Project trade-offs are the best technique to use when you’re dealing with executives who want to make changes to the plan. Knowledgeable project executives understand the concept of balances or trade-offs when they want to add or delete something. They know that if they ask you to squeeze the duration by one month it will affect the scope, cost or risk. Those are the 4-corners of a project.
Unfortunately, some executives think they can shorten the duration of the project by a month without impacting the other three corners. In this project fantasyland, they believe they can increase the scope and the deliverables without affecting the duration (schedule), cost or risk. They think any changes they want to make to the project are “free.”
Project managers who allow project executives to live in this fantasy world are doomed to repeated project failures. Once you give the executive free changes to the project, he will keep requesting (or demanding) more changes.
Using the 4-Corners
Skilled project managers always talk to executives about trade-offs between the project’s 4-corners: scope, duration, cost and risk. They make the point that there are no “free lunch” changes. Every change to the project impacts the other corners and requires a trade-off. But tactically, the PMs never say “no” to a change. That never gets them anywhere. What they say is, “Yes, I can change the schedule to finish two weeks earlier. But that will increase the project cost by $14,000 to pay for overtime and hiring several consultants. Do you want to do that, sir? Do you want to trade off a two week earlier finish for a $14,000 increase in the budget?”
Project managers should talk trade-offs with executives during the initial planning and in the approval presentation. They should continue this discussion every week when change requests are submitted and as variances appear.
They also always have the data on the 4-corners and always carry an iPad or small PC so they can generate tradeoff data in a minute or two from their MS Project schedule. You need to quantify the scope, budget, rick and duration.
We teach this tradeoff technique in all our beginner and more advanced approach in our advanced classes. You can also read more on quantifying the 4-corners in our articles of risk management, scope definition, budgeting and scheduling.
Convincing managers and executives to support, fund and participate in Project Risk Management is often difficult. These decision-makers usually think risk management involves lots of long meetings and tons of paperwork. They view it as wasting large amounts of time and money. Project managers need to change the decision-makers’ thinking. You need to persuade these leaders that a minimal investment in project risk management is worthwhile. To do this, you start by gathering some data from a few failed projects. This data will let you identify the causes of your organization’s project failures. Then you can discuss the causes and explain them as risks that were not identified early, assessed properly and responded to quickly. Risk Management Main Page
If you make a reasonable case to the decision-makers, you can justify a short meeting devoted to risk management for the new project. You can schedule a lunch and invite the most knowledgeable project stakeholders to attend. You ask them to contribute their experiences on similar projects. The key to a successful first risk management meeting is to keep things short and efficient. The goal is for the group to identify one major risk the new project faces. Next do a quick assessment of the likelihood and impact, and plan one or two risk responses. The responses are ways to lessen the risk’s impact on the project. All this can be done during a lunch. Small Project Risk Management
You need to have the right people involved in identifying the risks and discussing ways of responding to them. Your aim is not to perform a complete risk management process. You’re simply demonstrating to these decision-makers that a little bit of time invested in risk management can pay big dividends. Remember that risks can be positive as well as negative. So don’t fail to raise the issue of positive risks; things that can shorten the duration and reduce the cost. Risk Responses
Watch the video where Dick Billows, PMP discusses project risk management techniques. It covers risk analysis and ways of developing risk responses, then justifying them to the users.
Bad things can and do happen on projects. Even the best fire-fighting can make the situation worse. The only solution is risk mitigation. And you need to do it early in the project. That’s when it is easier and cheaper to do. Risk mitigation is worthwhile even if you can only spend 10 minutes on it. If you can anticipate one significant risk and take steps to prevent it, that 10 minutes was time well spent. On even a small IT project, risk management is often worth the time and expense of a lunch if you get a few knowledgeable users and their manager to attend. You start risk mitigation by tapping into people’s experience from similar or related projects. Everyone knows that bad risks can make the project take longer or cost more. And good risks can make the project finish sooner and cost less. So you record their ideas about the project’s good and bad risks. Risk Management Main Page
Watch the video where Dick Billows, PMP discusses project management techniques focusing on risk mitigation for IT projects. The discussion covers qualitative and quantitative risk analysis as well as ways to develop risk responses and justify them to the users. Risk Responses
Advanced Risk Management
The best way to learn project risk management is through mentoring. That’s where your employer lets you work with an experienced project manager. Most of us at 4PM learned that way. We studied the risk management techniques an expert PM used on his/her projects. Then the mentor let us manage small projects until we knew how to do it right. That is a much more effective way to learn than sitting in a class of 25 or more people trying to learn from an academic. Small Project Risk Management
You should spend some time doing Project Risk Management even if your project is small. Let’s say your boss is the sponsor and your project has just two team members. That means you will be completing tasks as well as performing project manager duties. Most projects are small like this but you still should perform some Project Risk Management on them. Risk Management Main Page
Now you shouldn’t tell anyone that you are starting the Project Risk Management process. That will make them think you’re going to waste time doing fancy mathematics, having all kinds of useless meetings and generating worthless paperwork. But you’re not going to do that fancy, expensive stuff. You’re just going to do simple risk management so you can solve some problems early in the project. In fact, risk management lets you solve some problems before they start.
This early problem solving begins during the planning phase. Let’s say your project is to reorganize the department’s supply room. First you identify the problems (risks) that may affect the project. Then you think about how likely each of those problems is to occur and what the damage will be if they do. The ones that are likely to seriously affect the project are the ones you should do something about. Next, you analyze the identified problems and think about how you might avoid each one. In other words, you think about how you might dodge them completely.
Project Risk Management – Early Problem Solving
For example, when you think about the problems your supply room project will face, you come up with two of them that are likely to occur and will have a big impact if they do. The first problem is that people may not keep the supply room well-organized after you finish the cleanup. The second problem is that it will take people longer to find what they want than it does now because the supplies will probably be in different places. Let’s tackle each of these problems (risks) separately.
