Saturday, January 30, 2010

Risks Management Plan

"Risk Management" is the art and science of thinking about what could go wrong, and what should be done to mitigate those risks in a cost-effective manner.

A Risk Management Plan is a document prepared by a project manager to foresee risks, to estimate the effectiveness, and to create response plans to mitigate them. It also consists of the risk assessment matrix.

“There are known knowns;

there are things we know that we know.

There are known unknowns;

that is to say, there are things that we now know we don’t know.

But there are also unknown unknowns;

there are things we do not know we don’t know. ”

- United States Secretary of Defense Donald Rumsfeld


Risk Definition

A risk is a potential problem, a situation that, if it materializes, may adversely affect the project. Risks that materialize are no longer risks; they are problems. All projects have risks, and all risks are ultimately handled:

  • Some disappear
  • Some develop into problems that demand attention
  • A few escalate into crises that destroy projects

The goal of risk management is to ensure that risks never fall into the third category.

“If you don't attack the risks, the risks will attack you!”

- Unknown author


Common Risks

The list of common risks that most projects will encounter forms a starting point for developing a catalog of risks. However, the list is not exhaustive; most project managers will find several more risks that they can add, and project experience will tend to increase this number. When you are assessing the risks for your projects, always refer to a list such as this. Otherwise, you run the project management risk that not all project risks are identified.

Staff Risks
- Key staff will not be available when needed
- Key skill sets will not be available when needed
- Staff will be lost during the project
Equipment Risks
- Required equipment will not be delivered on time
- Access to hardware will be restricted
- Equipment will fail
Client Risks
- Client resources will not be made available as required
- Client staff will not reach decisions in a timely manner
- Deliverables will not be reviewed according to the schedule
- Knowledgeable client staff will be replaced by those less qualified
Scope Risks
- Requirements for additional effort will surface
- Changes of scope will be deemed to be included in the project
- Scope changes will be introduced without the knowledge of project management
Technology Risks
- The technology will have technical or performance limitations that endanger the project
- Technology components will not be easily integrated
- The technology is new and poorly understood
Delivery Risks
- System response time will not be adequate
- System capacity requirements will exceed available capacity
- The system will fail to meet functional requirements
Physical Risks
- The office will be damaged by fire, flood, or other catastrophe
- A computer virus will infect the development system
- A team member will steal confidential material and make it available to competitors of the client
Schedule Risks
- Wrong time estimation
- Resources (staff, systems, individual skills, etc.) are not tracked properly
- Failure to identify complex functionalities and time required to develop those functionalities
- Unexpected project scope expansions
Budget Risks
- Wrong budget estimation
- Cost overruns
- Project scope expansion

Risk Management Process

There are four steps to managing risks:

[Figure: risk management process]

Risk Identification

Although all projects are different, the same risks, those listed in the common risks list, tend to recur. In identifying the risks for a project, you must continually ask, “What can possibly go wrong?” If there is one risk that is universally the most dangerous for all projects, it is the following:

Corporate management views the project manager’s risk analysis as alarmist and will not take the risks seriously until they materialize.

The only way to mitigate this risk is to document all other risks, identify the actions you take, and keep the management informed, especially as the risk becomes more probable. It is only by stressing your risk analysis, by making explicit recommendations, and by insisting that management understand the risks that you can avoid having to say, “See, I told you so.”

Risk Categorization

There are numerous statistical methods for defining the degree of risk, but the simplest categorization, and therefore the most effective, is to describe risks as extreme, high, medium, low, or minimal. This process is called the Qualitative Analysis of the risk.

The degree of risk depends upon two characteristics:

  • Probability: that the risk will occur
  • Impact: on the project if it does

Probability and impact are both categorized as high, medium, and low, and their relationship indicates the degree of risk.

The estimates of probability and impact are completely dependent upon subjective estimates. This means that if an estimator is unskilled or inexperienced, the estimates will be inaccurate. If the project manager is not confident in the estimator’s judgments, then subject matter experts from other projects should be invited to participate in the qualitative analysis process.

Consider two risks: that a team member will resign during the project and that a fire will consume the office, destroying the installation and all the work that has been done. Both risks are of medium degree. In the first case, although the probability is high, the impact is low: You assume that the team member will give adequate notice and can be easily replaced. The second risk has a high - in fact potentially devastating - impact, but the probability is low and the risk is easily mitigated by ensuring proper off-site backup.

You categorize risks so that you can identify those that are the most dangerous and require the most attention. It is the extreme and high risks that need your attention first.

Once the qualitative assessments of project risks are completed, the estimates can be examined to determine the magnitude of the risks: Quantitative Analysis. A technique to consider the risk probability and risk impact is to multiply the risk probability by the risk impact on a scale from 1 to 5 and then transform it to a percentage value from the project’s estimate:

RiskEquation

Risk Mitigation

You mitigate a risk by reducing its probability, its impact or both. Since every project is unique, so are the mitigation actions. Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

  • Risk avoidance: Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane will be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning the profits.
  • Risk reduction/mitigation: Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
  • Risk transfer: Means causing another party to accept the risk, typically by contract. Insurance is one type of risk transfer. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is very often transferred this way.
  • Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
  • Risk acceptance/retention: Involves accepting the loss when it occurs. True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example since most property and risks are not insured against war, so the loss attributed by war is retained by the insured. Also any amount of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.
  • The Aggressive: Exploit: Strategies for linking risk and opportunity also lists a fifth strategy as a possible option: Exploit. That is, actively seeking out risk in order to gain competitive advantage, since risk does not always carry a negative connotation, but can also lead to beneficial results, depending on the outcome.

The difference in seconds between 10:55 and 10:54 can vary from 1 to 119 seconds; it depends on how and when we look at it.

  • The Don’t want to know about it: Ignore: Tomlin (2006), in his research, found a “see-no-evil-hear-no-evil”-strategy amongst the businesses he investigated. He discovered that many businesses willingly overlooked the risk they were exposed to, an approach he labeled Ignore, a kind of misunderstood Accept, perhaps?

Ideal use of these strategies may not be possible. Some of them may involve tradeoffs that are not acceptable to the organization or person making the risk management decisions.

The four strategies (Avoid, Reduce, Transfer and Accept) are important as hands-on and easy to understand basic approaches towards dealing with risk. Adding Exploit adds the dimension of ‘positive’ risk, while adding Ignore adds a notion of unwillingness to deal with risks. These six approaches are oversimplified and do not show the full spectrum of risk management strategies, but they can help in setting up a basic framework for risk management.

Risk Management

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement.

There are many different types of software you can use to track risks, ranging from a simple spreadsheet to a complex database.

Creating a practical risk management plan is straightforward in concept, if not in execution. Prepare a table with the following seven columns:

  1. Risk Factor: List anything you can think of that could cause substantial harm to your business.
  2. Type: Assign the risk to one of the categories described above, e.g. market risk, competitive risk, technology & operational risk, etc. Assigning a type can suggest who might be best qualified to manage that particular risk (for example, your CFO might be responsible for looking after your firm's financial risks).
  3. Probability: Think of the relative likelihood of manifesting this particular risk factor.
  4. Impact: Describe what would happen to the company if this risk factor manifests itself.
  5. Mitigation Tactics: List the things you can do to either reduce the likelihood or minimize the impact of the consequences if this risk factor manifests itself. Note that just because a tactic is available, it doesn't mean you should employ it.
  6. Mitigation Costs: For each mitigation tactic, think about the implementation cost.
  7. Status: Once you have assembled the first six columns, you need to decide which mitigating tactics, if any, you need to implement. Your choices will depend on your personal risk tolerance – there's no right or wrong answer. Whatever actions you do take, you should document them in the Status column of your risk management plan.
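The seven-column table and the qualitative categorization described earlier can be kept as a small scripted register. The following is an added example, not part of the original post: the probability/impact mapping is an assumption (the page's matrix image is not available) chosen so that the two worked risks above, the resignation and the office fire, both come out as medium, and the field names, costs and the last two ratings are constructed.

```python
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}
# ASSUMPTION: the original matrix is not on the page. Summing the two levels
# yields the five degrees the text names and reproduces its two worked cases.
DEGREE_BY_SUM = {2: "minimal", 3: "low", 4: "medium", 5: "high", 6: "extreme"}
RANK = ["extreme", "high", "medium", "low", "minimal"]

@dataclass
class Risk:
    factor: str                                  # column 1: Risk Factor
    risk_type: str                               # column 2: Type
    probability: str                             # column 3: low / medium / high
    impact: str                                  # column 4: low / medium / high
    tactics: dict = field(default_factory=dict)  # columns 5-6: tactic -> cost
    status: str = "not yet decided"              # column 7: Status

    def __post_init__(self):
        # Reject ratings outside the three-level scale instead of mis-scoring.
        for name in ("probability", "impact"):
            if getattr(self, name) not in LEVEL:
                raise ValueError(f"{name} must be one of {sorted(LEVEL)}")

    @property
    def degree(self) -> str:
        return DEGREE_BY_SUM[LEVEL[self.probability] + LEVEL[self.impact]]

    @property
    def mitigation_cost(self) -> float:
        return sum(self.tactics.values())

def prioritise(register):
    """Most dangerous first; equal degrees ordered by cheaper mitigation."""
    return sorted(register, key=lambda r: (RANK.index(r.degree), r.mitigation_cost))

def needs_attention_first(register):
    """Factors rated extreme or high, which the text says to handle first."""
    return [r.factor for r in prioritise(register) if r.degree in ("extreme", "high")]

# Constructed sample register; risk factors are taken from the common risks list.
REGISTER = [
    Risk("Team member resigns", "Staff", "high", "low", {"cross-train a backup": 2000}),
    Risk("Fire destroys the office", "Physical", "low", "high", {"off-site backup": 1500}),
    Risk("Technology is new and poorly understood", "Technology", "high", "high",
         {"prototype early": 8000}),
    Risk("Computer virus infects the development system", "Physical", "medium", "high",
         {"endpoint protection": 1200, "restore drill": 600}),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.degree:8} {r.risk_type:11} {r.factor} (cost {r.mitigation_cost}) [{r.status}]")
```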

Results of Risk Control

  • The project status is known
  • Corrective action has been taken
  • The risk management plan has been updated
  • The budget (including contingency and reserve) has been updated
  • The schedule has been updated
  • Lessons learned on the project with respect to the particular risk(s) have been prepared and disseminated