We should scale our risk management effort to fit each project or initiative.Â Itâ€™s difficult to persuade executives to invest time and money on risk management to avoid or mitigate risk. They prefer â€śbeing ready to reactâ€ť when bad stuff happens. They think that is cheaper than spending money on what many see as a bureaucratic process with pointless meetings and lots of paperwork. So their decision is to â€śkeep our eyes open for troubleâ€ť rather than waste money, and possibly delay the start, to identify and plan for risks. This is a poor decision. Even a little bit of risk management, say one hour of time, can have a very significant payback if you can avoid a problem or two.
Project managers need to make the case that even a small amount of risk management time, like a lunch meeting with the right people, can repay the investment many times over by avoiding problems. The best way to make this point is to discuss some recent project failures. You can cite the problems that brought those projects down and explain how a little bit of risk response planning and some early problem solving might have saved the day. Risk Management Process
Scaling Risk Management Techniques for Different Size Projects
After you gain approval for a risk management effort, you need to proceed carefully with a barebones program. In the beginning, you need to build your credibility and that of risk management with a handsome return for the risk investment. You also need to use the correct set of risk management techniques to fit the size and scale of each project. One size does not fit all. You need to tailor the approach so it fits the project and yields a high return on the investment. Risk Responses
There are five components in the full Risk Management process. You will rarely use all of them:
- Risk identification â€“ identify those positive and negative risks that might affect the project
- Qualitative risk analysis â€“ fast, low cost risk evaluation with no research or data gathering
- Quantitative risk analysis â€“ slower, expensive research into the riskâ€™ probability and impact
- Risk response planning â€“ ways to mitigate, avoid, eliminate the riskâ€™s affect
- Risk monitoring & control â€“ monitoring so you can launch a risk response when needed.
Depending on the project, you may entirely skip one or two of the steps to reduce the time and expense. You also scale the effort in the process steps you will do. As stated above, quantitative analysis is the most expensive and time consuming step. You will probably skip it on small and medium-sized projects. You will do the less expensive qualitative risk analysis on most projects. On some projects, you will scale it back to a one hour meeting. On other projects, your qualitative risk analysis might deserve 6 hours of work and include getting ideas and data from a dozen stakeholders. You must control how much time and money you spend in each of these steps. On a small project, you can invest as little as an hour in total on risk identification, qualitative risk analysis and risk response planning. You will spend only what it cost to buy coffee for the group. On larger projects with massive risks, you may do all five of the steps and spend weeks or months and thousands of dollars. Small Project Risk Management
Three Example Risk Management Plans
Letâ€™s look at some example risk management processes and see how you might use them for three different size projects:
- A project done within a department where the PM and team all report to the project sponsor
- A cross-functional project that affects multiple departments within an organization
- A strategic initiative for a large organization
Project #1: Project Risk Management – Small Project
In assessing the situation, you remember the boss made a big point about starting fast and avoiding a lot of project management paperwork and unnecessary meetings. So you decide to use a very minimal risk management process. When you finish the discussion about the project scope, you ask the boss, â€śWhat are the major risks you think we face in delivering that scope?â€ť The boss gives you three ideas of risks that had damaged similar project efforts. Then you ask, â€śWhat do you think we can do on this project to avoid having our efforts hurt by the same kinds of risks?â€ť The boss suggests that you avoid the problems with inter-department cooperation by involving the other departments early in the effort. He also points out that you can avoid delays resulting from people not coming to meetings by letting people attend by video conference. Finally, the boss suggests that you record the video conferences (after letting everyone know youâ€™re doing it) and send the video to the people who couldnâ€™t attend the meeting. You thank the boss without mentioning the fact that the two of you have just completed risk identification, qualitative risk analysis and risk response planning. All you say was that you will add those elements to the project plan and schedule.
In this example of a small project, you asked a couple of open-ended questions to tap into the bossâ€™s experience. You completed a very small risk management process. The project plan would now include risk responses and risk mitigations that may help this project avoid some known risks. Presenting Your Risk Plan
Project #2: Project Risk Management â€“ Cross-functional Project
This somewhat larger project involves stakeholders from several departments. Many of them may also be contributing team members. You begin very simply with identifying the risks during a meeting to which all of the identified project stakeholders and team members were invited. You describe the scope of the project and major deliverables and ask people to think back through their project experience about risks that could affect each of the deliverables. Your project charter has five high level deliverables and you focus the discussion on each of those in turn. You are careful to limit the discussion to the identification of risks and ask people to hold off on identifying the kind of risk response they think is appropriate. You want to hold that off until later. You encourage people to offer their ideas about risks. You also discourage people from criticizing any of the suggestions or evaluating their likelihood. You want as long a list as you can get from the group.
With your list of identified risks, youâ€™re ready to begin qualitative risk analysis. In qualitative risk analysis, you will assemble your group and focus on screening the risks using relatively quick and inexpensive qualitative techniques.Â You want to prioritize the risks in terms of their likelihood and potential impact on the project.
You use qualitative risk analysis as the only analysis to support risk response planning. The projectâ€™s scale does not justify the cost of quantitative analysis.
- Two members of the team and the project sponsor will subjectively set the impact and likelihood values for your risk and impact analysis.
- Neither the boss nor the team members have any experience in risk management. In the beginning, the boss thought the process was a waste of time.
