Introduction
This section defines the processes of conducting risk management activities for a real project. The objectives of the plan are to increase the possibility of positive risks, or opportunities, and decrease the negative risks. Risk, issue, and opportunity management is a continuous process to address events posing a threat to or enhancing the realization of project cost, schedule, and performance objectives.
For simplification in this section, the term “risk” encompasses risks, issues, and opportunities.
Risk efforts require the team to continuously anticipate and identify potential threats and opportunities and to implement plans to avoid, transfer, mitigate, and monitor risks.
Risks, issues, and opportunities are defined as:
- • Risk: a negative event that could occur and impact the project’s ability to realize its cost, schedule, or performance objectives
- • Issue: a negative event that has occurred and made an impact on the project’s ability to meet its cost, schedule, or performance objectives
- • Opportunity: a positive event or effect that might occur due to strengths and enhance the project’s ability to meet its cost, schedule, or performance objectives.
This plan mainly addresses the methods to identify, analyze, mitigate, and monitor risks. In most instances, opportunities could also be considered. Risks may result from the project’s people, process, and/or technology elements. Furthermore, risks may come from internal and external sources. As such, risk management efforts must be proactive and aggressive in nature and must involve the entire project team and key internal/external stakeholders to ensure the project’s objectives are met.
A Risk Management Plan is prepared in accordance with document templates and formats and the project’s:
- 1. Charter document
- 2. Scope statement
- 3. Cost Management Plan
- 4. Schedule Management Plan
- 5. Communications Plan
- 6. Document templates and formats
Purpose
The purpose of the Project Risk Mitigation and Management Plan is to establish policy and disseminate guidance and information related to the management of project risks.
Objectives
The ongoing risk management objectives include the early identification, continuous tracking, and systematic reduction of potential threats or opportunities to the project’s cost, schedule, or performance objectives.
These objectives are met by accomplishing the following actions:
- 1. Identify and mitigate risks in a timely manner
- 2. Minimize impact of risks upon realization of project objectives
- 3. Manage risk within established guidelines.
Risk management scope
The scope is to provide the project team identification, analysis mitigation, and control of risks related to project, schedule, cost, and/or technical project aspects. The effort involves those events (both internal and external) threatening the realization of the project cost, schedule and performance objectives. All risk management activities involve the identification, analysis, mitigation, and management of threats to the project objectives.
6.3.1.4 Background
The Project is chartered to develop a leading-edge commercial aircraft constructed primarily of a carbon-fiber-reinforced plastic (CFRP) composite. In recent years, the Company experimented with outsourcing almost all this work to firms in other US cities and to international companies. Problems with schedule, budget, resources, and quality quickly led to extreme risks in each area. To counter this, COMPANY-X returned to its original guiding principles in early 2010. The company, once again, invests in its local workforce, protecting the intellectual properties of technology and business processes by keeping 95% of Project operations in house.
The Project defines the terms and aligns the resources and processes to deliver the right information to meet the project’s needs. The Company aims to improve the efficiency with which the right item is delivered to the right station during construction, now combining a just-in-time (JIT) approach with most-in-demand parts kept in stock.
The project team provides an objective analysis of its current abilities to provide the best value for its customers and develop a blueprint for achieving the ideal state of customer engagement strategy and execution. The project team defines the necessary actions to reach the ultimate strategy and state of operations with its customers to meet their needs and objectives. The strategic direction aims to provide customer segmentation and interaction strategies to provide a unique level of service for each customer based on individual customer requirements and preferences.
Supporting products
The Project Risk Management Plan provides general guidance related to the project team’s management approach.
Roles and Responsibilities
The Project engages multiple parties to improve customer satisfaction and increase readiness and project revenue.
This section of the Risk Management Plan identifies the roles and responsibilities to manage risks.
Roles and responsibilities
Roles and responsibilities are listed in Fig. 6.3.1.
Support infrastructure tools
The Project utilizes a number of tools to manage risks, as identified in Fig. 6.3.2.
6.3.2.3 Training
Every Project team member, regardless of position, is required to participate in a workshop in which they are provided an overview of the project’s risk management processes and procedures. The workshop includes an identification session. The Risk Project Management Support Specialist ensures all training is documented on the team’s database.
