Risk Management

“The goal of risk management is to identify project risks and plan mitigation actions in collaboration between the technical team and the business organization. Risks are probable events that could increase the project’s schedule, costs, or effort, or adversely impact overall customer satisfaction. The goal is to identify these shared risks, predict the likelihood of the risks occurring, quantify the impact should they occur, and develop a plan for addressing each risk. Most importantly, the goal is to establish agreement between the business organization and the technical team that they need to work together to manage risks as they arise during the project. The project manager should be proactive in assuring that risks are analyzed and that action is taken to mitigate the risk. If you can anticipate an event, then you should be able to weigh the consequences and develop actions to minimize negative impacts.

Risk Assessment Model

“The risk Assessment Model is a spreadsheet that provides for the documentation of the risks and computation of the change budget (or risk budget). The risk assessment method computes the risk budget as a percentage of effort of the difference between the project estimate and the worst-case estimate. The assumption is that this difference is a function of all risks.”

“In Figure 1, the project estimate is 1900 hours. The worst-case estimate is 2600 hours. The difference is 700 hours (at risk). The ten risk variables represent 100 percent, or 700 hours. Each risk is represented as a percentage of the total (Data Center will burn down = 9 percent of the total risk, or 61.12 hours). The fire control systems have a 25 percent probability of effectiveness, representing a 2 percent reduction of the 9 percent, or down to 45.84 hours. The sum of the reduced hours at risk represents the risk budget.”

“The following list defines the various column headings shown in figure 1:

• Risk Variable Up to ten risk variables may be listed in this column.
• Probability The probability of occurrence (as a percentage) is specified in this column.
• Consequence The relative consequence is indicated in this column as a value between 1 (the lowest) and 10 (the maximum).
• Relative Impact This is a numerical representation of the combination of the probability and relative impact of the risk. The sum represents the total magnitude of all the risks.
• +CB% The fields in this column are computed fields representing the percentage of the total risk per risk variable.
• Risk The fields in this column are computed fields representing the actual number of hours per risk variable of the total number of hours at risk.
• Mitigation Strategy The fields in this column indicate the mitigation action to be used to manage or prevent the risk.
• Probability of Effectiveness The fields in this column represent the probability of total effectiveness of the mitigation action upon the risk variable.
• -CB% The fields in this column are computed fields representing the percentage reduction expected of the mitigation action.
• Risk Budget The risk budget is a product of the percentage difference between (the probability of risks and the probability of the mitigation actions) and the effort at risk, or the difference between the project estimate and the worst case.”

“The risk assessment procedure should be performed monthly under the direction of the project manager in conjunction with the project sponsor. Newly identified risks should be added to the risk assessment model, and risks no longer applicable should be dropped from the risk assessment model.”

The Risk Management Process

“The risk management process consists of four steps that guide the team to identify the risks, assess the risks, plan the mitigation strategies for each risk, and update the risk management tool for subsequent risk management sessions.”

Step 1: Identify Risks

“Review the risks developed during the funding process to understand what risks were known at that time. This set of risks will have changed, but it is the baseline from which to start risk assessment in this phase. Determine which of those risks no longer exist and identify new issues and obstacles that may produce undesired outcomes. Review the issues log for items that should be represented as risks.”

“Risk elements may be introduced from many areas. Consider the assumptions made when developing the project charter and the project plan. The goal is to convert all critical assumptions into specific, ‘shared’ risks. Once the risk factors for the project have been identified, they should be documented in a risk assessment model spreadsheet similar to the one previously shown in figure 1.”

Step 2: Assess the Risks

“Each risk should be examined and quantified in terms of cost, schedule, and quality. Some risks may impact both the cost and schedule, and some risks may impact all three. How much a risk will impact the project may be derived from historical project data, industry norms, personal past experience, or the estimation model.”

“The risks need to be assessed and assigned a percentage chance of occurring. For instance, if your business is in a hurricane region, a work stoppage due to a hurricane is highly unlikely in the winter (hurricane season is June through November), so it would receive a low chance of occurrence in the winter months, but it may be assigned a high chance of occurrence in August, September, and October. Conversely, not being able to get enough time from your subject matter experts almost always happens, so it would be assigned a high percentage chance of occurrence. If you prefer the high/medium/low technique, assign 80 percent to high, 50 percent to medium, and 20 percent to low.”

Step 3: Plan Risk Mitigation

“State the actions that are needed to mitigate negative consequences or to maximize positive benefits. By deciding in advance how to manage each risk, the probability and impact of the risk can be reduced. One of the key elements of project management is to address risks proactively. Thus, mitigating actions can eliminate risks by uncovering acceptable alternatives. Risks may be mitigated, or bounded, in many ways:

• Contingency planning Defines an action plan to be executed if an identified risk event occurs.
• Alternative strategies Risk events can often be prevented by choosing an alternative strategy – using a method or technique that is already familiar to most of your technical team versus one that is not.
• Assumptions Bounding and communicating those bounds can do much to reduce risk. For example, limiting the deliverable review process to at most two iterations bounds the risk of infinite review – failure to obtain approval.
• Read staff Carrying extra staffing to shore up critical path tasks, or to be ready to take over in the event of a project team member leaving, reduces the risks associated with estimating underruns or attrition.
• Staff qualifications/capabilities Using overqualified staff in some positions (or staff members with multiple talents) means you may have additional flexibility to respond to risk triggers when they occur. For example, if the project has a tester who can also function as a team lead should the team need additional team leaders during a peak period, the project manager has a ready resource.
• Risk sharing In some cases the business and technical organizations may opt to share certain risks – such as environmental (physical space) failures. By sharing the risk, the project manager may have additional resources to draw on to put the project back on track. It’s usually a good idea to build teamwork management through risk sharing.
• Organization Risk may also be reduced by changing the organization or reporting structure for resources assigned to particular project. Key personnel may be ‘loaned’ to the project for its duration. This technique helps eliminate the risk of poor participation by key functional personnel.”

“For each risk, the criteria for change should also be defined. The mitigation plan needs to have someone responsible for driving the effort to minimize or eliminate the risk. Progress against the mitigation plan should occur through status reports and subsequent risk management sessions. The amount of time and resources associated with risk mitigation needs to be included in the project plan. Each risk and its associated mitigation strategy should also have a clear trigger event that is predefined. In most cases this may be obvious, but it’s best to declare the trigger event that launches the mitigation action.”

Step 4: Update the Risk Assessment Model

“Produce a simple report that includes a statement of high-probability risks, estimating assumptions, and impacts/mitigation actions. This report is an effective tool for communicating the risks and ensuring that all parties understand and agree to risk impacts and mitigation action plans. Update the risk assessment model to include the current high-probability risks.”

“Perform this process before you start your project, to develop a consensus on a change budget consistent with the project risks. When developing the change budget, keep in mind that risks are not necessarily additive. The project manager and project sponsor should use prudent judgment in establishing a change budget that is consistent with the risk assessment model.”

Change Budget