Test your risk management skills in a business simulator
By Ken Thompson, Sep 16, 2019 Last updated Jun 3, 2025Risk is the price of progress
- NASA
We cannot avoid risk in business or life.
The first reason we cannot operate “risk-free” is well understood – risk and reward. The level of risk is usually proportional to the potential level of reward available if that risk pays off. Therefore, if we try to avoid all risks then we will probably obtain low (or zero) rewards. This might be acceptable in our personal lives but not to our stakeholders or shareholders if we lead an enterprise, department, project or organisation.
“Risk-free” is just an illusion.
However, the second reason we cannot have a risk-free life, business or project is less well understood. Counterintuitively, even if we try to find and follow a totally risk-free path, we are still equally likely to be a victim of risk. Only in this case it will be an unexpected risk which we did not identify or fully consider in advance. So, if you think you have found a risk-free path, you probably have not done your risk assessment properly.
Let’s take a fun example to clarify:
Imagine you are on a rollercoaster ride with a possible break in the track between where you are now and the final station. The obvious mitigation is to jump off the rollercoaster early but that carries with it a risk of being injured in the jump. The passive action which might be perceived as lower risk is to stay on the ride and hope for the best. The latter choice could be seductively appealing as it is also the path of least resistance. Experience shows, however, that such passive or default paths are rarely the best options when confronted with risky situations.
Most risks are dilemmas
A useful technique here is to recognise that the most difficult decisions are actually dilemmas where a trade-off has to be made between two or more outcomes. The key thing about a dilemma is that, at least in the short term, there is no pain-free (risk-free) compromise. In the case of the rollercoaster example, the trade-off is between the high possibility of a minor injury (jumping off early) versus the low possibility of death or serious injury (staying on). You can read more about dilemma identification and management here .
Don’t confuse impact and likelihood
This simple example also highlights two other important characteristics of risk – the likelihood of a risk happening versus the impact of the risk if it does occur. Separating out these two characteristics (likelihood and impact) and not conflating them is a key aspect of effective risk analysis. More about this in a minute!
There are also two types of risk – elective risk and reactive risk
Elective risk (risks you proactively decide to take) leads us into the important topic of corporate governance. Lack of such governance can result in you betting your organisation’s future on the hoped-for outcome of a single decision. For the latest thinking on the evolving discipline of governance, risk and compliance (GRC) it is worth looking at the excellent free resources provided by OCEG – a non-profit think tank dedicated to developing and promoting GRC globally in organisations.
According to OCEG there are 4 key components of GRC:
- Learn about the organisation context, culture and key stakeholders to inform objectives, strategy and actions.
- Align strategy with objectives, and actions with strategy, by using effective decision-making that addresses values, opportunities, threats and requirements.
- Perform actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.
- Review the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organisation.
Risk management is preparing for incoming risks
Reactive risk leads us directly into the field of risk management and its components – identification, assessment and mitigation.
For example, in our Acumen or Spread simulations, as part of a team’s planning, they are encouraged to conduct a risk identification exercise to determine their top priority risks and then decide what they might do to mitigate against them.
The effective management of risk involves four interlocking disciplines:
- Risk identification
- Risk analysis
- Risk mitigation
- Risk management
Let’s look at each risk discipline in a little more detail.
Risk identification
What are all the possible risks which could occur and negatively impact your upcoming project?
Risk analysis
For each risk you have identified, what is the likelihood of it happening (low, medium or high) and the impact on your project if it did (also low, medium or high)? Some people find it helpful to show this as a 3x3 matrix of likelihood and impact.

See more details about the free risk analysis tool here .
Risk mitigation
For your top priority risks, e.g. medium/high on both likelihood and impact, what can you do to either stop them happening (risk reduction) and if not, then to lessen their impact if they do (risk resilience)?
Risk management
Now you must implement your risk mitigations and then periodically cycle round steps 1–3 to make sure your risk identification, analysis and mitigations are both current and effective. Adjust as necessary.
For more details on risk management see “A Systematic Guide to Project Management” .
Business risks or project risks?
Identifying the risk you face is the first step to managing it. Understanding the context of risk is vital to quantifying the impacts and likelihoods. We offer business simulations to help build resilience and understanding of both business risks and project risks.
Business risks
If you wish to test skills in managing business or enterprise risks then you should refer to our business acumen simulations such as Acumen or Acuity which encourage teams to identify and prioritise risks and then mitigate them through simulation decisions via risk reduction and risk resilience building.
Project risks
Learning risk management on the job is a high-risk strategy!
It is like an airline pilot learning on the job with a real aeroplane, live crew and fare-paying passengers! Not a pilot most people would knowingly fly with!
Spread project management simulation
The Spread project management simulation is built to help build understanding of handling project risks around deadlines, budgets, and unexpected events. It is fully configurable, and can be set up like this:
- Set up a typical project over an agreed time period (e.g. 12 weeks or 12 months).
- Configure a list of project activities which participants can choose from to do the project. Include good, non-optimum and undesirable activities in your list so that participants can learn from making poor choices. You also define the impact of each activity in progressing the project.
- Project activities can be once-off or repeatable and can also depend on other activities. Dependencies can be “hard” or “soft”. Hard dependencies stop you selecting the dependent task, whilst soft dependencies allow you to run a dependent task but with its performance degraded. Like non-optimum and undesirable activities, soft dependencies allow participants to learn by making poor choices.
- You now design a schedule of potential “risk events” and when each can be triggered (unless mitigated first).
- You configure certain project activities to mitigate against each of these risks (as well as the activity’s other project impacts).
- You may have one project activity mitigating or partly mitigating more than one risk. If you wish, an activity’s mitigating effect can be expired so the activity needs repeated for its mitigating effect to become active again.
- You can have a risk which requires more than one activity to mitigate it. (Thus, it is a many–many relationship between risks and project activities – just like the real world.)
If the appropriate risk-mitigating activities have not been selected before the risk event schedule is reached, then the risk will occur and its impact will be felt in your project and you will be notified that the risk has occurred and what it means.
Conclusions
Risk management or corporate governance are not the kind of skills you can get right first time or learn on the job!
These skills are ideally suited for learning experientially through computer-based business simulations or paper-based scenarios. Usually, but not always, it is best if these are team-based simulations/scenarios (rather than individually played ones) as risk management is very much a team activity.
The closer these scenarios reflect the type of risks your managers are likely to encounter, the better. You would not train a Boeing 747 pilot in a spitfire simulator!