The first risk comes down to making sure that the new organization of supplies is maintained. You and your two project team members discuss possible incentives for the people who stock the supply room shelves. You believe you can avoid this problem if you involve the staff in the design of the supply room and hold them accountable for maintaining it. The three of you agree on that task and you add it to the project plan.
You go on to the second risk of people not being able to find the supplies they want because the supplies have been moved to different locations. You certainly don’t want complaints about your reorganization. So you discuss what would make it easy for people to find things. You finally agree to place the high-volume supplies, the ones that are needed most often, near the entrance to the supply room. After you’ve included the supplies that cause two-thirds of the trips to the supply room, you agree to organize the remaining items by category (paper products, writing instruments, clips and staples, etc.).
The amount of risk management you do depends on the size of your project. On a very small project, the risk management effort might be completed over a lunch with the project manager, the sponsor and some team members. Here’s what that discussion will do:
Identify the risks the project faces
Assess the likelihood of the risk occurring and the size (magnitude) of its impact on cost and duration if it occurs
Develop risk responses to avoid or reduce the impact of the risk.
Project Risk Management Steps
Here are the steps you can follow for your project risk management process. You may do some or all of them, depending on the size and complexity of your project.
You and the team members begin by reviewing the list of identified risks, both positive and negative. That list is called the risk register. Then each person assigns a rating of high, medium or low to the likelihood (probability) of each risk occurring and the size (magnitude) of the impact if it does.
You gather and correlate the individual assessments of probability and magnitude and calculates the average for each risk in the risk register.
You and the team members review the average ratings and select those risks that are important enough to justify a response. This is called qualitative risk analysis.
You present the qualitative risk analysis to the project sponsor. The goal is to obtain their approval to plan responses to the risks.
You and the team members develop risk responses for the positive and negative risks. For positive risks, you design the response to increase the probability and/or the magnitude of the beneficial impact. For negative risks, the response should decrease the probability or magnitude of the adverse impact. Risk Responses
You present the recommended risk responses along with an analysis of their impact on the project’s cost, schedule and budget. For the risk responses that the sponsor approves, the project manager makes changes to the project plan, schedule and budget to reflect those risk responses.
Summary of Project Risk Management
Even on small projects, risk management helps you identify and solve problems before you begin work. This increases your project success rate, which helps you advance your career.
You can learn more about managing risks in our online project management courses. You work privately and individually with a expert project manager. You control the schedule and pace and have as many phone calls and live video conferences as you wish. Take a look at the course in your specialty.
At the beginning, when you and Dick talk to design your program and what you want to learn, you will select case studies that fit the kind of projects you want to manage. Chose you course and then select the which specialty case study from business, or marketing, or construction, or healthcare, or consulting. That way your case studies and project plans, schedules and presentations will fit your desired specialty.
It’s difficult to persuade executives to invest time and money on risk management to avoid or limit risks. They prefer “being ready to react” when bad stuff happens. They think that is cheaper than spending money on what they often see as a bureaucratic process with pointless meetings and lots of paperwork. So their decision is to “keep our eyes open for trouble.” They don’t want to waste money, and possibly delay the project’s start, by identifying and planning for risks. This is a poor decision. Even a small amount of risk management, as little as one hour, can have a significant payback if it allows you to avoid one or two problems.
Project managers need to make the case that even a small amount of time on Risk Management, like a lunch meeting with the right people, can repay the investment by avoiding problems. The best way to make this point is to discuss some recent project failures. You can cite the problems that brought those projects down and explain how a bit of risk management, response planning and early problem solving might have saved the day. Risk Management Plan
Risk Management for Different Size Projects
After you gain approval for a Risk Management effort, you need to move ahead carefully with a bare bones approach. In the beginning, you need to build your credibility and that of risk management with a handsome return for the risk investment. You also need to use the correct set of risk management techniques to fit the size and scale of each project. One size does not fit all. You need to tailor your approach so it fits the project and yields a high return on the investment.
Watch this video on risk identification.
Risk Management: Risk Identification
There are five components in the full Risk Management process. But you will rarely use all of them.
Risk identification – identify those positive and negative risks that might affect the project
Qualitative risk analysis – fast, low-cost risk evaluation with no research or data gathering
Quantitative risk analysis – slower, expensive research into the risk’s probability and impact
Risk response planning – ways to mitigate, avoid or eliminate the risk’s effect. Risk Strategy
Risk monitoring & control – monitoring so you can launch a risk response when needed.
You must control how much time and money you spend in each of these steps. Depending on the project, you may entirely skip one or two of the steps to cut the time and cost. You will do the less expensive qualitative risk analysis on most projects. On a small project, you can invest as little as an hour in total on risk identification, qualitative risk analysis and risk response planning. You will spend only what it cost to buy coffee for the group. But on some projects, your qualitative risk analysis might deserve 6 hours of work and include getting ideas and data from a dozen stakeholders. On larger projects with massive risks, you may do all five of the steps and spend weeks or months and thousands of dollars.
Risk Management: Examples of Three Plans
Let’s look at some Risk Management examples and see how you might use them for three different size projects:
A project done within a department where the PM and team all report to the project sponsor
A cross-functional project that affects several departments in an organization
A strategic initiative that affects all areas in a large organization
Project #1: Risk Management for a Small Project
In assessing the situation, you remember the boss made a big point about starting fast and avoiding a lot of project management paperwork and unnecessary meetings. So you decide to use a very small risk management process. When you finish the discussion about the project scope, you ask the boss, “What are the major risks you think we face in delivering that scope?” The boss gives you three examples of risks that had damaged similar project efforts. Then you ask, “What do you think we can do on this project to avoid having our efforts hurt by the same kinds of risks?” The boss suggests that you avoid the problems with inter-department cooperation by involving the other departments early in the effort. He also points out that you can avoid delays resulting from people not coming to meetings by letting people attend by video conference. Finally, the boss suggests that you record the video conferences (after letting everyone know you’re doing it) and send the video to the people who couldn’t attend the meeting. You thank the boss without explaining that the two of you have just completed risk identification, qualitative risk analysis and risk response planning. All you say is that you will add those elements to the project plan and schedule.
