Project Risk Management: Don’t Risk Not Doing This!

by Shiv Shenoy

“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis”

– Dr. Michael Ong

What is risk?

A possibility of change in the expected outcome of a task or event implies a risk.

Every activity has an inherent risk in it. Even walking on the road has its own risks, like getting hit by a truck.

Simplest of the tasks on a project has risks. For instance, as release deadline gets closer project’s software architect may fall sick, thereby increasing the risk of delivery. Any of scope, cost, schedule and quality of the project may affected due to materialization of a risk.

On the day you wanted to buy that project management software, you come across a discount code that saves you 50% on the price! This is also a risk – although a positive one. Positive risk is called an opportunity.

If risk occurs on a project it may lead to a positive or negative impact on one or more of project objectives.

The goal of the project manager in Risk Management is to enhance the probability of occurrence and increase the positive impact of Opportunities, and decrease the probability of occurrence and eliminate or decrease the negative impact of Threats. This leads to achievement of project objectives.

There are “known unknowns” and “unknown unknowns” on a project. What does this mean?

“Known unknowns” are identified risks on the project.

If you have only one architect working on the project you know that if he has an emergency there is no one to fill in for him during his absence. Such risks cost you money when they materialize. This cost is covered from Contingency Reserves.

“Unknown unknowns” are those risks that you cannot proactively identify.

During project execution, your lead developer may find out that a piece of scope was never captured in the Requirements documentation. You cannot plan for these types of risks. When unknown unknowns occur, their cost is covered from Management Reserves.

Risk Tolerance

Every organization has some amount or risk tolerance. Degree or tolerance depends on factors such as nature and complexity of project, extent of rewards in the offering.

If you are building a nuclear reactor the amount of risk tolerance would be much lower, whereas you may exhibit more risk tolerance for a software product that is looking to time the market.

Here is an interesting way to learn that the concept of “known knowns, etc”, popularized in a response United States Secretary of Defense Donald Rumsfeld gave to a question at a U.S. Department of Defense (DoD) news briefing on February 12, 2002 about the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups.

I’d like to thank Jesse VanWay for this information! – Shiv

Risk attitude of an organization

The three concepts related to risks that an organization can exhibit –

Risk tolerance – amount of risk that organization can withstand before it reacts to take an evasive measure
Risk appetite – amount of risk the organization can afford to take in anticipation of reward
Risk threshold – the is the point of risk level at which organization decides whether to accept risk. Below threshold organization will accept risk, above threshold organization will not tolerate risk.

Project Risk Management Knowledge Area has 7 processes, 5 of them in planning process group alone!

Why?

Because, you prepare for a risk before you give it a chance to materialize. Most of risk related processes are executed in planning state before the actual project work starts. A risk involved with an activity has a chance of materialization the moment work is started!

Risk levels

There are 2 levels of risk.

Individual project risk – the impact of an individual threat or opportunity (negative or positive risk, respectively) is on one or more objectives of the project. Impact of this is usually lesser than the next risk level.
Overall project risk – this is the case where a risk if materializes will have catastrophic (for a threat) or magnanimous (for an opportunity) impact on the overall project. Sometimes the source of this could very well be an individual risk.

What activities are involved in risk management?

Planning The Management Of Risks is a project management activity to create a plan that identifies methods of managing risks, assigns responsibilities for people who handle risks, outlines risk budget, defines risk categories, and identifies probability and impact matrix.

Identifying Project Risks Proactively is the project management activity to come up with a register for all risks, known as Risk Register. This risk register contains list of identified risks, their sources, and potential responses.

Analyzing Risks In Qualitatively is the project management activity where risks in the risk register are ranked and prioritized based on urgency, probability of them coming true, and potential impact. These are based on subjective analysis, and so are quicker to do than the next project management activity.

Analyzing Risks In With Numerical Analysis is the project management activity where risks in the risk register are analyzed using statistical tools and their priorities are updated.

Planning Appropriate Responses for Risks is the project management activity for developing actions to enhance opportunities and reduce threats to project objectives posed by risks.

Implementing Identified Risk Responses is the project management activity for implementing risk responses quickly whenever they arise in the project. When opportunities arise we make most of it.

Monitoring Risks is the project management activity to actually implement risk response plans, track and monitor residual risks, and identify new risks.

How to deal with negative risks (or threats)?

Let us look at this with an example. Meeting with an accident is a real (negative) risk involved with driving a car.

How can one deal with it?

Escalate – out of my sphere of influence to handle. Refer to higher authority to handle the risk.
Avoid – just don’t drive the car at all.
Transfer – take an insurance. In case of an accident, at least financial losses will be covered.
Mitigate – regularly service the car, learn all the traffic rules and driving etiquette, and mitigate the risk of accident happening.
Accept – just don’t do anything about it. Drive without a worry in the world. If it happens, it happens.

For Negative risks you can Escalate, Avoid, Transfer, Mitigate or Accept;

For Positive risks you can Escalate, Exploit, Share, Enhance or Accept.

How to make the best of positive risks (or opportunities)?

A friend tells you about a piece of real estate available for purchase near an upcoming airport project. You feel that total amount to be invested is out of your reach. If you get to invest in it though, the price is expected to be doubled every year for next 3-4 years and it makes for a great investment opportunity right now.

What would you do?

Escalate – too big an opportunity to my ability to capitalize. Refer the opportunity to a builder, and work with him to get the deal. This may benefit in some way in future.
Exploit – invest all your savings, take up a loan. Go for it.
Share – team up with the friend who can invest partially and together buy the piece of land.
Enhance – go for aggressive bargain, offer all-cash-deal to get it if possible. Enhance the benefit of this opportunity.
Accept – show interest but don’t do anything actively. If the seller comes around for your price you will make the deal.

Exam pointer – This can go into the Brain dump you create a week before your exam. Expect few questions on risk management.

Next post: Risk Management Planning Is Crucial For The Project, Here’s How To Do It Right

Previous post: How to Plan Communications Management on Your Project?

{ 0 comments… add one }

You must log in to post a comment. Log in now.