Thursday, March 26, 2015

The Risk Management Process

The Risk Management Process
An easy way to understand risk management is to think of the process as a series of sequential steps that need to be repeated over and over during the course of a project. The image below shows this process cycle:

The Risk Management Process is comprised of six sequential steps repeated on a regular basis during the lifetime of a project.
  1. Identify Risks. In this first step of the process, the project team systematically identifies as many potential risks, events, factors, and other items that threaten the success of the project (I.e, its scope, quality, budget, or schedule). The goal of this process step is to create a master list of all potential risks to the project. 
    • Multiple methods are used to identify the risks, including brainstorming, systematic methodologies, and gleaning experience from other similar projects and outside experts.
    • Risks identified should include programmatic, technical, external, corporate, and other types. I.e., these are not just one type, such as technical. Instead, the goal is to find all types of risks that threaten the project in any manner.
    • Risks that are similar to each other are sometimes rolled up into single combined risks. High-level categories are then used to group individual identified risks together into broader logical areas. Frequently, these categories are the higher level WBS areas of the project, but they may include other categories, too.
    • The first time through the entire cycle, the result of this Identify step should be the creation of a preliminary risk register that contains all identified risks. Often this is created in a spreadsheet format. In future passes through the process cycle, new risks are identified during this step.
  2. Analyze & Prioritize Risks. In this second step of the process, an analysis of each identified risk from the previous step is performed. This is done is two parts. the first analysis performed is qualitative in nature, and helps create an initial sorting or “triaging” of the list into a prioritized ranking. Then a more formal quantitative analysis is performed on the higher level risks that are identified.
    • A qualitative likelihood (I.e., probability) of each identified risk is estimated; i.e., low, medium, or highly likely. This is a subjective analysis to initially just categorize each risk.
    • A qualitative assessment of the impact of each risk is also performed. This is essentially the “damage” that will result if the risk is triggered and becomes an actual issue. Typically, three subjective categories are used to categorize the impact of a risk: low, medium, or high impact. 
    • The initial qualitative assessment of likelihood and impact are then plotted on a risk priority matrix, which helps determine the “seriousness” of each risk. This helps focus your attention on the more important risks, and not waste time or effort analyzing less serious or less important risks. For example, a risk that has a high probability of occurring, but a very low impact, might be considered to be of lower overall importance to a medium probability risk that has a high impact.
    • Each risk element in the risk register is updated with this seriousness ranking. The risk register can then be sorted on this factor, allowing the project management team to focus its efforts appropriately.
    • Frequently, the more serious risks are then further analyzed, with more objective quantitative evaluations of probability and impact. An expected cost of each risk can be estimated by multiplying the probability of a risk by its impact.
    • Trigger dates for each risk in the risk register (or at least the more serious risks) are also identified.
    • The first time through the cycle, the result of this Analyze and Prioritize step should be that the risk register is updated to include probabilities, impacts, trigger dates, and expected costs as required for all risks.  In future iterations through the risk management process cycle, new identified risks are analyzed and prioritized during this step, and the risk register updated accordingly.
  3. Plan Responses. In this step, responses are developed for the various risks in the risk register. These responses are essentially the individual plan or plans that you, the project manager will implement to minimize the likelihood and/or impact of each significant risk.
    • The threshold for developing formal responses is frequently determined by way of the seriousness ranking of the individual risks. 
    • For risks above this threshold, formal risk responses are developed by the project team. These responses usually employ one or more standard techniques, such as avoidance, contingency draws, mitigation, risk transfers, or even just acceptance and monitoring of the risk.
    • There can be more than one response plan identified for a single risk. These responses might be applied in parallel or serve as backups to one another.
    • At this point, contingency reserve budgets are also often created (or at least informed) from the expected cost estimates in the risk register. Some projects use the risk register as a list of liens against the contingency budget to help ensure that adequate funds are available to address the more serious and/or costly risks.
  4. Monitor Risks. Once the risk register is complete, the role of project management is to monitor the individual risks contained therein and update it accordingly. It’s often very important to address an issue as soon as it arises, immediately applying the appropriate risk response plan.
    • A regular schedule of systematically and formally reviewing the status of each risk in the register is implemented during this step. This evaluation includes assessments of probability, impacts, seriousness, trigger dates, and response plans. As projects evolve, it’s very easy to let the risk register “go stale” and assume that the state of the project risks last month or quarter is still valid this month or quarter.
    • Risks can be retired during this monitoring phase, often as a result of a trigger event or date occurring without the risk being realized.
  5. Execute Responses. If/when a risk is realized, it is no longer technically considered to be a “risk,” but instead is now referred to as an “issue.” The previously identified response to that risk (or a variation of it) is implemented in this step.
    • Occasionally, some risk response plans include proactive approaches like buying insurance prior to a risk becoming an issue. These plans are executed at this step in the process.
  6. Communicate with Stakeholders. A primary role of Project Management is communicating to key stakeholders the the status of project risks, their collective cost/schedule/quality/scope exposure, response plans, and the resolution of issues as they arise. As the project progresses, the communication step includes a description of changes and the addition and subtraction of new risks to the register.
  7. Repeat. A key aspect of this Risk Management process is its continuous nature. Said another way, once the initial risk register is created and in place, your job as project manager is not over. The secret to success is repeating the steps of the cycle on a regular cadence, adding new risks as they arise, retiring expired risks, and continuously updating the risk register and communicating its status to stakeholders. The goal is to stay ahead of risks, before they overtake you and your project.
Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)