In this example of a small project, you asked a couple of open-ended questions to tap into the boss’s experience. You completed a very small Risk Management process. The project plan will now include risk responses and risk mitigations that may help this project avoid some known risks. Project Risk Management
Project #2: Risk Management for a Cross-functional Project
This somewhat larger project involves stakeholders from several departments in the organization. Many of them may also be project team members. In a meeting with all the identified project stakeholders and team members, you describe the scope of the project and the major deliverables. Then you ask the people to think about risks that could affect each deliverable. Your project charter has five high-level deliverables and you focus the discussion on each of those. You limit the discussion to identifying the risks and their ideas about those risks. You ask them to hold off on defining the kind of risk response they think is appropriate. You also discourage people from criticizing any of the suggestions or evaluating their likelihood. In qualitative risk analysis, you want the group to come up with a list that’s as long as possible.
With your list of identified risks, you’re ready to begin qualitative risk analysis. You will assemble your group and focus on screening the risks using relatively quick and inexpensive qualitative techniques. You want to rank the risks in terms of their likelihood and potential impact on the project. You use qualitative risk analysis as the only analysis to support risk response planning. The project’s scale does not justify the time and cost of quantitative analysis. Neither the boss nor the team members have any experience in Risk Management so they will subjectively rate the impact and likelihood values for your risk and impact analysis.
After they have completed their task, you have a list of 14 potential risks. You then say, “Here’s a form we’ll use to get everyone’s assessment of the risks we face on the project. We want to describe each risk in terms of two separate dimensions:
The probability or likelihood of the risk event occurring
The impact it will have on the project’s costs or finish date or both, if it occurs.
We’ll use a simple scale of 1 to 6 with three choices for likelihood and for impact. Low – meaning very unlikely to occur or a small impact. High – meaning very likely to occur and a large impact. And Medium – meaning between those two extremes.”
Figure 1 – Risk Management Qualitative Risk Scores from Team Members
You get ratings from the team members: 1=Low 6=High. Then you enter them in the form and have the qualitative risk analysis results below. Using this data, you would select a risk response.
1. Risk event
4. Risk Response
Type of Response
Turnover among engineers is over 20%
Transfer, Mitigate, Avoid 0r Accept with Contingency
Figure 2 – P/I Results for Three Risks
Magnitude Low Medium HighProbability
Don’t use new procedure
Trouble Reports increase
Then you say, “We all seem to agree that while we have several risks, only one risk has both a high probability and a high magnitude and that’s the risk of engineer turnover.
The boss says, “I thought this risk stuff would be a waste of time but I’m already thinking of things we can do to reduce engineer turnover. That is a surprise I wouldn’t want to hear about right before the end of the project.”
For this department project, you engaged the sponsor and the team in risk identification and qualitative analysis. Now you’re ready to move on to risk response planning. The aim of risk management is to take action by forming risk responses before the risks do any harm to the project. It doesn’t require fancy risk management techniques, just an effective process.
Project #3: Risk Management for a Strategic Project for a Larger Organization
The project risk management plan calls for using qualitative risk analysis as a screening tool to select the risks that you will put through quantitative analysis. You anticipate analyzing a dozen or more risks with quantitative analysis.
Three committees will do qualitative risk assessment. Each one is focusing on a particular market segment the company serves.
The risk steering committee will make a final decision about which risks go on to quantitative analysis. That committee includes the sponsor, senior VPs and you, the project manager.
You distribute the project risk management qualitative risk assessment form to the three risk committees. Since the team members are familiar with estimating probabilities and magnitudes, you use a 1-10 scale for the estimates.
Then you give the committee leaders their project risk management instructions, “Here’s what we’re going to do here. Each person will make an independent judgment about the probability of each of our risk events occurring and the impact on the project if they do. We’ll use a scale of 1 to 10 for each assessment. So if a risk event is very likely to occur, you should give it a 9 or even a 10. For a risk event that is very unlikely, give it a score of 1 or 2. When you come to the impact decision, forget the probability of the risk event occurring. Simply assess how big an impact it will have. If its impact will bury the project and do us irreparable harm, you should score it a 10. If a risk event has minimal impact on the project, score it a 1 or 2.”
One team member asks, “Aren’t we going to discuss each risk first?”
You answer, “No, I think it’s best if each person gives their assessment without being influenced by the others. Remember that we have people whose immediate superior is on this committee. If people share their opinions before we each score the risks, the managers’ opinion may count too heavily. I want everyone to make their own judgment without knowing what the managers think. We may get better information with independent judgments and avoid some of the politics. For that same reason, we’ll keep the ballots anonymous. You’ll notice there is no place to fill in your name.”
A few days later, you tabulate the data from the completed forms into a spreadsheet designed for this purpose. The result is a table of data values and a graph for each committee. You take the risk management data and the recommendations from each committee to the risk management committee. That committee includes the sponsor and an executive vice president. You select one or two risks from each committee’s qualitative analysis and recommend conducting a quantitative analysis.
Because three of the risks have probabilities and impacts above eight, the committee decides that all three need quantitative analysis. They are particularly concerned about the risk of customers not using the new trouble report procedure. They ask you exactly what they will get from this quantitative analysis.
