Here is how to plan a Risk Strategy for your project. You have gone through the risk identification process and you have done qualitative analysis of those risks. You may have also done quantitative analysis on a few major risks. Now you have your data on the probability of each risk occurring and the magnitude of the impact (on duration and/or cost) if it does happen.
Let’s look at some examples. Say that each project has two risks:
- Risk A is that turnover among the project engineers will exceed 15% per year.
- Risk B is that serious flooding during the spring will require the project team to relocate.
If you’re planning your Risk Strategy based on qualitative data, you have asked your team to subjectively evaluate the probability and magnitude of each risk. It will be in the form of:
- Risk #A has a high probability of occurring and a high impact on the project if it does occur.
- Risk #B has a low probability of occurring and a medium impact on the project if it does occur.
If you’re quantifying the probability and impact, you will have gathered data from historical records or experiments and will be able to summarize it like this:
- Risk #A has a 14% probability of occurring and a $20,000 impact if it does. The expected value of the risk is $2,800 (.14 x $20,000).
- Risk #B has a 5% probability of occurring and a $1,000 impact if it does. The expected value of the risk is $50 (.05 x $1,000).
The quantitative risk analysis in your Risk Strategy is more usable than the qualitative analysis. It also costs a great deal more to develop. The numbers are particularly useful because they allow you to calculate the expected value of the risk. That expected value, which you get by multiplying the probability times the magnitude of the impact, puts a ceiling on what you can spend to completely avoid the risk. You don’t have this information when you limit yourself to qualitative analysis. But you need to plan your Risk Strategy regardless of the limitations of your information.
Risk Strategy: What Risk(s) to Focus On
You, the sponsor and stakeholders might decide to focus your Risk Strategy on risk #A – engineer turnover. You would accept risk #B – relocation due to flooding – because its probability and magnitude are small, based on both the qualitative and quantitative data. That means you will not plan any specific risk mitigation, avoidance or transfer to avoid the risk’s effect. You won’t spend any money trying to avoid or mitigate the risk. However, your Risk Strategy will include a contingency plan for this accepted risk. That plan will detail how to respond to the flooding risk if it occurs. The contingency plan might focus on identifying two available office locations that are nearby.
Then you would focus your attention on the more significant risk. Because risk #A – engineer turnover – is a negative risk you can use three Risk Strategies, individually or in combination.
- Avoid the risk. This Risk Strategy requires you to alter the project plan to completely eliminate the source of risks. In this example, you might purchase the deliverable “off-the-shelf” so you don’t have to develop it yourself. So engineer turnover would not harm the project.
- Transfer the risk. This Risk Strategy is similar to buying insurance for the risk. If you were concerned about a tornado, you might buy tornado insurance. For the engineer turnover risk, you might contract with an engineering consulting firm to provide the hours of engineer work you require.
- Mitigate the risk. This Risk Strategy requires you to reduce the probability of the risk occurring and/or the magnitude of the risk if it does occur. These mitigation actions usually require you to spend money and the limitation is the expected value of the risk you calculated above. One mitigation might be to raise the salaries of your engineers to reduce the probability of their being hired by another firm. You might also hire two additional engineers which would lower the impact of turnover because you would have the extra staff immediately available. You often can’t completely eliminate the risk with mitigation. You merely reduce the probability and/or the magnitude of its impact. You have a remaining part of the risk that you have to accept and for which you would develop a contingency plan.
Risk Strategy: Involve the Team
Remember that the expected value of that risk of turnover among the project engineers is $2,800. That means you can’t spend more than that amount, even if you eliminate the risk entirely. That is the spending ceiling on the risk response. You would gather the risk management team together and ask for ideas that would reduce the project engineer turnover to 15% or less.
One team member might suggest that all the engineers working on the project receive a $200 bonus if they stay until the project is completed. With 14 engineers, there would be sufficient money to pay that bonus amount but then you would need to completely eliminate turnover above 15%. A number of members of the team might raise an objection. They say that engineers who are offered a substantial pay increase by another firm would not stay on the project for as little as $200. They also suggest that if other members of the project team didn’t receive a similar bonus it might create even larger morale problems. You would ask for other ideas for holding down turnover. A team member could suggest hiring additional engineers for the project team. This would give you the capacity to absorb turnover above 15%.
A few minutes of Risk Strategy, even on a small project, delivers a good return in proportion to the cost.
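The spending-ceiling reasoning above, worked through in Python as an added example that is not part of the original article. The risk figures and the 14 x $200 bonus come from the text; the function names and the 7% residual probability are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the risk event occurs (0..1)
    impact: float       # dollar cost if it does occur

    @property
    def expected_value(self) -> float:
        # Probability times impact: the spending ceiling for any response.
        return round(self.probability * self.impact, 2)


def evaluate_response(risk, cost, residual_probability, residual_impact=None):
    """Compare what a response costs with the expected value it removes."""
    if residual_impact is None:
        residual_impact = risk.impact  # response changes probability only
    residual_ev = round(residual_probability * residual_impact, 2)
    removed = round(risk.expected_value - residual_ev, 2)
    return {
        "ceiling": risk.expected_value,
        "within_ceiling": cost <= risk.expected_value,
        "residual_ev": residual_ev,  # still accepted; needs a contingency plan
        "net_benefit": round(removed - cost, 2),
    }


def breakeven_probability(risk, cost):
    """Highest residual probability at which a response of this cost still
    pays for itself (impact unchanged). None means it never can."""
    if cost > risk.expected_value:
        return None
    return round((risk.expected_value - cost) / risk.impact, 4)


# Figures from the article.
RISK_A = Risk("Engineer turnover above 15%", 0.14, 20_000)
RISK_B = Risk("Relocation due to spring flooding", 0.05, 1_000)
BONUS_COST = 14 * 200  # $200 retention bonus for each of 14 engineers

if __name__ == "__main__":
    print(RISK_A.expected_value, RISK_B.expected_value)
    # The bonus spends the whole ceiling, so it breaks even only at 0%.
    print(breakeven_probability(RISK_A, BONUS_COST))
    # Assumed outcome (not from the article): the bonus halves the probability.
    print(evaluate_response(RISK_A, BONUS_COST, residual_probability=0.07))
```

A response that costs the full expected value has a break-even residual probability of zero, which is why the bonus only works if it eliminates the risk entirely.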
Risk Strategy: A 3-Tier Response Approach
Project managers often skip the Risk Strategy process because the sponsor wants them to start quickly without wasting time on “useless paperwork” like risk management. This dooms you to non-stop fire fighting for the life of the project. We use a 3-tier Risk Strategy approach for projects of different scale and importance. On even a small project, you can do a simple risk assessment, investing as little as an hour and possibly saving days of lost time. That’s why we recommend using a 3-tiered Risk Strategy so you can match it to the scale and significance of the project. Here are definitions of the tiers:
- Tier 1 – A project done within a department or small company where the PM and team all report to the project sponsor.
- Tier 2 – A cross-functional project which affects multiple departments in the same organization.
- Tier 3 – A strategic initiative or consulting engagement that includes both technical expertise and project management services for an outside client or customer.
Risk Strategy: Risk Management Template
Here are 5 risk management steps that lead to your Risk Strategy planning:
- Identify the risks that threaten delivering the scope on time
- Qualitatively assess the probability of the risk occurring
- Qualitatively assess the magnitude of the impact if the risk occurs
- Select the most significant risks
- Plan how to avoid them or minimize the damage if we can’t avoid them.
In risk identification, you are simply harvesting as many risks as you can without making judgments about their significance. When you have the list of risks, you’re ready to begin qualitative risk analysis. That’s where you focus on evaluating the significance of each risk using relatively quick and inexpensive techniques. Specifically, you are assessing the likelihood a risk will occur and the impact (cost and time) if it does occur. You use these assessments to prioritize your risks in terms of their significance.
Risk Strategy: Three Situations
Tier 1 – In-department Project Risk Situation
- The PM and two team members spend 30 minutes on risk identification with a limit of 7 risks in two risk categories that threaten project success.
- The PM and two team members spend 30 minutes on qualitative/subjective risk analysis. This is the only support for the risk response plan because the project’s scale does not support the cost or time for quantitative analysis. The two members of the team and the project sponsor will subjectively set the impact and likelihood values for risk and impact analysis.
- The PM and sponsor will agree on the risk response plan in 30 minutes.
Let’s look in on how the process would work. For an in-department project, risk identification and qualitative analysis is all we’ll do before planning our risk responses.
The PM and the two team members take a short lunch and talk about the risk events that could cause them to fail to deliver the project scope. Then they discuss events that would affect finishing the project on time. They return with a list of 7 risks to consider. Six are negative risk events. The last is a positive risk event that would let them finish a week early.
After they’ve completed the risk identification, the PM and the two members of the team go to the PM’s cubicle. The PM smiles at them and says, “We’re 1/3 done. Now let’s spend about 30 minutes analyzing the risks we identified.
Here’s a form we’ll use to get everyone’s assessment of the risks we face on the project. We want to describe each risk in terms of two separate dimensions; 1.) the probability or likelihood of the risk event occurring and 2.) the impact it will have on the project if it occurs. We’ll use a simple scale with three choices for probability and for impact:
- low – meaning very unlikely to occur or a small impact
- high – meaning very likely to occur or a large impact and
- medium – between those two extremes.”
Following the risk assessment, the project manager charts the results, asks the boss to join them, and displays the simple grid for the group.
The PM says, “We all seem to agree that while we have several risks, only one risk has both a high probability and a high magnitude and that’s the risk of customers not using the new procedure.”
The boss says, “I thought this risk stuff was going to be a waste of time, but I’m already thinking of things we can do to educate the customers about the new procedures. That is one problem I would not want to hear about at the end of the project.”
Following the boss’ comments, the group begins to assemble a strategy. First, they discuss possibilities for changing the project plan in a way that allows them to completely avoid this risk. But it doesn’t take long before they realize there’s no way to avoid the customers having to learn the new trouble ticket procedures. They also briefly discuss being able to transfer this risk to another party and “buy insurance” to avoid the consequences. The boss brings that discussion to an end by telling them no training firm would undertake responsibility without charging them tens of thousands of dollars.
With limited strategies for avoiding and transferring the risk, the group focuses on mitigation. One mitigation that everyone likes is distributing professionally designed instruction manuals for the customer. That includes a laminated one page crib sheet to help them easily follow the new procedure. The boss agrees that wouldn’t cost very much and welcomes the idea of adding that mitigation to the project plan. They spend a few more minutes discussing other options including writing profiles of customers who did well with the new procedure and including it in the company magazine. No one likes that idea so they stick with the customer instruction manual mitigation idea. That brings their risk response planning to an end.
Tier 2 – Cross-functional Project Risk Situation
- The risk management plan calls for using qualitative risk assessment as a screening tool for quantitative analysis.
- The PM anticipates that they will analyze 12 or more risks in an intensive quantitative analysis.
- Three committees will perform qualitative analysis. Each one is focusing on a particular category of risk within the categories supplied by the organization.
- The sponsor will decide which risks go to quantitative analysis.
The cross-functional project manager distributes the qualitative risk assessment form to each of the three risk committees to use in assessing the project’s risks. The team members are quite familiar with estimating probabilities and magnitudes so the project manager uses a 1-10 scale for the estimates. The first page of one committee’s form looks like this:
Then the project manager gives the committee leaders their instructions, “Each person will make an independent judgment about the probability of each risk event occurring and the impact on the project if it does. We’ll use a 1 to 10 scale for each assessment. So if a risk event is very likely to occur you should give it a 9 or even a 10. For a risk event that is very unlikely, give it a score of 1 or 2. We will do the same thing on the impact. When you come to that decision, forget the probability of the risk event occurring. Simply assess how big an impact it will have if it occurs. If its impact will bury the project and do us irreparable harm, you should score it a 10. If a risk event has minimal impact on the project, give it a 1 or 2.”
One of the team members says, “Aren’t we going to discuss each risk first?”
The project manager answers, “No. I think it’s best if each person gives their assessment without being influenced by the others. Remember that we have people whose immediate superior is on the same committee. If people reveal their opinions before we each score the risks, the manager’s opinion may count for too much. Let’s have everyone make a judgment without knowing what the managers think. We may get better information with independent judgments and avoid some of the politics. For that same reason, we’ll keep the ballots anonymous; you’ll notice there is no place to fill in a name.”
A few days later, the project manager gathers the completed forms from the committees and tabulates the data into a spreadsheet designed for this purpose. The result is a table of data values and a graph for each of the committees.
The cross-functional project manager takes the committees’ data and recommendations to the risk management committee which is made up of the sponsor and an executive vice president. The project manager selects one or two risks from each committee’s qualitative analysis and recommends quantitative analysis.
Three of the risks have probabilities and impacts above eight so the committee decides that all three warrant quantitative analysis. They are particularly concerned about the risk of customers not using the new trouble ticket procedure. They ask the project manager exactly what they will get from this quantitative analysis.
The project manager says, “We will start with an influence diagram that we developed during risk identification. Then we’ll gather some opinions from industry experts and build a decision network to analyze where we can have our biggest influence in avoiding that risk.” On this larger and more significant tier #2, cross-functional project, the decision-making about risk response strategies can be much more extensive. It can also involve substantially larger costs than the tier #1, in-department project.
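One way to tabulate the anonymous 1-10 ballots and pick out the risks scoring above eight on both dimensions, as an added example that is not part of the original article. The ballots are constructed, the second and third risk names are invented, and the spread column is an addition beyond what the text describes.

```python
from collections import defaultdict
from statistics import mean, pstdev

SCALE = range(1, 11)  # the 1-10 scale on the committee form
THRESHOLD = 8         # the article's committee escalates scores above eight


def tabulate(ballots):
    """Aggregate anonymous (risk, probability, impact) ballots per risk."""
    scores = defaultdict(lambda: ([], []))
    for risk, probability, impact in ballots:
        # Reject off-scale scores instead of silently clamping them.
        if probability not in SCALE or impact not in SCALE:
            raise ValueError(f"off-scale ballot for {risk!r}")
        scores[risk][0].append(probability)
        scores[risk][1].append(impact)
    table = {}
    for risk, (probs, impacts) in scores.items():
        table[risk] = {
            "ballots": len(probs),
            "probability": round(mean(probs), 2),
            "impact": round(mean(impacts), 2),
            # A wide spread means the raters disagree; discuss it after
            # scoring, when it can no longer bias the ballots.
            "spread": round(max(pstdev(probs), pstdev(impacts)), 2),
        }
    return table


def shortlist(table, threshold=THRESHOLD):
    """Risks whose mean probability and mean impact both exceed the threshold."""
    picked = [r for r, row in table.items()
              if row["probability"] > threshold and row["impact"] > threshold]
    return sorted(picked, reverse=True,
                  key=lambda r: table[r]["probability"] * table[r]["impact"])


# Constructed ballots: (risk, probability score, impact score), no rater name.
BALLOTS = [
    ("customers do not use new procedure", 9, 10),
    ("customers do not use new procedure", 9, 9),
    ("customers do not use new procedure", 10, 9),
    ("vendor delivers late", 9, 8),
    ("vendor delivers late", 8, 9),
    ("vendor delivers late", 9, 9),
    ("help desk staff reassigned", 3, 9),
    ("help desk staff reassigned", 7, 8),
    ("help desk staff reassigned", 2, 10),
]

if __name__ == "__main__":
    table = tabulate(BALLOTS)
    for risk, row in table.items():
        print(risk, row)
    print("recommended for quantitative analysis:", shortlist(table))
```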
Tier 3 – Strategic/Consulting Project Risk Situation
- A committee of executives will make final risk decisions based on detail work developed by risk committees focusing on special categories of risks.
- The size of the project budget and its strategic significance for the client warrant elaborate quantitative analysis, which has been included in the risk-management plan.
- The budget for quantitative risk analysis includes funds to pay experts’ fees and for research and data gathering.
The project manager presents the qualitative risk analysis information to the client’s management. Because these executives are familiar with making decisions based on data, the PM consultant includes qualitative measures of probability and impact as well as a data precision value. One of the executives asks, “What is the significance of that data precision score? Didn’t our people do a good job in the risk assessment?”
The consulting project manager answers, “No, that’s not the case at all. That data precision score is reflective of the accuracy and validity of the data we have about each of the risks. It reflects our understanding of the risk, the amount of information we have available about it and the reliability and integrity of that data. The score is based on my firm’s collective experience with projects of this type. As you can see, there are a number of risks about which we know a great deal. As an example, the quality of the data we have about the third risk on the list is quite good. We have very reliable data from the company’s own quality control and quality assurance processes and I have given that risk a data precision score of 80 to reflect the quality of that data. On the other hand, the risk we are most concerned about is that the customers will not utilize the new trouble ticket procedure. I’ve given that a low data precision score because your organization has very little information. What we have is about other segments and is of questionable reliability. We are concerned about the risk because of its high probability and high magnitude. But frankly, the absence of good data is equally important. For that reason, I’m going to suggest we do a Monte Carlo simulation so we can more accurately assess the impact of that risk on the project’s overall duration and budget.”
The client executives accept the consulting PM’s recommendations and the list of prioritized risks. They authorize the project team to move on to quantitative risk analysis. For this very large strategic initiative level project, the quantitative analysis process can easily take months and include substantial and expensive data-gathering efforts. Those efforts will provide a better assessment of customer behavior and how it could be changed. From that data-gathering phase, the decision-makers will have sophisticated simulation information which would trigger the brainstorming process of the Risk Strategy.