Risk Management Basics
Neville Turbit - Project Perfect
So you have been asked to put together a project risk management
plan. No idea where to start. Here is a brief guide to putting together a
risk management plan.
Project Risk Management
A risk is something that may happen and, if
it does, will have a positive or negative impact on the
project. A few points here. "That may
happen" implies a probability of less than 100%. If it has
a probability of 100% - in other words it will happen -
it is an issue. An issue is managed differently to a risk
and we will handle issue management in a later white paper.
A risk must also have a probability above 0%.
There must be a chance it will happen or it is not a risk.
The second thing to consider from the definition
is "will have a positive or negative impact". Most people
dive into the negative risks but what if something goes
right?
Take the example I came across recently where we identified a
project finishing ahead of schedule as a risk. It might seem to
be a bonus but the completion date happened to occur at the busiest
time of the year for the company. The last thing they needed was
a project going live in their peak period. The mitigation was
that if we were ahead of schedule, we would slow the project down
by reducing resources.

Risk Management Plan
There are four stages to risk management planning. They are:
- Risk Identification
- Risk Quantification
- Risk Response
- Risk Monitoring and Control

Risk Identification
In this stage, we identify and name the risks. The best approach is a workshop
with business and IT people to carry out the identification. Use a combination
of brainstorming and reviewing of standard risk lists.
There are different sorts of risks and we need to decide on a project by
project basis what to do about each type.
Business risks are ongoing risks that are best handled by the business. An
example is that if the project cannot meet end of financial year deadline,
the business area may need to retain their existing accounting system for
another year. The response is likely to be a contingency plan developed by
the business, to use the existing system for another year.
Generic risks are risks to all projects. For example the risk that business
users might not be available and requirements may be incomplete. Each organisation
will develop standard responses to generic risks.
Risks should be defined in two parts. The first is the cause of the situation
(Vendor not meeting deadline, Business users not available, etc.). The second
part is the impact (Budget will be exceeded, Milestones not achieved, etc.).
Hence a risk might be defined as "The vendor not meeting deadline will mean
that budget will be exceeded". If this format is used, it is easy to remove
duplicates, and understand the risk.

Risk Quantification
Risks need to be quantified in two dimensions. The impact of the risk needs
to be assessed. The probability of the risk occurring needs to be assessed.
For simplicity, rate each on a 1 to 4 scale. The larger the number, the larger
the impact or probability. By using a matrix, a priority can be established.
Note that if probability is high, and impact is low, it is a
Medium risk. On the other hand if impact is high, and probability low, it
is High priority. A remote chance of a catastrophe warrants more attention
than a high chance of a hiccup.
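The two-part risk definition and the 1 to 4 rating can be kept together in a small risk register. The sketch below is an added example, not part of the original article: the scoring rule (impact counted twice, cut-offs at 6 and 9) is an assumption chosen only to agree with the two cases stated above, and the ratings in the sample workshop list are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    cause: str        # first part of the definition
    effect: str       # second part: the impact on the project
    impact: int       # 1 (low) to 4 (high)
    probability: int  # 1 (low) to 4 (high)

    def statement(self) -> str:
        return f"{self.cause} will mean that {self.effect}"

    def key(self) -> tuple:
        # Normalise case, spacing and trailing full stops so that the
        # same cause/impact pair raised twice in a workshop collapses.
        norm = lambda s: " ".join(s.lower().split()).rstrip(".")
        return (norm(self.cause), norm(self.effect))

def priority(risk: Risk) -> str:
    for name, value in (("impact", risk.impact), ("probability", risk.probability)):
        if not 1 <= value <= 4:
            raise ValueError(f"{name} must be 1..4, got {value}")
    # Assumed rule: impact weighs double, so a remote catastrophe
    # outranks a likely hiccup.
    score = 2 * risk.impact + risk.probability
    if score >= 9:
        return "High"
    return "Medium" if score >= 6 else "Low"

def build_register(raw: list) -> list:
    merged = {}
    for r in raw:
        kept = merged.get(r.key())
        # On a duplicate, keep the more severe of the two ratings.
        if kept is None or (r.impact, r.probability) > (kept.impact, kept.probability):
            merged[r.key()] = r
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(merged.values(),
                  key=lambda r: (order[priority(r)], -r.impact, -r.probability))

# Constructed workshop output; causes and impacts reuse the article's wording.
WORKSHOP = [
    Risk("Vendor not meeting deadline", "budget will be exceeded", 3, 2),
    Risk("vendor not  meeting deadline", "Budget will be exceeded.", 3, 3),
    Risk("Business users not available", "milestones not achieved", 1, 4),
    Risk("Project cannot meet end of financial year deadline",
         "the existing accounting system is kept for another year", 4, 1),
]

if __name__ == "__main__":
    for r in build_register(WORKSHOP):
        print(f"{priority(r):6} I={r.impact} P={r.probability}  {r.statement()}")
```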

Risk Response
There are four things you can do about a risk. The strategies are:
- Avoid the risk. Do something to remove it. Use another supplier, for example.
- Transfer the risk. Make someone else responsible. Perhaps a Vendor can
be made responsible for a particularly risky part of the project.
- Mitigate the risk. Take actions to lessen the impact or chance of the
risk occurring. If the risk relates to availability of resources, draw up
an agreement and get sign-off for the resource to be available.
- Accept the risk. The risk might be so small the effort to do anything
is not worthwhile.
A risk response plan should include the strategy and action items to address
the strategy. The actions should include what needs to be done, who is doing
it, and when it should be completed.

Risk Control
The final step is to continually monitor risks to identify any change in
the status, or if they turn into an issue. It is best to hold regular risk
reviews to identify actions outstanding, risk probability and impact, remove
risks that have passed, and identify new risks.

Summary
Risk management is not a complex task. If you follow the four steps, you
can put together a risk management plan for a project in a short space of
time. Without a plan, the success of the project, and your reputation as a
Project Manager, are on the line. Follow these steps and you will increase
your chances of success.