You say, “We will start with an influence diagram we developed during risk identification. Then we’ll gather some opinions from industry experts and build a decision network to analyze where we can have our biggest influence in avoiding that risk.”
As the quantitative analysis proceeds, you and the other members sketch out ideas for mitigating, avoiding or transferring these risk to other organizations. You will apply those strategies when the quantitative data is ready. You will have an expected value for each risk which will tell you the time and cost you can justify to avoid that risk. Risk Management Plan Presentation
Risk Management Summary
You can do a worthwhile risk analysis for a small project in a matter of minutes. You’ll invest more time and use more advanced techniques, like qualitative and quantitative risk analysis, for projects with greater scale and significance.
You can learn how to manage risks in our advanced project management courses. You’ll work privately and individually online with an expert project manager. You control the schedule and pace and have as many phone calls and live video conferences as you wish. Take a look at the course in your specialty.
The project management risk process has a bad reputation among executives. Often that reputation is well deserved. Too many project managers get carried away with fancy mathematics, too many meetings and far too much paperwork. The cost and level of effort are out of proportion to the benefits the project receives from the risk management effort. Executives who have seen project managers waste a great deal of time with endless risk meetings and generation of mountains of paperwork often decide they want no risk management. Many executives won’t support risk management, even on large projects where it is vitally important. They want to get started fast and fight fires as they come up. Project managers face an uphill battle even if there are significant risks that can and should be addressed. Project Risk Management Main Page
Project Management Risk – Firefighting
In the eyes of the executives, firefighting instead of managing risks seems like a more prudent and economical course. It’s easy for people to convince themselves that when a risk event occurs they can quickly muster the resources to fight the fire, put it out and quickly get back to work. This mental model of firefighting is not very realistic. If one of the major risks occurs for which they have no planned response, work on the project comes to a screeching halt. People are pulled off their project work to take part in emergency planning for what to do about the risk and who should do it. Very often the team is simply frozen by the surprise risk event. It may take weeks or months to recover the lost initiative and productivity.
Project Management Risk – Three Levels
There is a middle ground between firefighting and overly elaborate risk management planning and implementation. This middle ground begins with an assessment of the project itself and then scaling the risk management effort to fit the project. You should tailor your risk management to the size of the project so the benefits exceed the cost of the analysis.
Project Management Risk Level 1 – for small projects typically done within an organizational unit. Small projects with small project teams and a relatively limited duration have risk management plans that you can formulate over a lunch with the sponsor and one or two team members. A very quick and subjective process can identify no more than four risks that could substantially reduce the project scope or increase its duration/budget. Then you do a “quick and dirty” qualitative analysis to judge the probability of the risk occurring and the magnitude if it does. You’re not doing any math here. You discuss people’s opinions about how likely and how big a deal the risk is. Finally, you’ll lay out the steps you could take to reduce the likelihood of the more significant risks occurring. Those are the risk responses that you put into the project plan. Your risk management planning is complete. This process lets you show significant benefits for a minimal investment.
Project Management Risk Level 2 – for projects that span organizational departments. That means it has stakeholders from a number of different functional areas or technical specialties. You’ll do a bit more analysis of the probability and magnitude of the impact of the risks, if they occur. You’ll also develop a formal risk response plan.
Project Management Risk Level 3 – for projects that impact the entire organization and possibly external customers. You’ll do quantitative risk analysis to provide data on the probability of a risk occurring and the magnitude if it does. You will most likely gather data on the probability of various risk events occurring. This data may come from project teams’ own experiences. Alternatively the scale of the project may justify hiring consultants who would conduct the data gathering as well rigorous statistical analysis.But the end result is the probability of the risk occurring and the magnitude of the dollar or duration impact if it does. From those numbers you can calculate the expected value of each risk. This allows you to put a ceiling on the amount you can spend on each of your risk responses. This level of risk management also requires you to develop a formal risk response plan.
You can enhance your PM skills and master the art of managing project risks in our online project management courses. You work privately and individually with an expert project manager. You control the schedule and pace and have as many phone calls and live video conferences with them as you wish. Take a look at the course in your specialty.
Here is How To Do Risk Analysis for your project. After you have identified the risks your project faces, you need to do a risk analysis to determine which ones call for a risk response and which do not. The purpose of risk analysis is to rank the list of identified risks in order of significance or importance. Your risk analysis focuses on qualitatively assessing the probability that the risk will occur and the magnitude of its impact if it does. You will use this qualitative risk analysis to decide which risks are important enough to warrant a risk response. Risk Management Main Page
How To Do Risk Analysis: Step 1 – Qualitative Analysis
Qualitative analysis assesses how much the risk could hurt the project but is doesn’t use any numbers. Qualitative analysis has the benefits of being cheap and fast but it lacks precision. You can easily do qualitative analysis by meeting with three or four team members and stakeholders in the cafeteria for coffee. You list the risks you have identified that can possibly affect the project. For each risk, you ask them to assess whether it is very likely to occur, moderately likely to occur or unlikely to occur. When you have that information from each attendee, you ask them about how much damage the risk will cause if it does occur. Will it cause just a little damage, a medium amount of damage or a lot of damage?
As you can see, this is not a very precise method but it does give you the opinions of your stakeholders and team members. If you have any risks that are very likely to occur and will cause significant damage, you will plan a risk response for those risks. The less significant risks you have identified are things you will watch out for but you won’t plan a formal risk response for them. On smaller projects, you will probably limit the risk analysis to these qualitative techniques and planning risk response(s) for the significant risks. Small Project Risk Management
You may also decide that one or two risks are so significant you should preform a quantitative risk analysis. The cost of the higher-level quantitative risk analysis probably requires the sponsor’s approval. Risk Responses
How To Do Risk Analysis: Step 2 – Quantitative Analysis
Quantitative risk analysis is both expensive and time-consuming. Usually, it is done only on very large projects which face very significant risks. Only in that situation could you justify the cost and weeks or months of effort which can go into a quantitative analysis. Regardless of which quantitative risk technique you utilize, the end result is the expected value of the risk. You calculate that by multiplying the probability of the risk occurring times the magnitude of the impact if it does occur.