After the group has completed risk identification, you have a list of 14 potential risks. You rejoin the other two members of the risk team in the bossâ€™s office and say, â€śHereâ€™s a form weâ€™ll use to get everyoneâ€™s assessment of the risks we face on the project. We want to describe each risk in terms of two separate dimensions:
- The probability or likelihood of the risk event occurring
- The impact it will have on the projectâ€™s costs or finish date or both, if it occurs.
Weâ€™ll use a simpleÂ scale with three choices for likelihood and for impact. Low â€“ meaning very unlikely to occur or a small impact.Â High â€“ meaning very likely to occur and a large impact. And Medium â€“ meaning betweenÂ those two extremes.â€ť
Figure 1 Risk Management Qualitative Risk Scores from Three Team Members (
You get ratings from the three team members 1=Low 6=high ThenÂ enter them in the formÂ and haveÂ the qualitative risk analysis results below.Â Using this data, you would select a risk response.
|1. Risk event||2. Likelihood||3. Impact||4. Risk Response|
Type of Response
|Turnover among engineers is over 20%||
|Â 5||Â 1||Â 1||Â 6||
|Â Transfer, Mitigate, Avoid 0r Accept with Contingency|
Figure 2Â P/I Results for Three Risks with
|Â Â Â Â MagnitudeÂ Â Â Â Â Â Â LowÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â MediumÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â HighProbability|
|Â MediumÂ Â Â Â Â||Donâ€™t use new procedure|
|Trouble Reports increase|
Then you say, â€śWe all seem to agree that while we have several risks, only one risk has both a high probability and a high magnitude and thatâ€™s the risk of engineer turnover. TheÂ other significant risk is that our customers donâ€™tÂ use the new procedureâ€ť
The boss says, â€śI thought this risk stuff was going to be a waste of time, but Iâ€™m already thinking of things we can do to educate the customers about the new procedures. That is one surprise I wouldnâ€™t want to hear about right before the end of the project.â€ť
For this department project, youâ€™re ready to move on to risk response planning.Â Having engaged the sponsor and the team in risk identification and qualitative analysis, you can carry out the aim of risk management, which is to take action in the form of risk responses before risks do any harm. That doesnâ€™t require fancy or sophisticated risk management techniques, just an effective process.
Project #3: Project Risk Management: Strategic Initiative for a Larger Organization
- TheÂ project risk management plan calls for using qualitative risk assessment as a screening tool to select the risk that will be put through quantitative analysis. You anticipate analyzing a dozen or more risks with quantitative analysis.
- Qualitative risk assessment is being done by three committees. Each one is focusing on a particular market segment the company serves.
- The risk steering committee will make a final determination about which risks go on to quantitative analysis. That committee includes the sponsor, senior VPs and you, the project manager.
You distribute the project risk management qualitative risk assessment form to the three risk committees.Â Since the team members are familiar with estimating probabilities and magnitudes, you use a 1-10 scale for the estimates.
Then you give the committee leaders theirÂ project risk management instructions, â€śHereâ€™s what weâ€™re going to do here. Each person will make an independent judgment about the probability of each of our risk events occurring and the impact on the project if they do. Weâ€™ll use a 1 to 10 scale for each assessment. So if a risk event is very likely to occur, you should give it a 9 or even a 10.Â For a risk event that is very unlikely, give it a score of 1 or 2.Â Youâ€™ll do the same thing on the impact. When you come to that decision, forget the probability of the risk event occurring. Simply assess how big an impact it will have. If its impact will bury the project and do us irreparable harm, you should score it a 10. If a risk event occurring has minimal impact on the project, give it a 1 or 2.â€ť
One team member asked, â€śArenâ€™t we going to discuss each risk first?â€ť
You answered, â€śNo, I think itâ€™s best if each person gives their assessment without being influenced by the others. Remember that we have people whose immediate superior is on the same committee.Â If people share their opinions before we each score the risks, the managerâ€™s opinion may count too much.Â Letâ€™s everyone make a judgment without knowing what the managers think. We may get better information with independent judgments and avoid some of the politics. For that same reason, weâ€™ll keep the ballots anonymous. Youâ€™ll notice there is no place to fill in your name.â€ť
A few days later, you gather the completed forms and tabulate the data into a spreadsheet designed for this purpose. The result is a table of data values and a graph for each committees. YouÂ take theÂ project risk management data and recommendations from each committee to the risk management committee that includes the sponsor and an executive vice president. You select one or two risks from each committeeâ€™s qualitative analysis and recommended that a quantitative analysis be conducted.
Because three of the risks on the chart aboveÂ have probabilities and impacts above eight, the committee decides that all three warrant quantitative analysis. They are particularly concerned about the risk of customers not using the new trouble report procedure. They ask you exactly what they will get from this quantitative analysis.
You say, â€śWe will start with an influence diagram we developed during risk identification. Then weâ€™ll gather some opinions from industry experts and build a decision network to analyze where we can have our biggest influence in avoiding that risk.â€ť
As the quantitative analysis proceeds, you and the other members sketch out ideas for mitigating, avoiding or transferring these risk to other organizations. Those strategies will be applied when the quantitative data is ready. You will have an expected value for each risk which will tell you how much expense you can justify to avoid each risk.
Project Risk Management Summary
The process above indicates how you can do a worthwhile risk analysis for a small project in a matter of minutes with larger investments in projects with greater scale and significance.