The risks associated with the execution of the implementation plan if the case is funded and the risks faced by the organization if the case is not funded.
Identifying and understanding risks should be an important part of any organizational activity. Mitigating the risks identified through proactive management reduces the likelihood of them occurring and/or reduces their impact when issues do occur.
As it is a process that is commonly used across many types of activities, it is a useful tool for sharing information in a format familiar to people working across different disciplines or areas of an organization. An assessment of the risks faced is, therefore, an essential part of any business case as it helps those evaluating the business case to understand the potential impact of the work even if they are unfamiliar with the details of digital preservation.
There are two groups of risk that you may wish to discuss within your business case:
-
Risks associated with the execution of the Implementation plan, should the business case be funded.
-
Risks faced by the organization if the business case is not funded.
A description of the risks that would be faced during the execution of the options set out in the business case will allow those assessing the business case to compare the potential negative impacts of the work with the benefits that will be accrued. The risks included here should align with the implementation plan as described in a previous section. The risks covered might include problems occurring that would cause delays, how staffing changes might affect progress, or technological risks faced.
Setting out the risks faced by an organization if the business case is not funded can be a particularly persuasive part of making your case if the risks faced are significant (e.g. they affect revenue streams or may result in the failure to meet legal obligations) or your organization is particularly risk averse (e.g. the risk of data loss might result in harm to a organization’s reputation which could in turn affect funding). If you plan to include such risks, it is important to ensure the risks described are realistic and relevant and to avoid an approach that might be described as “scare-mongering”. Note that it may be more suitable to include these kinds of risks as “dis-benefits” in the benefits section of your business case.
Depending on the organization or project in question the business case may only need high-level risks to be identified, whereas others may require a full, detailed risk assessment to be carried out. A more in depth risk assessment exercise might identify the likelihood and impact of each identified risk. Scoring and multiplying together the likelihood and impact will give a raw risk score. Risk mitigation activities may then reduce these scores, providing an indication of most significant risks for further consideration.