To be consistent with our principles, we need a systematic approach that enables us to focus time and resources on the highest priority risk elements. The power in the process is not in its complexity—it’s relatively simple and straightforward—the power is in the management approach it inspires.
Let’s review the essential steps for managing project risks:
- Identify—This is the critical step of identifying the risks to the project. The best way to start this process is also the best way to leverage the lessons from the past—use a risk profile. A risk profile, also referred to as a risk checklist or risk assessment form, lists the common sources of project risk that you need to consider. Although most risk profiles help you evaluate the majority of risk factors that are common to all projects the best risk profiles are ones that are specific to your industry, organization, and project type. In addition, the less experience that you have in project management or in the project domain, the more you should facilitate this process with the key stakeholders and subject matter experts on your project team.
- Determine probability—For each risk factor that has been identified, determine the likelihood that the risk event will occur. The goal is to quantify the uncertainty as much as possible, although in reality, this is still a judgment call. Common methods include numeric scales (1–5, 1–10) and subjective scales (High, Medium, Low).
- Assess impact—For each risk factor, determine the potential impact the risk event would have on the project critical success factors if it occurred. Like the probability element, the goal is to quantify the potential impact as much as possible. Generally, the same type of scale is used here, too. It is a good idea to document the specific impact (which critical success factor) and the magnitude of the impact.
- Prioritize—Now that we have a probability and an impact level, we tabulate a final ranking for each risk factor by combining the two values. If you have used numeric scales, this is straightforward; just multiply the two values together to get a final score. If you have used qualitative scales (L, M, H), you should be able to easily translate these to numeric values (1, 2, 3) to figure your final score. This step shows you the highest priority, most important risks, and the ones where you need to focus your initial efforts.
CautionThese steps focus on qualitative analysis and are more than sufficient for most projects, especially if a team approach is taken for this process. However, if you are in a situation or industry that requires more precise risk analysis, you will need to leverage a second phase of analysis called numerical (or quantitative) analysis. Techniques such as decision tree analysis and Monte Carlo simulations are frequently used here. Please consult an advanced project risk management course or text for instruction in this area. - Develop responses—Document a response plan for each risk using one of the five risk response options. Planning efforts are iterative in nature because risk response strategies might entail the allocation of additional resources, tasks, time, and costs to the project plan.
- Get buy-in—Review the risk response strategies with the key stakeholders to increase their awareness, get their feedback (if you have not already), and get their acceptance of the planned approaches.
- Monitor—Don’t stop. Nothing stays the same. Continue to keep your eye on the risk factors—watch for triggers to activate other planned responses, be mindful of the appearance of new risk factors, and don’t totally forget about the low-level risks. Either via circumstances changing or initial miscalculations, you might find some of these have a higher probability of occurring (or higher impact) than originally perceived.
Risk Response Options
Caution
For those planning on taking the PMP exam, note that risk management planning and risk response planning are two distinct activities.
Most people tend to think “mitigation” when they think of risk management. However, there are actually five risk response options. Table 14.1 reviews each response strategy and provides examples of each.
TABLE 14.1 Summary of Risk Response Options
| Risk Response | Description | Examples/Notes |
|---|---|---|
| Avoidance | Avoiding the risk.Changing the project plan to eliminate the risk.Changing the project plan to protect a project objective from the impact. | Reducing the scope to remove high-risk tasks.Adding resources or time.Adopting a proven approach rather than a new one.Removing a “problem” resource. |
| Acceptance | Accepting the consequences of the risk.The project plan is not changed to deal with the risk.A better response strategy cannot be identified. | Active acceptance.Passive acceptance.No action.Contingency allowance (reserves).Notifying management that there could be a major cost increase if this risk occurs. |
| Monitor and prepare | Accepting the risk for now.Closely monitor the risk and proactively develop alternative action plans if the event occurs. | Contingency plan.Fallback plan.Establish criteria that will trigger the implementation of the response plans. |
| Mitigation | Taking action to reduce the likelihood the risk will occur.Taking action to reduce the impact of the risk.Reducing the probability is always more effective than minimizing the consequences. | Adopting less-complex approaches.Planning on more testing.Adding resources or time to the schedule.Assigning a team member to visit the seller’s facilities frequently to learn about potential delivery problems as early as possible.Providing a less-experienced team member with additional training.Deciding to prototype a high-risk solution element. |
| Transference | Transferring ownership of the risk factor.Shifting the consequence of a risk and the ownership of the response to a third party. | Outsourcing difficult work to a more-experienced company.Fixed price contract.Contracts, insurance, warranties, guarantees, and so on.Used most often for financial risk exposure.Does not eliminate the risk. |
Key Risk Management Tools
One aspect of the risk management process described in the PMBOK Guide that many people find difficult to grasp is the reference to unfamiliar tools and techniques. Table 14.2 summarizes many of these tools and techniques to assist your learning and review process.
The risk assessment questionnaire contains questions that pertain to project size, structure, and technology. The risk assessment questionnaire is broken down by risk categories, subcategories, and criteria that rate risk level according to Low, Medium, or High.
Caution
As the project size and complexity increases (see size and complexity factors in Table 14.3), the level of risk can increase exponentially.
TABLE 14.2 Summary of Risk Management Tools
| Risk Tool | Description | Notes/Examples |
|---|---|---|
| Risk profile | A questionnaire or checklist to guide the identification of project risk factors. | Should be specific to industry, organization, and project type. |
| Risk assessment | Generally synonymous with risk profile.Frequently will contain criteria to establish Low, Medium, and High risk levels. | Often used interchangeably for risk profile or risk checklist. |
| Risk register (log) | Used to document the identified risks, probability score, impact score, priority, and planned response strategies. | May be combined with other project logs. |
| Risk management plan | Describes how the risk management process will be structured and performed. | Describes the process to be used. |
| Risk response plan | Describes the response strategies for identified risks. | Risk log.Details action steps to be taken if risk event occurs. |
| Probability/impact matrix | Used to establish general High, Medium, and Low classifications for a risk factor.Cross-references the probability score with the impact score. |
Leave a Reply