Risk Management is about identifying methods of identifying and managing risks, analyzing risks, assigning responsibilities for people to handle risks, outlining risk budget, defining risk categories, creating probability and impact matrix, and identifying risk responses.
As a planning activity this process is carried as early in the project as possible, and then revisited regularly.
Simply because if you look at the risk management processes, 5 out of 7 processes are in the planning phase. Which means a lot of thought has to go into planning for risk management at the planning state itself.
And in order to do this, the project manager should start looking at all aspects of the project – right from project charter to stakeholder list to business case. In fact the risk management is to be thought about right when the project is conceived.
If you were to plant a sapling, you’ll think of all possible ways it can be troubled – from kids stomping accidentally to farm animals eating it. Similarly as soon as the project is conceived the project manager should start thinking about ways harm can come in its way.
OK, I’m convinced. What’s the right way to do this?
Great! The process itself is quite simple. This is about outlining mechanisms of identifying and managing risks and risk responses on the project.
What do we need?
Project charter – all high-level information you need such as requirements, milestones, assumptions, and constraints are available in this document. Each of these could be a source of risk, and needs to be studied carefully.
Project plan, of course – risks need to be analyzed in all activities of the project, which means that you need to study baselines and subsidiary management plans such as for cost, schedule, scope and quality. For the initial rounds though you go with whatever is available.
Stakeholder register – this document contains information such as role, interests and level of influence of stakeholders.
Every organization defines risk thresholds. That is, how much of a risk – in terms of cost incurred – can you assimilate before you start implementing risk responses.
It is important for the project manager to understand this before embarking on risk planning exercise.
Also, there are few things that give the PM a head start – risk management plans from previous projects and available templates. Some of the readily available artifacts may be predefined risk categories, formats for reports and statements, risk register, and risk terms. All these from organizational process assets.
And don’t forget lessons learned from the repository. That has a wealth of knowledge that can save the project manager from many a traps.
How easily can this be done?
Involve experts – this one technique employed at planning stage can help save a lot of time, energy and resources at later point in the project. Not to mention heartaches.
Stakeholders, team members who have worked in similar projects earlier, subject matter experts (SME), consultants, industry experts, consultants, and even senior management people in the organization can contribute in risk management planning.
Lot of risk can emanate from stakeholders (remember the definition of stakeholder is someone that is positively and negatively impacted by the project, or even those that think that they are impacted!) Hence Stakeholder analysis is also a key factor in risk planning.
You meet up with a lot of these people, and each meeting is a golden chance to bring about as many ideas as possible. Managing meeting effectively would be helpful for all involved.
What is a risk management plan?
Risk management plan describes how risk management is going to be structured and performed on the project.
Risk management plan is a subset of project management plan. It is a subsidiary plan just like other plans considered as inputs to this process. Which also means that any change to risk management plan is to be driven via change control process.
This plan gives you the methods to identify, assess and manage risks, and contains following components –
- Roles and responsibilities of team members for conducting each activity defined in the plan
- Risk management budget and funding, when and how should it be used on the project on realization of risks
- Probability and impact matrix gives you a feel of the impact on project objectives when a risk materializes. Based on the probability and the impact on project objectives scale of a risk is decided. Scale is defined relatively (low, medium, high) or numerically (a value from 0 to 1).
- Stakeholder’s tolerance decides how much of a risk can be absorbed without impacting project objectives. For instance, how long can you afford to wait before it impacts schedule when one of the critical developers falls sick – defines risk tolerance on schedule.
- Risk categorization framework such as risk breakdown structure (RBS), like the one below that Kathy used on her landscaping project
Figure: Risk Breakdown Structure
- How should outcome of risk management process are documented and communicated is driven by which reporting format is to be used.
- Risk tolerance & risk appetite of stakeholders
- Format for risk management outcome reports to be used for communicating to stakeholders
- Definition of risk probability and impact, and the actual matrix for qualitative risk analysis. A sample risk probability and impact matrix is given below –
Figure: Sample probability and impact matrix
Risk Management plan is an important subsidiary plan of Project plan, and can be prepared much easily be banking on existing templates or sample plans in the organizational process assets. This exercise itself gives insights into some of inherent risks in the project, and sort of feeds on into next process – Identifying Project Risks!