In my webinar on Risk Management I take a poll on whether people are doing Risk Management on their projects and find a surprising result.
Risk Management processes are only being consistently applied to projects about half the time.. How can this be?
I believe this is likely due to a combination of these factors:
- Risk Management processes are considered to be "bureaucratic", with more effort needed to carry them out than any benefit to be gained
- It is seen as too difficult to accurately identify project risks, their probability of occurrence or expected impact
- A Project Manager has no time at the beginning of a project to worry about future imaginary risks when there are real problems and issues to tackle.
Addressing risks before they occur is always going to be easier and less costly than waiting for them to happen first before addressing them.
- Identify project risks in Risk Workout sessions with your project team, client and other key project stakeholders.
- Use a Risk Checklist or Risk Breakdown Structure to ensure you cover all the key areas of potential risk on your project.
- Don't forget to identify Opportunities (risks with a positive impact) as well as Threats (risks with a negative impact).
- Use a simple Register to identify and easily manage and track your project risks through all four Risk Management stages.
- Estimate the Probability of Occurrence for each risk.
An easy way to do this is to decide:
- if the risk is not too likely to happen, use 0.3
- if the risk is quite likely to happen, use 0.8
- if you think it is somewhere in between, use 0.5 for the probability.
- Estimate the Expected Impact for each risk; i.e. how much is it going to cost to address this risk if it were to occur. This can be difficult to assess with any accuracy, so don't get hung up here. Use your team, client and subject matter experts to come up with an order of magnitude estimate (e.g. is it $500 impact, $5000 impact, $50,000 impact etc). It is far better to come up with rough estimates like this then to do no risk management at all, and essentially be saying that all potential risks will have zero impact and zero probability of occurring.
- The next step in the Risk Analysis stage is the easy part - calculate the Expected Monetary Value for each risk, using the formula:
Expected Monetary Value (EMV) = Probability of Occurrence x Expected Impact.
- Now sort all risks by the size of their Expected Monetary Value, keeping the Top 5 to 10 or so for your further action and delegating the rest for review and action by the appropriate project team members and stakeholders. You can vary the number that you are going to track, but don't try and track all the risks that are identified, or you will sink in the quagmire. The Pareto Principle will usually apply here - about 20% of the risks you identify will cause 80% of the expected $$ impact, so just focus on this top 20%.
If you use a spreadsheet for your Risk Register, the EMV can be automatically calculated and your risks can be readily sorted by EMV size.
Risk Response Planning
- Now determine with your team a suitable response for each of your top risks.
For threats, use any of the following strategies to address each risk (and use several, if appropriate):
- Avoid (take a different path, like the captain of the Titanic should have done)
- Transfer (e.g by insurance, or outsourcing)
- Mitigate (any solution that will lessen the probability and/or impact of the threat)
- Accept (normally not a good choice, unless the expected impact is small)
For opportunities, the strategies should increase the probability of occurrence and expected benefit, so would include, for example:
Make sure each of the selected strategies and actions have a person assigned to action them, with target dates for check-pointing progress or completion.
Risk Monitoring and Control
- On a regular basis, review your project Risk Register to update the status of all identified risks, remove any that are no longer applicable and add any new risks. This review can be incorporated into your weekly team meeting, or the action items can be transferred to your Project Schedule or Project Issues Log, depending on the nature of the planned actions.
- Major risks and related action items should also be tracked and reported on your Status Reports, Project Dashboard and at your Project Executive Steering Committee, to ensure they get the attention and support needed for their successful resolution.
In my next post, I will provide you with three very valuable Risk Management best practices, that together with the above Risk Management processes, will help you to successfully avoid those icebergs.
Webinar: Risk Management Made Easy
If you are interested in learning more about Risk Management processes and best practices, and also would like an Excel based Risk Register that you may use for all four stages of Risk Management, sign up for the recorded webinar APM05 "Risk Management Made Easy" at www.alphapm.com/webinars.