“The goal of risk management is to identify project risks
and plan mitigation actions in collaboration between the technical team and the
business organization. Risks are probable events that could increase the
project’s schedule, costs, or effort, or adversely impact overall customer
satisfaction. The goal is to identify these shared risks, predict the
likelihood of the risks occurring, quantify the impact should they occur, and
develop a plan for addressing each risk. Most importantly, the goal is to
establish agreement between the business organization and the technical team
that they need to work together to manage risks as they arise during the
project. The project manager should be proactive in assuring that risks are
analyzed and that action is taken to mitigate the risk. If you can anticipate
an event, then you should be able to weigh the consequences and develop actions
to minimize negative impacts.
Risk Assessment Model
“The risk Assessment Model is a spreadsheet that provides
for the documentation of the risks and computation of the change budget (or
risk budget). The risk assessment method computes the risk budget as a
percentage of effort of the difference between the project estimate and the
worst-case estimate. The assumption is that this difference is a function of
“In Figure 1, the project estimate is 1900 hours. The
worst-case estimate is 2600 hours. The difference is 700 hours (at risk). The
ten risk variables represent 100 percent, or 700 hours. Each risk is represented
as a percentage of the total (Data
Center will burn down = 9
percent of the total risk, or 61.12 hours). The fire control systems have a 25
percent probability of effectiveness, representing a 2 percent reduction of the
9 percent, or down to 45.84 hours. The sum of the reduced hours at risk
represents the risk budget.”
“The following list defines the various column headings
shown in figure 1:
Variable Up to ten risk variables
may be listed in this column.
Probability The probability of occurrence (as a
percentage) is specified in this column.
Consequence The relative consequence is indicated in this
column as a value between 1 (the lowest) and 10 (the maximum).
Impact This is a numerical
representation of the combination of the probability and relative impact of the
risk. The sum represents the total magnitude of all the risks.
+CB% The fields in this column are computed fields
representing the percentage of the total risk per risk variable.
Risk The fields in this column are computed fields
representing the actual number of hours per risk variable of the total number
of hours at risk.
Strategy The fields in this column
indicate the mitigation action to be used to manage or prevent the risk.
of Effectiveness The fields in this
column represent the probability of total effectiveness of the mitigation
action upon the risk variable.
-CB% The fields in this column are computed fields
representing the percentage reduction expected of the mitigation action.
Budget The risk budget is a product
of the percentage difference between (the probability of risks and the
probability of the mitigation actions) and the effort at risk, or the
difference between the project estimate and the worst case.”
“The risk assessment procedure should be performed monthly
under the direction of the project manager in conjunction with the project
sponsor. Newly identified risks should be added to the risk assessment model,
and risks no longer applicable should be dropped from the risk assessment
The Risk Management Process
“The risk management process consists of four steps that
guide the team to identify the risks, assess the risks, plan the mitigation
strategies for each risk, and update the risk management tool for subsequent
risk management sessions.”
Step 1: Identify Risks
“Review the risks developed during the funding process to
understand what risks were known at that time. This set of risks will have
changed, but it is the baseline from which to start risk assessment in this
phase. Determine which of those risks no longer exist and identify new issues
and obstacles that may produce undesired outcomes. Review the issues log for
items that should be represented as risks.”
“Risk elements may be introduced from many areas. Consider
the assumptions made when developing the project charter and the project plan.
The goal is to convert all critical assumptions into specific, ‘shared’ risks.
Once the risk factors for the project have been identified, they should be
documented in a risk assessment model spreadsheet similar to the one previously
shown in figure 1.”
Step 2: Assess the Risks
“Each risk should be examined and quantified in terms of
cost, schedule, and quality. Some risks may impact both the cost and schedule,
and some risks may impact all three. How much a risk will impact the project
may be derived from historical project data, industry norms, personal past
experience, or the estimation model.”
