How Risk Management works
What could put the project in a situation of uncertainty and impact the overall outcome? Do we know how to identify the possible issues and to eliminate them? All this is about Risk Management.
Hey Crizpers, today we are moving forward to my favorite process. I would like to touch base on the Risk Management and to discuss some approaches and hints in order to keep the project healthy and running.
Let me know how thoughtful you are about your life? Do you consider any possible changes and define your reaction on them? Or you live just today and do not apply your project management skills to your being?
Frankly speaking, if you do forecast and manage risks in your day-to-day breathing, I guess this would also be natural for you to apply your competency to your professional field. Cutting to the chase, let’s revise what we consider as risks.
What is Risk?
As you may remember, risks are either negative OR positive events that we make assumptions for. Risks is something that has not happened yet, however, if happened it will impact the project. And once happened, this is not a risk anymore, but an issue that we need to resolve. We may say, we have risks or we are in a risky situation.. but once the assumption became true, then ‘Huston, we have a problem’.
As a sample, you plan to buy a bike. There is an assumption it could be stolen, which is a risk. To prevent this risk we are planning to buy a cycle lock. This is a risk mitigation plan. However, if stolen this is not a risk anymore, as it has already happened. It will become our issue or a risk event.
Also, probably for someone a bike is not a very valuable thing and might be considered that it will not be a big deal if stolen. This risk will become a low priority as you have a high risk tolerance.
But what if we buy a car? This could be something that worth a risk management activities as most likely you risk tolerance in this situation would be lower.
In these two samples we could see the difference in the risk tolerance and the risk threshold.
For the bike our risk tolerance might be high as well as the threshold. For instance, if we have a scratch on a bike, this might not bother us much and we will feel OK, this is out threshold. And if stolen it will not be that much negative as if our car will be.
As for the car, we have a low tolerance, and most likely would want to deposit more in the risk management. Maybe to buy a parking spot or a garage. And should a car have a scratch, this might already be our threshold and we will feel inconvenience.
The same is in projects. The higher profile the project is, the lower is the stakeholder’s tolerance and thresholds for the risks on it.
The positive risks may also have place. For instance, you are going to bring your car to the first revision. You know how much this should cost. However, when you have come to a garage, your master told you that for the first revision you are getting a 10% discount. This is a positive risk. You may welcome it accepting this risk (a discount). Or you can reject it and pay for the revision as planned. Another case, the master tells that if you want to have a 10% discount, you need to bring 10 friends to this garage, and they will also get this 10% discount. Here you may share this risk by distributing those coupons to our peers.
The above was given to let you see what a risk is and to clear up it is not always something bad.
And as you are aware, same as in your life, on the project risks may occur throughout the delivery process, thus risk forecasting and management should be a constant and continues procedure as you breath.
Where everything starts? Project has its stakeholders. The stakeholders are the people who can impact OR could be impacted by the project, remember? And these are the people who’s opinion we should consider in order to deliver a valuable product. Besides their wants and needs we should also consider their fears in terms of threats.
Plan How to
The first step in our risk management journey would be to plan it and our actions. And this relates to the identification of the risk management strategy. We need to define how tolerant for risks our stakeholders are, what options and solutions they are accepting, what ways of addressing risks are the most comfortable for them, what is the threshold and triggers for risks.
Also, let’s note how will we create our risk metrics, what they will mean, how will me make calculations and what are the boundaries.
Having all above in a pocket and writing down in a document we may further reference and utilize the defined criteria while preparing our risk responses.
Let’s Identify Risks
Here the forecasting comes in. First we need to ensure there are no risks related to the current plans and documentation, or to secure ourselves by acknowledging the possible risks. Review what you have on hand and make relevant assumptions. For instance, we have WBS, but you see some gaps in the activities that are required for the deliverable. With that risk we will not deliver on time, or the delivery will cost more than we have expected. Bookworm through all the available docs.
Further, go to the key stakeholders and interview them. Most likely they have their own assumptions. Make relevant notes and right all down.
Where do we record our risks? Sure, this is our Risk Register. Remember, Risks and Issues are not the same. Therefore, in the Risk Register we have our assumptions, in the Issue log we keep the problems occurred.