Risk Management Process
This section describes, step-by-step, the risk management process from identification to completion. The risk management process is a continuous cycle. It is performed initially during project planning and thereafter following newly identified risks. The risk management process must be an integral part of the Project’s strategy and implementation. The management process involves four primary activities, as shown in Fig. 6.3.3.
6.3.3.1 Identify
All members of the Project share the responsibility of identifying potential risks. For instance, the PEO could be the Risk Originator as well as the Risk Owner. Risk identification demands constant vigilance with regard to project activities, schedules, parallel projects, or other threat sources that may impact the project cost, schedule, and/or performance objectives.
Risk identification occurs during weekly project status meetings. The Risk Originator (see Fig. 6.2.1) presents the risk and captures the necessary details using the risk data sheet. The Risk Originator originally populates the risk data sheet to provide the project team enough information to analyze the risk in question.
Analyze
Qualitative and quantitative process tools are used to assess and analyze risk. Two primary activities determine a risk’s validity and potential impacts on project objectives. They are:
- 1. Probability of occurrence: What is the probability of occurrence?
- 2. Severity of impact: How severe is the impact if the risk occurs?
The Risk Originator completes an initial analysis, but the project team collaboratively analyzes and validates the risk at the weekly project team meeting. The PMO assigns a risk owner. A collaborative analysis determines impact across all functional areas. This ensures nothing is evaluated in isolation, but at a project-wide level.
The analysis and qualification activities prioritize the risks, indicating higher priority risks. The following sections discuss the structure to score probability of occurrence and severity of impact to arrive at a risk factor.
- 1. Analyze
- 2. Qualitatively/quantitatively
- 3. Monitor/control
- 4. Plan response
- 5. (Repeat quantitative analysis if necessary)
- 6. Identify risks
Probability of occurrence
Fig. 6.3.4 provides guidelines to determine the probability of occurrence of the risk.
Probability of impact
Fig. 6.3.5 provides guidelines to score and measure probability of impact on the project if the event occurs.
Risk factor
The risk factor combines probability of occurrence and probability of impact to provide a single factor for the risk in question. Fig. 6.3.6 designates whether the overall risk factor is high, medium, or low.
Once probability of occurrence and impact are analyzed and a risk qualification factor is assigned, appropriate mitigation strategy is determined.
Plan response
Once analysis is complete, planning responses to risks allows the team to consider options to reduce threats to project objectives and enhance opportunities. A Risk Owner is assigned for each risk response. The team must remember that responses must be appropriate to the criticality of the risk as well as cost effective to the project.
During the weekly project team meeting, mitigation strategy and status are discussed to address risks. There are a variety of methods for handling and resolving risks, defined in Fig. 6.3.7.
The PMO determines the primary target severity levels and the alternate methods and resources required to mitigate the risks. These decisions are documented on the original issue identification form and are recorded in the Risk Management Database by the Risk Project Management Support Specialist. This determination is based upon the resolution guidance set forth in Fig. 6.3.8 and is directly related to the risk qualification factor described in Fig. 6.3.6.
The Risk Owner, designated by the PMO, is responsible for developing a detailed risk mitigation plan for each risk, which defines the following:
- 1. Primary and alternate methods of mitigation
- 2. Discrete actions necessary to implement methods
- 3. Detailed resource requirements necessary to accomplish mitigation actions
- 4. Discrete time requirements by mitigation action
- 5. Detailed conditions that must be met to change risk status
The risk mitigation activities and plans also abide by the following guidance:
- 1. Methods and actions for mitigating the risk are clear and well defined
- 2. Realistic due dates are established to mitigate the risk
- 3. Methods address root cause
- 4. Methods define the conditions by which the risk is officially mitigated
- 5. Methods establish an audit trail for future continual product and process improvements
Risks are elevated to the advisory board or the PEO for guidance and resolution as appropriate.
Monitor/control
The Project uses methodical and repeatable procedures for monitoring and managing risk mitigation functions. The primary means of accomplishing this task includes well-defined procedures for:
- 1. Communication
- 2. Reporting
- 3. Performance measurement
- 4. Continual process improvement
Communication
Fig. 6.3.9 identifies the communication process for internal risk management.