Here’s an example. Let’s say your quantitative risk analysis determined there is a 0.001% chance that the company headquarters would be destroyed by a tornado during the coming four months. It also estimated that the magnitude of that risk (the damage that the tornado would cause) could be valued at $800,000. Now that risk probability is pretty small but the magnitude is pretty large. To combine them into a single number that lets you make a good decision, you would multiply that probability times the magnitude and come up with an expected value of the risk of $800. What that expected value means is that if you did this project 10,000 times with the same tornado risk, the average damage would be $800. So you can’t justify spending more than that amount ($800) to avoid the tornado risk. The quantitative risk analysis says you can have only a very limited risk response program if you must keep the cost under $800, the expected value of the tornado risk. Presenting Your Risk Plan
To learn more about how to manage project risks, consider one of our online project management courses. You work privately with a expert project manager. You control the schedule and pace and have as many phone calls and live video conferences as you wish. Take a look at the courses in your specialty.
Managing project risks is a touchy subject with project sponsors. The majority of executives who sponsor projects are hesitant to authorize risk management efforts. This is because in the past many executives have gotten burned by risk management efforts that cost a great deal of time and money and produced little or no results. So it’s hard to get the sponsor’s approval to do risk management. Often executives will say, “Start work and we will put out fires when they occur.” But firefighting is not the way to succeed on projects. Project Risk Management Main Page
There is an unfortunate emphasis in many organizations on firefighting as opposed to careful planning. This includes planning for the risks the project faces. Many project sponsors like the idea of not committing to highly detailed project plans. They think, and rightly so, that this limits their ability to “be flexible” and make changes whenever they want. Project managers who buy into this thinking have happy sponsors in the beginning of the project because they can start work fast. In this situation, the team puts little effort into project planning and there certainly is no project risk management. Unfortunately, the same project managers are routinely surprised by risk events that easily could have been anticipated during the planning phase. Because there was no risk management, the team has to stop work and figure out what to do about the risk(s) that smacked them in the face.
Managing Project Risks The Wrong Way
Let’s think about what happens when a project manager and team rely on firefighting instead of having a well thought out risk response plan. Let’s talk about a specific example. A project manager is relying on an outside contractor to produce a “super tech” deliverable that is required by three major project deliverables. In other words the super tech is an input to three other deliverables. There had been discussion among the project team and the organization’s legal staff about the contract with this vendor. But the team had worked with him before and assumed the super tech deliverable would be exactly what they need.
The project has started fairly quickly because no detail plan is being formulated. Over the first month everything goes well but then the vendor calls and says, “Super tech is going to be delayed because four of my best people have just walked off the job to go to work for a competitor in California. I don’t know where the heck I’m going to find people to do your super tech work. But I’ll get to work on it right now and keep you posted.” The project manager tries to find out how much of a delay they’re facing and the vendor says there’s no way to tell at this point.” The project manager also reminds the vendor that there’s a contract requirement to deliver super tech by the end of June. The vendor says, “That’s a long way away. I’m sure we’ll get it worked out by then.”
The project team is stuck because they gave no thought to the possibility of the vendor being unable to produce the deliverable by the end of June. They had done no risk analysis or planning about this critical project deliverable. There was no contingency plan and no money to pay for hiring another contractor to do the work. They also hadn’t planned for the option of buying a pre-built or “canned” deliverable as a substitute for super tech. So the project team must stop work on other project activities while they and the project manager try to find other options for super tech. Even if they find a substitute, the project will be significantly late because of the delay.
This type of risk event occurs all the time. People who try to respond to this type of risk with firefighting fail to recognize one thing. All the thinking that they’re going to do in this firefight should have been done as part of the risk management process. Then they would have had a contingency plan approved by the sponsor which they could implement the moment the contractor called with bad news.
When the project is late and over budget because of a couple of these risk events the sponsor’s not happy. Project managers need to remind executives of these failed projects to “sell” them on the need for risk management on future projects. Presenting Your Risk Plan
Managing Project Risks The Right Way
A risk management process can pay big dividends, particularly when it is scaled to fit each project. In fact, the entire risk management effort for a small project can take place during lunch with the sponsor. The sponsor and project manager spend one hour to identify the risks, analyze them and plan ways to avoid or mitigate the significant ones. There are bare-bone risk management techniques that don’t require a lot of paper work. Small Project Risk Management
To learn more how to manage project risks, consider our online project management courses. You work privately with a expert project manager. You control the schedule and pace and have as many phone calls and live video conferences as you wish. Take a look at the courses in your specialty.
Here is how to plan a Risk Strategy for your project. You have gone through the risk identification process and you have done qualitative analysis of those risks. You may have also done quantitative analysis on a few major risks. Now you have your data on the probability of each risk occurring and the magnitude of the impact (on duration and/or cost) if it does happen. Risk Management Main Page
Let’s look at some examples. Say that each project has two risks:
Risk A is that turnover among the project engineers will exceed 15% year.
Risk B is that serious flooding during the spring will require the project team to relocate.
If you’re planning your Risk Strategy based on qualitative data, you have asked your team to subjectively evaluate the probability and magnitude of each risk. It will be in the form of:
Risk #A has a high probability of occurring and a high impact on the project if it does occur.
Risk #B has a low probability of occurring and a medium impact on the project if it does occur.
If you’re quantifying the probability and impact, you will have gathered data from historical records or experiments and will be able to summarize it like this:
Risk #A has a 14% probability of occurring and a $20,000 impact if it does The expected value of the risk is $2,800 (.14 x $20,000).
