Kathy from earlier Landscaping project example, should think about stuff like –
- what if there is torrential downpour on the day jogging tracks are laid?
- what if large amount of exotic plant saplings die within first 2 weeks due to unfavorable soil or weather condition?
- what if the lone designer on the team quits halfway through the project?
In this process you think of ways to reduce threats and enhance opportunities to project objectives.
Where do we start?
The risk register, obviously. That is where all risks are listed. We also look at the risk management plan, which talks about methods of managing risks, responsibilities for people who handle risks, outlines risk budget, defines risk categories, and identifies probability and impact matrix.
How do we go about planning?
What are Secondary risks and Residual risks?
In few cases applying these strategies can lead to introduction of few other risks – these are called secondary risks.
Secondary risks should also be considered and added to the risk register. Usually project management would include a risk contingency reserve. While listing risk responses you would need to see if any of them may possibly invoke this contingency reserve.
Sometimes few risks remain even after figuring out risk responses. These are called residual risks.
Strategies for negative risks or Threats
We saw this briefly in the lesson on introduction to Risk management knowledge area. There are four ways to deal with threats. Let us look at them with an example.
Meeting with an accident is a real risk involved with driving a car. How can one deal with it?
- Avoid – change project plan, adjust one or more project objectives such as reducing scope or changing schedule to avoid a risk.
For our example, this would mean not driving a car at all.
- Transfer – transfer some or all of the risk, and ownership of response to a third party.
This comes at a premium however. If it is a work that a third party vendor has expertise in, it is wise to sign a contract and transfer the responsibility and risk of the work.
For our example, this would amount to taking an insurance. In case of an accident, at least financial losses will be covered.
- Mitigate – is about reducing the probability of risk by taking certain actions in advance. It could be measures like adding more tests around the hi-risk areas, making simpler designs, reducing complexity of components, having development checklists, or assigning best resources for developing risky modules/parts.
For our example, regularly servicing the car, learning the traffic rules and driving etiquette, not consuming alcohol while driving 🙂 and driving within prescribed speed limits would help mitigating the likelihood of accident to some extent.
- Accept – at times there is nothing one can do to avoid risk and project management team decides to deal with it if and when it occurs. Passive acceptance would be doing nothing about it at all. Active acceptance would be allocating specific contingency cost, schedule, resource budget for such risks.
For our example, this would be just not doing anything about it. Drive without a worry in the world. If it happens, driver’s driving instincts may save the day. Wear seat-belts.
Strategies for positive risks or Opportunities
Taking most benefit from a positive risk, or opportunity, is as important as dealing with negative risks on a project. From overall project perspective such benefits may negate some of the damage caused by risks that do materialize.
A friend tells you about a piece of real estate available for purchase near an upcoming airport project. The total amount to be invested is out of your reach. If you get to invest in it, the price is expected to be doubled every year for next 3-4 years and it makes for a great investment opportunity right now. What would you do?
- Exploit – plan in such a way that you remove all uncertainties and make sure that this risk happens for sure. Example of exploiting a risk on project could be creating vacancy for getting that star performer who is just coming out of another project.
For our example, take all your savings even take up a loan if necessary. Go for the investment.
- Share – share with a third party and get some of the benefits of this opportunity.
For our example, team up with the friend who can invest partially and two of you together buy that piece of land.
- Enhance – doing all that is possible to increase likelihood of this risk materialization.
For our example, go for aggressive bargain, if possible offer all-cash-deal to get it.
- Accept – just like one of the responses for negative risk, this is just not doing anything actively to pursue the opportunity but being prepared to take the benefit if it materializes.
For our example, show interest but don’t do anything actively. If the seller comes around for your price you will quickly complete the deal before seller changes mind.
If you need a mnemonic to remember strategies for positive and negative risks, consider this –
“Negative ATMA, PositivE SEA”
Strategies for negative risks are Avoid, Transfer, Mitigate and Accept; for positive risks they are Exploit, Share, Enhance, Accept.
What’ll we plan out?
Project plan is updated since risks impact project objectives, risk mitigation strategies may have an impact on these objectives. Hence cost, schedule, quality, procurement, human resource management subsidiary plans might be updated to accommodate risk responses. Cost, Scope and Schedule baselines also might be updated. In some cases updates to work breakdown structure is possible.
Any changes to plans need to go through change control process. Hence after risk planning you may need to call for a meeting with change control board presenting all these changes.
Several documents can possibly be updated including –
- Risk register – all potential responses identified for each risk are added to the risk register. Secondary risks – ones introduced due to application of a risk response – are also added. Residual risks – ones remaining even after applying risk responses – are added too. Risk response owners, their responsibilities, categories, priorities are other data added to the risk register.
- Assumption logs – risk responses will bring in clarity on some of the earlier assumptions
- Change requests – as mentioned earlier changes to project plan or baselines need change requests to be raised and run through change control process
A sample risk registered might look like the one below at this stage –
Figure 1: Updated Risk Register
Planning responses for risks is the last an exhaustive one. Spending as much time and effort as required on this process would yield rich returns for the project. Knowing that you have all the bases covered, would also give you that much more confidence as a project manager.