendor we know is pretty good on their timelines for shipping, we might put the probability at 2.

Impact: This is a determination of how much a given risk occurrence would impact our project.  Like the probability, we will assign an Impact rating of 1-5 with 1 being the lowest impact, and 5 the highest. While ideally we try to prevent risks from occurring, we can sometimes come up with mitigation strategies to minimize the impact of a risk event, we’ll typically focus on reducing probability. Again, using our example of a potential shipping delay, we look at the impact to the project if the critical equipment is delayed. Knowing the client’s focus on maintaining schedule, we see Impact as a 4.

Risk Score: We create the overall Risk Score by multiplying the Probability and the Impact scores. This allows us to determine where we want to focus our efforts on risk mitigation. For a given project, we may determine that we don’t want to address any “minor” risks, or we may decide we cannot tolerate any “severe” risks in our project. This is determined by the “Risk Appetite” of an organization and/or a client. In our shipping risk example, we ranked Probability as 2, and Impact as 4. This gives us a Risk Score of 8, or Moderate. 

risk matrix

Fig 1.3: Risk Matrix

The Probability, Impact, and Risk Scores are then entered into the Risk Register, where we can assess specific mitigation strategies for each.

In Part 2 of this post, we’ll be going a whole lot deeper, looking at specific areas of risk we anticipate in our extraction and processing facility buildout projects, as well as exploring specific risk mitigation strategies.


Ed Hurlburt, PMP has been managing projects for over 10 years, and has been a PMP Certified Project Manager since August 2015. Ed’s experience spans the Semiconductor and Automation Industries, managing projects with Fortune 500 companies worldwide. Ed currently manages projects for SciPhy Systems, a leading provider of large scale hemp processing systems.