During software development, have you started to consider risk management as a long-term way of optimisation? You have probably already experienced it on a small scale: testing. But sometimes testing is not certain enough for us to rely on completely.
So, how can we take control of risk management? Let's explore with Savvycom the first part of an effective strategy for dealing with this side of software engineering: IT risk mitigation.
1. Four basic steps of IT risk mitigation overview
By definition, IT risk mitigation is the primary strategy, achieved through a plan, of developing options and actions to increase opportunities and lessen threats to project objectives.
Step 1: Risk identification
Before we can figure out which risks we need to mitigate, the first thing to do is identify them. With some useful tools, and sometimes simply by observation, we can notice risk events and the correlations between them (just like in detective movies, when the main characters gather all the clues they can find and try linking them together to detect the key problems).
Once we have clearly defined the risk events and their relationships, let's move to:
Step 2: A risk impact assessment.
In this step, we try our best to assess the probabilities and consequences of risk events. Each risk event has its own issue, concept and background, so we should approach it from many angles. When you are evaluating consequences, it is helpful to consider several factors carefully: cost, schedule, technical performance impacts, capability and functionality impacts, etc.
The level of risk impact depends on how you evaluate each factor. Here are 3 assumptions you can use for reference:
- Assumption 1: There is a small slip or delay in the schedule, a small increase in total cost and a minor shortfall in operational performance, none of which affects the software development process overall. In this case, the chance of risk occurrence is low (10-25%).
- Assumption 2: There are small slips or delays in the schedule, a relative increase in total cost and some minor shortfalls in operational performance, which have negative impacts on the software development process. In this case, the chance of risk occurrence is not comfortable at all (25-50%).
- Assumption 3: There are large slips or long delays in the schedule, a significant increase in total cost and major shortfalls in operational performance, which not only have negative impacts on the software development process but also affect the contract with the client. Now the probability of risk occurrence is alarming (more than 50%).
Step 3: Risk prioritisation analysis.
Now we start ranking the identified risk events from 'most to least' critical (or by the importance and urgency model) based on decision-analytic rules.
At this point, we can classify risks into three categories: high, medium and low criticality. After that, we mark low-criticality risks as watch-listed risks (written down in the risk-tracking list) so we can track them in the future. High- and medium-criticality risks move on to step 4: IT risk mitigation planning, implementation and progress monitoring. Because we don't have enough resources to fix all the problems at once, we had better prioritise the urgent risks first: the high- and medium-criticality ones.
Step 4: IT risk mitigation planning, implementation and progress monitoring.
We have quite a few options in this step, so I will explain them in more detail below. Basically, we use different strategies and methods, approaching the problems from many aspects, to mitigate the identified risks and resolve them completely.
One thing to note here concerns the watch-listed risks from step 3: risk prioritisation analysis. After a time, some low-criticality risks may have become a major issue for your business. In that case, we move them straight to step 4: IT risk mitigation planning, implementation and progress monitoring, to fix them immediately and to reduce and restrict as much as possible their potential damage to your business.
2. Strategies for IT risk mitigation
As I mentioned before, there are different strategies for each risk, depending on the type of risk, the situation and how much budget you can spend to fix it. Without further ado, let's take a closer look at this core of IT risk mitigation.
There are 5 prominent candidates that are able to solve your problems in software engineering: assume/accept, avoid, control, transfer and watch/monitor.
2.1. Assume/accept
Risks can take a toll on many sides of your business, from cost and schedule to technical performance, and overall they have a negative impact on your revenue, profit, etc. No one wants to do unprofitable business in the long term, right?
Basically, this method means that you recognise the existence of a particular risk and make a purposeful decision to accept it without putting all your effort into controlling it.
In terms of concrete tasks, you and your team need to cooperate with the operational users. What do you gain from this cooperation? An overall understanding of the risks and their implications, which is a precious source of value for your business to further improve the user experience as well as your software engineering products. A good understanding of these impacts will provide you with a better solution to fix the problems.
For example, Savvycom received an offer to develop and design a mobile platform application, iHeartLocal. During the software development process, our client also came up with several new requests that could optimise the efficiency of the iHeartLocal app (which, of course, might affect the budget and timeline). However, applying Agile Methodology and letting our client join the development process helped us understand their ideas and point out which parts we needed to enhance. With this IT risk mitigation method, our client iHeartLocal could improve the experience for their users, discover some potential that the app might have, and properly adjust it before launching.
2.2. Avoid
In this strategy, we adjust software requirements or restrictions to lower the risk effect. The adjustment can be a change in funding, schedule or technical requirements.
Again, you need to work with clients to gain a collective understanding of the risks and their implications. We can apply schedule adjustments, technological advances and other developments to improve the performance of your product/service. You can then show your product/service to the users again and evaluate whether or not they have a better experience. Otherwise, you had better try to identify the capabilities that will be delayed and any impacts resulting from dependencies on other efforts.
2.3. Control
This strategy means that you implement actions to lessen the likelihood and impact of the risk.
There are various options within this control strategy alone. One way is to look for potential solutions in other companies' similar risk situations. For instance, our client InsuRebel wanted to find an IT outsourcing partner at an affordable cost. They got a recommendation from another person who had previously reached out to Savvycom in the same situation: finding a trustworthy IT partner at a good price.
Or you can simply have other companies solve the problems for you. In that case, remember to take good care in assessing any architectural changes needed and their implications.
2.4. Transfer
From the common meaning of the word 'transfer', I think you may get the point. The intention is to reassign organisational accountability, responsibility and authority to another stakeholder who is willing to take the risk.
When you start considering 'transfer' as an option, you should pay careful attention to the factors that can change and become involved in the process. One main piece of advice I can give you is: position your business and your customer. Remember, your customers are the ones buying your product/service, so any transfer must benefit them and meet their needs, not the opposite.
For example, in one of our projects, Jio Health, we were involved in the application development process and upgraded their instant-access healthcare service in order to better meet the needs of their customers: doctors and patients. With the further development of wearable technology device integration, Savvycom assisted Jio Health in optimising health progress tracking with deep insights, without any deviation from the core values of the project.
2.5. Watch/monitor
It simply means that you monitor the environment for changes that affect the risk.
Remember the watch-listed risks I mentioned before? They can be considered one practice of the watch/monitor method. Sometimes you need to go back over some low-criticality risks and their basic assumptions and premises.
Then you scan their environment to see whether anything has changed with the risk. If your approach is ineffective, you need to adjust it to make it better, or simply change the method. If your approach proves its efficiency, see whether or not you can apply it to other situations.
The typical example of this method is technological advancement. Before, most businesses relied heavily on a big private operating system to run their operations. But after the birth of cloud computing, the game changed. With the many innovative advantages the cloud offers, the risk of losing your position in the market is really high, because of outdated operating systems and slower work efficiency compared to your competitors. The lesson from this example is that your business needs to adopt new technologies based on environmental changes.
With many years of experience in software development and risk mitigation in IT outsourcing projects, Savvycom is proud to have satisfied over a hundred clients around the globe in more than 300 projects.