Risk #B has a 5% probability of occurring and a $1,000 impact if it does. The expected value of the risk is $50 (.05 x $1,000).
The quantitative risk analysis in your Risk Strategy is more usable than the qualitative analysis. It also costs a great deal more to develop. The numbers are particularly useful because they allow you to calculate the expected value of the risk. That expected value, which you get by multiplying the probability times the magnitude of the impact, puts a ceiling on what you can spend to completely avoid the risk. You don’t have this information when you limit yourself to qualitative analysis. But you need to plan your Risk Strategy regardless of the limitations of your information. Small Project Risk Management
Risk Strategy: What Risk(s) to Focus On
Risk Management: Risk Response Plan
You, the sponsor and stakeholders might decide to focus your Risk Strategy on risk #A – engineer turnover. You would accept risk #B – relocation due to flooding – because its probability and magnitude are small, based on both the qualitative and quantitative data. That means you will not plan any specific risk mitigation, avoidance or transfer to avoid the risk’s effect. You won’t spend any money trying to avoid or mitigate the risk. However, your Risk Strategy will include a contingency plan for this accepted risk. That plan will detail how to respond to the flooding risk if it occurs. The contingency plan might focus on identifying two available office locations that are nearby.
Then you would focus your attention on the more significant risk. Because risk #A – engineer turnover – is a negative risk you can use three Risk Strategies, individually or in combination.
Avoid the risk. This Risk Strategy requires you to alter the project plan to completely eliminate the source of risks. In this example, you might purchase the deliverable “off-the-shelf” so you don’t have to develop it yourself. So engineer turnover would not harm the project.
Transfer the risk. This Risk Strategy is similar to buying insurance for the risk. If you were concerned about a tornado, you might buy tornado insurance. For the engineer turnover risk, you might contract with an engineering consulting firm to provide the hours of engineer work you require.
Mitigate the risk. This Risk Strategy requires you to reduce the probability of the risk occurring and/or the magnitude of the risk if it does occur. These mitigation actions usually require you to spend money and the limitation is the expected value of the risk you calculated above. One mitigation might be to raise the salaries of your engineers to reduce the probability of their being hired by another firm. You might also hire two additional engineers which would lower the impact of turnover because you would have the extra staff immediately available. You often can’t completely eliminate the risk with mitigation. You merely reduce the probability and/or the magnitude of its impact. You have a remaining part of the risk that you have to accept and for which you would develop a contingency plan.
Risk Strategy: Involve the Team
Remember that the expected value of that risk of turnover among the project engineers is $2,800. That means you can’t spend more than that amount, even if you eliminate the risk entirely. That is the spending ceiling on the risk response. You would gather the risk management team together and ask for ideas that would reduce the project engineer turnover to 15% or less.
One team member might suggest that all the engineers working on the project receive a $200 bonus if they stay until the project is completed. With 14 engineers, there would be sufficient money to pay that bonus amount but then you would need to completely eliminate turnover above 15%. A number of members of the team might raise an objection. They say that engineers who are offered a substantial pay increase by another firm would not stay on the project for as little as $200. They also suggest that if other members of the project team didn’t receive a similar bonus it might create even larger morale problems. You would for other ideas for holding down turnover. A team member could suggest hiring additional engineers for the project team. This would give you the capacity to absorb turnover above 15%.
A few minutes of Risk Strategy, even on a small project, delivers a good return in proportion to the cost.
Risk Strategy: A 3-Tier Response Approach
Project managers often skip the Risk Strategy process because the sponsor wants them to start quickly without wasting time on “useless paperwork” like risk management. This dooms you to non-stop fire fighting for the life of the project. We use a 3-tier Risk Strategy approach for projects of different scale and importance. On even a small project, you can do a simple risk assessment, investing as little as an hour and possibly saving days of lost time. That’s why we recommend using a 3 tiered Risk Strategy so you can match them to the scale and significance of the project. Here are definitions of the tiers:
Tier 1 – A project done within a department or small company where the PM and team all report to the project sponsor.
Tier 2 – A cross-functional project which affects multiple departments in the same organization.
Tier 3 – A strategic initiative or consulting engagement that includes both technical expertise and project management services for an outside client or customer.
Risk Strategy: Risk Management Template
Here are 5 risk management steps that lead to your Risk Strategy planning:
Identify the risks that threaten delivering the scope on time
Qualitatively assess the probability of the risk occurring
Qualitatively assess the magnitude of the impact if the risk occurs
Select the most significant risks
Plan how to avoid them or minimize the damage if we can’t avoid them.
In risk identification, you are simply harvesting as many risks as you can without making judgments about their significance. When you have the list of risks, you’re ready to begin qualitative risk analysis. That’s where you focus on evaluating the significance of each risk using relatively quick and inexpensive techniques. Specifically, you are assessing the likelihood a risk will occur and the impact (cost and time) if it does occur. You use these assessments to prioritize our risks in terms of their significance.
Risk Strategy: Three Situations
Tier 1 – In-department Project Risk Situation
The PM and two team members spend 30 minutes on risk identification with a limit of 7 risks in two risk categories that threaten project success.
The PM and two team members spend 30 minutes on qualitative/subjective risk analysis. This is the only support for the risk response plan because the project’s scale does not support the cost or time for quantitative analysis. The two members of the team and the project sponsor will subjectively set the impact and likelihood values for risk and impact analysis.
The PM and sponsor will agree on the risk response plan in 30 minutes.
Let’s look in on how the process would work. For an in-department project, risk identification and qualitative analysis is all we’ll do before planning our risk responses.
