One of the tasks of any project manager is the Risk Management process.
Risk management is a project itself, consisting of several phases:
- Identification – determine what events are risks to the project
- Assessment – determine the impact of the risks on the project
- Prioritization – determine in which order the risks will be addressed
- Monitor and report – watch and report on the effectiveness of the risk mitigation
A big challenge is putting a value on potential project risks to determine the impact on the overall project.
Identifying the Types
Risks come from a variety of sources including:
- Financial instabilities
- Natural disasters
- Legal liabilities
- Competitor competition
- Ineffective collaboration
- Inclement weather
- job site theft
Basically, a risk is defined as anything which, if it should happen, would negatively affect a project’s schedule or budget.
Effective risk management is the identification of the most probable events that will impact the project. Once that list is created then an assessment of the level of impact on the project can be done.
To be most effective, risk management will address risks in the order of highest probability and highest impact down to those with the lowest probability and impact. In fact, risk management can itself have a high impact on a project. Assigning resources to work on risk management and mitigation takes them away from other productive areas of a project.
Understanding the various ways to address risks can help in determining the potential impact and the amount of time to spend analyzing the risk.
Dealing with Risk Issues
The typical ways of dealing with project risks include:
- Avoidance – don’t do something which might incur the risk
Donating to a PAC may incur a conflict of interest when working on a government contract
- Reduction – minimize the risk
Make sure that less than 10 percent of the executive board travels to a country that is in a conflict at the same time
- Sharing – divide the risk with others
Work with multiple contract vendors to employ resources
- Retention – take responsibility for and plan for in the project
Build “bad weather days" into the work plan
Assessing the Impact
A good starting point is to decide the probability of an event happening.
- The probability of the loss of work days due to heavy snow on a project in Denver, CO in December is very high.
- The probability of the loss of work days due to a 7.0 earthquake during a project in Kansas City, MO is very low.
Next, we work down the list starting at the highest probability to lowest. Note that in the above examples, the lowest probability has the highest impact. However, we are more concerned with the “feasible" versus the “theoretically possible" risks.
Now we take each task and make a judgement as to the level of impact that it will have on the project. Sometimes we have past history to refer to. Other times we must rely on our common sense. We also take into account our options for addressing risks (from above).
So, using the Denver snow days example, our loss of work days due to snow could have a:
- High impact – there is no easy way to absorb this risk into the plan so it will be very negatively affected
- Medium impact – we can adjust the schedule and resources so as to keep the project on track
- Low impact – we don’t need to do anything because the plan has sufficient contingency already built into it
Categorizing risks this way helps to communicate the impact of risks without having detailed data to show.
The next challenge is to provide some kind of statistics for those highly probable tasks to help determine which approach to take to address them. When there is no history available in which to compare events, this becomes quite difficult.
For areas considered “intangible assets," such as intellectual property, this is most challenging.
Consider answering this question during a project stakeholder meeting, “What would the dollar impact be should our competition infringe on our latest patent for a cheaper, faster microprocessor chip?"
Sometimes our best input to the process is an “educated guess" and whatever statistics we have available that are even remotely related to the risk.
For less daunting risks, we do have a formula to communicate the overall impact of a risk on the project:
The probability of the occurrence times the impact of the event equals the overall risk.
Again for our snow days example:
The number of anticipated snow days times the dollars and time lost with each snow day equals the impact on the project schedule and budget.
With this we are able to communicate some type of measurable impact on our project by the risk being assessed.
The assessment of a risk may not give us a concrete value to work with. We may have to deal with an impact of “thousands of dollars" or “weeks of delay on the schedule". We at least will have a level of magnitude to which we can apply one of our methods.
If the method we choose reduces the magnitude of impact then we know that we are on the right path.
Risk management is complex and often an inexact science. Too little risk management may miss key risks. Too much can negatively impact the project itself.
Assessing the impact of risks quickly, putting a value on potential project risks, communicating some level of magnitude, and offering options to address the risks are important skills for the project manager.
- Us Dept of Commerce, National Institute of Standards and Technology, “Risk Management Guide for Information Technology Systems", July 2002, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
- Image Credit: Risk Management Elements – Wikimedia Commons/Defense Acquisition University Press, 2001/ Public Domain License