There is a variety of ways to document risks, so I could not give you a magic pill on how to keep your diary. Just make sure that the key indicators are consistently completed for all the risks. These usually are the risk probability, impact, cost, up-to-date status. You could also put there a root cause, a trigger, a time to mitigate and a dead line when should it be eliminated.
What I would advise to consider, is the risk categorization and the relevant risk breakdown structure. It may vary from project to project, but the general aspects to pay attention to are the logical separation of risks. This would help to properly estimate and prioritize your efforts. Besides, it gives a transparency to whole the picture.
For the categories you could take the project phase. For instance, risks that are related to the initiation, to planning, execution and etc. Or, should this be internal or external risks. Example, development and quality risks are most likely internal, while risks that are related to the new laws or vendors are external to your organization.
Now we have all the known risks documented, let’s review and analyze them.
No mystery here. Once we have our risks on hand, what we are going to do is to define how serious they are. We will use the criteria that we have defined within the planning step.
During the Qualitative analysis we usually exploit the probability-impact matrix. This is the table were we put the risks in, their probability in the percentage or in the equivalent term (e.g. low to high), and the risks impact in the same manner. Other indicators could be also added depends on the company policies and your taste.
When this is done, let’s define which risks require our special attention, and which we may just know about and keep an eye on them. Again, the previously set criteria will help us. For instance, we have a defined rule that all risks which have a probability higher than moderate of higher than 50% should be estimated precisely. In other words, which of the risks should be taken to the next stage of analysis, quantitative.
Similar as with the bike. If it has a scratch, we may think this is not a big deal. But if its wheel is punctured we will not be able to ride. Thus, will need to consider what to do to prevent it.
Here we are. Basically, all the risks that are considered as a high-priority risks are under the magnifying glass. Now we are going to calculate how much would it cost to conduct the preventive actions.
Remember our bike and an car. The common risk for both is to be stolen. As a preventive action we have defined the solutions to purchase a cycle lock for the bike and a garage for the car. The main values here are a bike and a car. However, if the lock will cost more than a bike itself, it may not make sense to purchase it. As for the car, a garage or a parking slot will most likely cost less, so this could be considered as a reasonable measure. On another hand, we have our criteria, and there we could have mentioned that in case the garage will cost more than 1/3 of a car, we are not going to accept this. Should this be the case, we would probably not buy a car (cancel the project) and will finally go with a bike.
Once we have calculated all our risk mitigation costs, we can sum them up and get the value of the Contingency Reserve. This is what we usually add to the project cost in order to deliver it successfully.
Contingency VS Management
I would also want to add a remark regarding the reserves. Let’s not mess up Contingency and Management Reserves. While the Contingency Reserve is an amount that we have calculated for the known risks during the Quantitative analysis, the Management Reserve is an amount for the possible unknowns. Remember, the risk forecasting and analysis is a continues processes that we execute throughout the project. During the project delivery new risks could pop up. The Management Reserve might be set according to the overall project analysis and considering the previous experience on similar projects. And this is an asset for the project cost too.
After the qualitative analysis we may already know what are we going to do with the low priority risks, while how to approach the high priority risks we may define only after we have numbers in front of us.
At this point based on the known risks we are able to define our risk response plan. We can see how much risks impact the project in general and if it worth the efforts. Should the cycle lock cost twice much than our bike, there may be no reason to invest in both.
Generate the reasonable preventive solution for all the risks you know based on the Risk Management Plan. Put them in the Risk Register and discuss with the key stakeholders. We need to agree in advance on what to do and act accordingly after on demand without any additional time loss for the negotiations. This might be crucial in the emergency situation, so try to be prepared upon the day-X.
Naturally these steps do not go one by one and in most cases all the process is messed up. Moreover, the priorities could shift during the project as well. Thus try to keep the process continues and work with risks on a regular basis throughout the project. The above activities should be done all over again constantly. Revise and examine them, forecast, take care of the project health. By the way, the closer the project delivery is, the fewer risks should we experience and the more chances the project will be successful.
What other risk management actions you undertake? Are there any additional hints you could share? Let me know if you have any questions, or if you’d like any additional topic to be evaluated.