Reporting
Project team maintains a risk management report, throughout development, to support status monitoring. This report captures essential information reviewed during major milestones and as required by the PMO. The Risk Management Report captures the information identified in Fig. 6.3.10. The Risk Project Management Support Specialist maintains the Risk Management Report.
| Risk status | Mitigation status | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Risk (R), issue (I), or opportunity (O) | R/I/O number | R/I/O name | R/I/O rating | Cost impact | Schedule impact (days) | Performance impact | Identified | Target close | Actual close | ||
| Ini. | Cur. | Tar. | |||||||||
Performance measurement
The project team manages and monitors a number of discrete performance measurements to provide project management with insight into the team’s ability to effectively mitigate risks.
Each functional team is responsible for managing and reporting on the risk management measures/metrics to the project managers during the weekly status meeting. The metrics identify areas needing additional guidance and/or support. The Risk Project Support Specialist is responsible for aggregating and developing the comprehensive risk status report taken from the Risk Management Database.
Metrics compiled by the Risk Project Support Specialist include:
- Average number of days to implement mitigation and change risk (High/Medium/Low)
- Deviation from target close date
- Past due mitigation plans
- Number of risks by functional team
If warranted, the project team may employ additional metrics to assist with risk management.
Continual process improvement
The project team, on an iterative and ongoing basis, evaluates the risk management process to analyze and employ lessons learned throughout the life of the project. Knowledge harvested from retired risks and ongoing risks is evaluated to determine if existing processes need to be improved. Additionally, risks are considered as testing plans are developed and implemented. The PMO ensures testing teams have applicable risks and associated mitigation plans to ensure they are fully addressed in the testing processes.
Audit
In order to monitor whether team members are following the procedures outlined in this document, an audit is performed at least annually. This audit follows the procedures outlined in the Project Quality Assurance Plan and Procedures.
| Sample risk data sheet | ||||||
|---|---|---|---|---|---|---|
| Section A: Risk identification | ||||||
| Risk number: 1 | Date opened: 2 | Originator: 3 | ||||
| Risk title: 4 | Risk category: 5 | |||||
| Risk description: 6 | ||||||
| Risk impact description: 7 cost impact in dollars: 8 | Schedule impact in days: 9 | Performance impact: 10 | ||||
| Impact team: 11 | Impacted team lead: 12 | Additional team(s) impacted:13 | ||||
| Risk owner: 14 | Date closed: 15 | Closure approver: 16 | ||||
| Closure criteria: 17 | ||||||
| Closure notes: 18 | ||||||
| Section B: Risk analysis | ||||||
| Preliminary analysis | Team lead analysis | |||||
| Probability: 19 | Probability: 19 | |||||
| Category | Impact | Rating (H-L) | Category | Impact | Rating (H-L) | |
| Cost | 20 | 21 | Cost | 20 | 21 | |
| Schedule | 20 | 21 | Schedule | 20 | 21 | |
| performance | 20 | 21 | performance | 20 | 21 | |
| Overall risk level (H,M,L): 22 | Overall risk level (H,M,L): 22 | |||||
| Date analyzed: 23 | Date analyzed:23 | |||||
| Postmitigation probability: 24 | ||||||
| Mitigation/solution recommendations: 25 | ||||||
| Section C: risk mitigation | ||||||
| Target risk level:26 | ||||||
| Action no. | Action owner | Method | Action | Current status | Last status: 32 Next status: 33 Cost to imp: 34 Target close: 35 Actual close: 36 | |
| 27 | 28 | 29 | 30 | 31 | ||
| Last status: 32 Next status: 33 Cost to imp: 34 Target close: 35 Actual close: 36 | ||||||
| Item | Element name | Definition | ||||
| Section A: Risk Identification | ||||||
| 1 | Risk number | A unique identifier for the risk. Beginning with | ||||
| 2 | Date opened | The date the risk was first identified | ||||
| 3 | Originator | The person who identified the risk: first and last name | ||||
| 4 | Risk title | A one-line phrase describing the risk | ||||
| 5 | Risk category | Select from: cost; schedule; business performance; change management; scope | ||||
| 6 | Risk description | Text that fully describes the risk and identifies the potential root cause | ||||