The PM and the two team members take a short lunch and talk about the risk events that could cause them to fail to deliver the project scope. Then they discuss events that would affect finishing the project on time. They return with a list of 7 risks to consider. Six are negative risk events. The last is a positive risk event that would let them finish a week early.
After they’ve completed the risk identification, the PM and the two members of the team go to the PM’s cubicle. The PM smiles at them and says, “We’re 1/3 done. Now let’s spend about 30 minutes analyzing the risks we identified.
Here’s a form we’ll use to get everyone’s assessment of the risks we face on the project. We want to describe each risk in terms of two separate dimensions; 1.) the probability or likelihood of the risk event occurring and 2.) the impact it will have on the project if it occurs. We’ll use a simple scale with three choices for probability and for impact:
low – meaning very unlikely to occur or a small impact
high – meaning very likely to occur or a large impact and
medium – between those two extremes.”
Following the risk assessment, the project manager charts the results, asks the boss to join them, and displays the simple grid for the group.
The PM says, “We all seem to agree that while we have several risks, only one risk has both a high probability and a high magnitude and that’s the risk of customers not using the new procedure.”
The boss says, “I thought this risk stuff was going to be a waste of time, but I’m already thinking of things we can do to educate the customers about the new procedures. That is one problem I would not want to hear about at the end of the project.”
Following the boss’ comments, the group begins to assemble a strategy. First, they discuss possibilities for changing the project plan in a way that allows them to completely avoid this risk. But it doesn’t take long before they realize there’s no way to avoid the customers having to learn the new trouble ticket procedures. They also briefly discuss being able to transfer this risk to another party and “buy insurance” to avoid the consequences. The boss brings that discussion to an end by telling them no training firm would undertake responsibility without charging them tens of thousands of dollars.
With limited strategies for avoiding and transferring the risk, the group focuses on mitigation. One mitigation that everyone likes is distributing professionally designed instruction manuals for the customer. That includes a laminated one page crib sheet to help them easily follow the new procedure. The boss agrees that wouldn’t cost very much and welcomes the idea of adding that mitigation to the project plan. They spend a few more minutes discussing other options including writing profiles of customers who did well with the new procedure and including it in the company magazine. No one likes that idea so they stick with the customer instruction manual mitigation idea. That brings their risk response planning to an end.
Tier 2 – Cross-functional Project Risk Situation
The risk management plan calls for using qualitative risk assessment as a screening tool for quantitative analysis.
The PM anticipates that they will analyze 12 or more risks in an intensive quantitative analysis.
Three committees will perform qualitative analysis. Each one is focusing on a particular category of risk within the categories supplied by the organization.
The sponsor will decide which risks go to quantitative analysis.
The cross-functional project manager distributes the qualitative risk assessment form to each of the three risk committees to use in assessing the project’s risks. The team members are quite familiar with estimating probabilities and magnitudes so the project manager uses a 1-10 scale for the estimates. The first page of one committee’s form looks like this:
Then the project manager gives the committee leaders their instructions, “Each person will make an independent judgment about the probability of each risk event occurring and the impact on the project if it does. We’ll use a 1 to 10 scale for each assessment. So if a risk event is very likely to occur you should give it a 9 or even a 10. For a risk event that is very unlikely, give it a score of 1 or 2. We will do the same thing on the impact. When you come to that decision, forget the probability of the risk event occurring. Simply assess how big an impact it will have if it occurs. If its impact will bury the project and do us irreparable harm, you should score it a 10. If a risk event has minimal impact on the project, give it a 1 or 2.”
One of the team members says, “Aren’t we going to discuss each risk first?”
The project manager answers, “No. I think it’s best if each person gives their assessment without being influenced by the others. Remember that we have people whose immediate superior is on the same committee. If people reveal their opinions before we each score the risks, the manager’s opinion may count for too much. Let’s have everyone make a judgment without knowing what the managers think. We may get better information with independent judgments and avoid some of the politics. For that same reason, we’ll keep the ballots anonymous; you’ll notice there is no place to fill in a name.”
A few days later, the project manager gathers the completed forms from the committees and tabulates the data into a spreadsheet designed for this purpose. The result is a table of data values and a graph for each of the committees.
The cross-functional project manager takes the committees’ data and recommendations to the risk management committee which is made up of the sponsor and an executive vice president. The project manager selects one or two risks from each committee’s qualitative analysis and recommends quantitative analysis.
Three of the risks have probabilities and impacts above eight so the committee decides that all three warrant quantitative analysis. They are particularly concerned about the risk of customers not using the new trouble ticket procedure. They ask the project manager exactly what they will get from this quantitative analysis.
The project manager says, “We will start with an influence diagram that we developed during risk identification. Then we’ll gather some opinions from industry experts and build a decision network to analyze where we can have our biggest influence in avoiding that risk.” On this larger and more significant tier #2, cross-functional project, the decision-making about risk response strategies can be much more extensive. It can also involve substantially larger costs than the tier #1, in-department project.
A committee of executives will make final risk decisions based on detail work developed by risk committees focusing on special categories of risks.
The size of the project budget and its strategic significance for the client warrant elaborate quantitative analysis, which has been included in the risk-management plan.
The budget for quantitative risk analysis includes funds to pay experts’ fees and for research and data gathering. Presenting Your Risk Plan
The project manager presents the qualitative risk analysis information to the client’s management. Because these executives are familiar with making decisions based on data, the PM consultant includes qualitative measures of probability and impact and as well as data precision value. One of the executives asks, “What is the significance of that data precision score? Didn’t our people do a good job in the risk assessment?”