“The risks need to be assessed and assigned a percentage
chance of occurring. For instance, if your business is in a hurricane region, a
work stoppage due to a hurricane is highly unlikely in the winter (hurricane
season is June through November), so it would receive a low chance of
occurrence in the winter months, but it may be assigned a high chance of
occurrence in August, September, and October. Conversely, not being able to get
enough time from your subject matter experts almost always happens, so it would
be assigned a high percentage chance of occurrence. If you prefer the
high/medium/low technique, assign 80 percent to high, 50 percent to medium, and
20 percent to low.”
Step 3: Plan Risk Mitigation
“State the actions that are needed to mitigate negative
consequences or to maximize positive benefits. By deciding in advance how to
manage each risk, the probability and impact of the risk can be reduced. One of
the key elements of project management is to address risks proactively. Thus,
mitigating actions can eliminate risks by uncovering acceptable alternatives.
Risks may be mitigated, or bounded, in many ways:
planning Defines an action plan to
be executed if an identified risk event occurs.
strategies Risk events can often be
prevented by choosing an alternative strategy – using a method or technique
that is already familiar to most of your technical team versus one that is not.
Assumptions Bounding and communicating those bounds can
do much to reduce risk. For example, limiting the deliverable review process to
at most two iterations bounds the risk of infinite review – failure to obtain
staff Carrying extra staffing to
shore up critical path tasks, or to be ready to take over in the event of a
project team member leaving, reduces the risks associated with estimating
underruns or attrition.
overqualified staff in some positions (or staff members with multiple talents)
means you may have additional flexibility to respond to risk triggers when they
occur. For example, if the project has a tester who can also function as a team
lead should the team need additional team leaders during a peak period, the
project manager has a ready resource.
sharing In some cases the business
and technical organizations may opt to share certain risks – such as
environmental (physical space) failures. By sharing the risk, the project
manager may have additional resources to draw on to put the project back on
track. It’s usually a good idea to build teamwork management through risk
Organization Risk may also be reduced by changing the
organization or reporting structure for resources assigned to particular
project. Key personnel may be ‘loaned’ to the project for its duration. This
technique helps eliminate the risk of poor participation by key functional
“For each risk, the criteria for change should also be
defined. The mitigation plan needs to have someone responsible for driving the
effort to minimize or eliminate the risk. Progress against the mitigation plan
should occur through status reports and subsequent risk management sessions.
The amount of time and resources associated with risk mitigation needs to be included
in the project plan. Each risk and its associated mitigation strategy should
also have a clear trigger event that is predefined. In most cases this may be
obvious, but it’s best to declare the trigger event that launches the
Step 4: Update the Risk Assessment Model
“Produce a simple report that includes a statement of
high-probability risks, estimating assumptions, and impacts/mitigation actions.
This report is an effective tool for communicating the risks and ensuring that
all parties understand and agree to risk impacts and mitigation action plans.
Update the risk assessment model to include the current high-probability
“Perform this process before you start your project, to
develop a consensus on a change budget consistent with the project risks. When
developing the change budget, keep in mind that risks are not necessarily
additive. The project manager and project sponsor should use prudent judgment
in establishing a change budget that is consistent with the risk assessment
project manager and project sponsor should establish the actual amount of a
change budget in accordance with your company’s risk-aversion philosophy. The
risk-based change budget is a dollar percentage of the original estimate that
should be set aside to cover the negative impact of risks identified in the
procedure. The change budget represents the net change of all positive and
negative impacts (in other words, dollars at risk). The establishment of a
change budget assures that funds are available to continue the project when
faced with an increase in cost due to the negative impact of an identified
risk. Each month, as tasks are completed, their attendant risks can no longer
impact the project. Therefore, the change budget can be expected to decrease to
zero as the project moves toward project completion. The actual amount of the
change budget may be set to whatever amount the executive sponsor feels is
consistent with your company’s risk-aversion philosophy. However, the risk
assessment model provides a method to quantify this amount as a function of the
risks, mitigation, and project estimate (budgeted cost).”