| 7 | Risk impact description | Text that fully describes the unfavorable outcomes if the risk occurs. For technical risks, the quantitative impact in terms of performance degradation should be identified here | ||||
| 8 | Cost impact in dollars | Estimate of the potential cost impact if risk was to occur before mitigation implemented | ||||
| 9 | Schedule impact in days | Estimate of the potential cost impact to schedule if risk was to occur before mitigation implemented | ||||
| 10 | Performance impact | Estimate of the potential cost impact to performance if risk was to occur before mitigation implemented | ||||
| 11 | Impacted team | Team most impacted by the risk. Typically identified by the originator | ||||
| 12 | Impacted team lead | Name of team lead most impacted by the risk: First and last name | ||||
| 13 | Additional teams impacted | Team(s) additionally impacted by the risk | ||||
| 14 | Risk owner | The name of the person responsible for ensuring the risk is analyzed. May be identified by the originator or the risk manager | ||||
| 15 | Date closed | Date the risk was closed. Typically approved by the project manager unless formally delegated. Signifies completion of mitigation actions and realization of closure criteria | ||||
| 16 | Closure approver | Project managers’ closure approval. First and last name | ||||
| 17 | Closure criteria | Criteria for formally closing risk. Conditions under which the threat no longer presents an adverse impact to the project objectives. | ||||
| 18 | Closure notes | Description of mitigation actions taken and rationale for closing this risk | ||||
| Section B: Risk analysis | ||||||
| 19 | Probability | Probability the risk will occur. Listed as a qualitative measurement (remote, unlikely, even chance, highly likely, near certain). Applies to both the preliminary and team lead analysis | ||||
| 20 | Impact | Anticipated impacts on the cost, schedule, and performance aspects of the project. Listed as a qualitative measurement. (Low, minor, moderate, significant, high) applies to both the preliminary and team lead analyses | ||||
| 21 | Rating | The risk management rating for each of the cost, schedule, and performance aspects. Represented as a numerical (1–9) and qualitative measure (low, medium, high) | ||||
| 22 | Overall risk level | The overall risk analysis is the highest of the ratings from the category(s). Represented as a numerical (1–9) and qualitative measure (low, medium, high) | ||||
| 23 | Date analyzed | The date risk analysis and qualification activities are complete by the originator and team leads. DDMMYY | ||||
| 24 | Postmitigation probability | Projected probability the risk will occur after mitigation (postmitigation) (remote, unlikely, even chance, highly likely, near certain) | ||||
| 25 | Mitigation/solution recommendations | Recommendations for the mitigation of the risk. Completed by the originator and team lead. Also contains recommended mitigation timeframes and resource estimates | ||||
| Section C: Risk mitigation | ||||||
| 26 | Target risk level | The desired risk level (target) upon which the risk control plan is developed. Default to low if not specified by the project manager | ||||
| 27 | Action number | Unique number assigned to the action item; beginning with A001 | ||||
| 28 | Action owner | The person responsible for completing the action | ||||
| 29 | Method | Indicate if mitigation action is avoidance (A), control (C), transfer (T), monitoring (M), or acceptance (P) | ||||
| 30 | Action | A planned activity/task used to control the risk. Action steps must be clear and understandable and identify future activity to mitigate the risk. Discrete action steps should be defined as separate actions in the database with owners, target and actual close dates, status dates, etc. This enables discrete action steps to be entered in the status field. Define the conditions that must exist before a contingency action is executed (trigger points) | ||||
| 31 | Status | A description of the current status of the action items | ||||
| 32 | Last status | Date the action was last reviewed/statused | ||||
| 33 | Next status | Date on which the action will be statused | ||||
| 34 | Cost to imp | Cost in dollars to implement this action | ||||
| 35 | Target close | The date expected to close the action. If the target close date cannot be made, a new target closed date should be documented and the original target close date retained | ||||
| 36 | Actual close | The date action is closed | ||||
Leave a Reply