The consulting project manager answers, “No, that’s not the case at all. That data precision score is reflective of the accuracy and validity of the data we have about each of the risks. It reflects our understanding of the risk, the amount of information we have available about it and the reliability and integrity of that data. The score is based on my firm’s collective experience with projects of this type. As you can see, there are a number of risks about which we know a great deal. As an example, the quality of the data we have about the third risk on the list is quite good. We have very reliable data from the company’s own quality control and quality assurance processes and I have given that risk a data precision score of 80 to reflect the quality of that data. On the other hand, the risk we are most concerned about is that the customers will not utilize the new trouble ticket procedure. I’ve given that a low data precision score because your organization has very little information. What we have is about other segments and is of questionable reliability. We are concerned about the risk because of its high probability and high magnitude. But frankly, the absence of good data is equally important. For that reason, I’m going to suggest we do a Monte Carlo simulation so we can more accurately assess the impact of that risk on the project’s overall duration and budget.”
The client executives accept the consulting PM’s recommendations and the list of prioritized risks. They authorize the project team to move on to quantitative risk analysis. For this very large strategic initiative level project, the quantitative analysis process can easily take months and include substantial and expensive data-gathering efforts. They will provide a better assessment of customer behavior and how it could be changed. From that data-gathering phase, the decision-makers will have sophisticated simulation information which would trigger the brainstorming process of the Risk Strategy.
Successful project managers always have a Risk Management Plan to avoid fires on their projects. That’s much better than putting out the flames after they have ignited. These PMs don’t need “all-hands” emergency meetings when something unexpected happens. They don’t need to bring all project work to a halt and give people new tasks to respond to a crisis. Instead, at the beginning of a project they design a Risk Management Plan that includes risk identification, risk analysis, risk strategy and risk response planning. They identify the most likely risks that will significantly impact the project and they plan for dealing with them. Then there is no emergency. There is no frantic reassignment of duties. The project team simply executes the Risk Management Plan they developed months before. Risk Management Main Page
Project managers who skip the Risk Management Plan do so because the sponsor wants them to start work quickly without “wasting time” on things like risk management. This will probably doom the PM to fighting fires for the rest of the project. Even on a small project, you can undertake a simple risk assessment process. By investing as little as an hour at the beginning of the project, you’ll possibly save dozens of hours later. You can use the project risk management steps below with your team and/or stakeholders.
Risk Management Plan in Theory
The Risk Management Plan is a concept with a very sound foundation. It’s proven that the cost of responding to unanticipated problems is always much higher and more disruptive than the cost of implementing risk strategies that you planned in advance. Further, if you keep the scale and cost of your risk management efforts in proportion to the scale of the project and the risks you are avoiding, a risk management more than pays for itself.
Risk Management Plan in Practice
Project managers routinely feel a great deal of pressure to start work on a project quickly since many executives think a Risk Management Plan is simply bureaucratic paper shuffling processes with no real-world pay off. There is some truth to that assumption, particularly in bureaucratic organizations where any activity like risk management is an opportunity for more papers, more procedures and endless meetings. In addition, there is the fantasy that good project managers are good firefighters so spending time and money on risk management is a waste of both. When bad risks flare up; you just fight the fires. Project Risk Management
Risk Management: Risk Identification
Risk Management Plan for Three Different Sized Projects
Small Project Plans- Done within your organization for one manager or your boss. Medium Project Plans- Affects multiple departments within your organization or done for customers/clients. Strategic Project Plans- Affects the entire organization or its customers and has long term effects.
Risk Management Plan #1: Risk Assessment
Small Project Plans- You may limit the entire risk management effort to 30-60 minutes. The tasks are to identify risks and plan risk responses for 2-3 major risks. Medium Project Plans- You would add qualitative risk analysis on 10 to 20 significant risks. Perhaps you would do quantitative risk analysis on the 2 to 3 biggest risks. The aim of the risk analyses is to develop cost data as justification for your risk responses. Strategic Project Plans- The scale of the project and the consequences of failure justify an extensive Risk Management Plan. Spending several weeks and over $10,000 on risk analysis is routine. It is normal to hire outside experts to assess the risks quantitatively.
Risk Management Plan #2: Identify Risks
Small Project Plans- Risk identification could be done over coffee with the sponsor and a few key stakeholders identifying key threats and opportunities. Remember that not all risks are bad. Medium Project Plans- Risk identification is usually broken up by major project deliverables with separate groups working through the identification process for each. The project manager provides each group with the risk categories they should address. Strategic Project Plans- The project scale justifies the use of multiple teams with each assigned one or more categories of risk. These are grouped by risk type (regulatory, competitive, technological, etc.) or the risks associated with a specific deliverable (facility construction, systems development, personnel etc.).
Risk Management Plan #3: Qualitative Risk Analysis
Small Project Plans- None Medium Project Plans- Use qualitative analysis for all risks. Strategic Project Plans- Use qualitative analysis as a screening and prioritizing tool to identify risks with large expected value and to justify more expensive quantitative analysis.
Risk Management Plan #4: Quantitative Risk Analysis
Small Project Plans- None Medium Project Plans- Only for very significant risks or opportunities. Strategic Project Plans- Used to justify risk responses that cost a great deal of time or money.
Risk Management Plan #5: Risk Response Plan
Small Project Plans- Short statement of how you will respond to each risk if it occurs. Medium Project Plans & Strategic Project Plans- More detailed set of risk responses using one or more of the following strategies: avoidance, mitigation, transference or acceptance with a contingency plan. You may combine all four of these risk reduction strategies in sophisticated responses. You will implement careful monitoring of the project using risk triggers for early warning. Risk Strategy
Risk Management Plan & “Best Practices” In the Real World
A slow education process regarding the Risk Management Plan works best with executives. Savvy project managers make a case for doing a limited amount of risk management by using examples from previous projects where they could have avoided delays and cost overruns with some risk management. Wise executives respond well to those examples, particularly seeing data from previous projects. Even the most skeptical sponsor will usually listen to arguments about the risks’ damage to project completion dates and budgets.