Risk management strategy
“When trouble is sensed well in advance in can be easily remedied; if you wait for it to show itself any medicine will be too late because the disease will have become incurable. As the doctors say of a wasting disease, to start with it is easy to cure but difficult to diagnose; after time… it becomes easy to diagnose but difficult to cure.” (Machiavelli, 1514) [1]
When dealing with a project, uncertainties are to be expected, whether the project is influenced by external or internal factors. If an unexpected event turns out to be harmful to the project it is in general terms considered to be a risk. A risk can be defined as the product of the probability of the risk and the impact of the risk. Should a problem be very likely to happen, but have a little or no impact on the project there is little reason in prioritizing the mitigation of the problem. For a problem having a high impact, but very low probability the need to mitigate this problem is likewise not a priority. The impact of a risk is however more severe than the probability. For instance are smaller injuries, which happen often, easier to accept than heavier injuries, which happen more seldom. The probability of a problem should however not be neglected. A common way to illustrated this is by playing a small game:
In the construction business many factors must by in order for the project to move forward. Six people are given a dice and a problem. Whenever a person rolls a 1 a problem has occurred which delays the project. Thus the probability of a problem happening is 1/6. The probability of no problem happening is:
This means that only a third of the time, the project will progress.
A useful risk management strategy comprises of the following steps:
- Identify - Potential risks are identified.
- Analyze - Identified risks are rated, related to probability and impact.
- Assess - Analyzed risks are ranked and compared to each other to determine which risk to handle first.
- Process - Solutions are found to counter effect the risks.
- Monitor - During the project lifetime, identified risks are monitored and new, potential risks are identified.
This article will examine ways to do a successful risk management.
To help understanding the risk management processes a example has been made to illustrate each chapters subject.
Contents |
Example
Hidden text
Definition of Risk
PMBOK defines a risk as: "An uncertain event or condition that, if it occurs has a positive or negative impact on one or more project objectives such as scope, schedule, cost and quality" [2].
Risk identification
During the risk identification, a project is scrutinized for potential risks. During the scrutinisation experience is a good asset when determining the potential risks, but other methods do however exists. Risk identification is the simplest of the risk management steps, since it only requires the project group to think of possible threads and opportunities. Risk identification is however the most important step and should be repeated iterativly during the project lifetime to ensure the safety of the project.
Identification methods
Instead of relying on experience and common sense, when determining the possible risks, taxonomy-facilitated brainstorming Cite error: Closing </ref> missing for <ref> tag is to ask "What could go wrong?", and answer it when relating to the following subjects:
- Current and proposed staffing, design, process, resources, suppliers, dependencies, operational employment, ect.
- Monitoring test results
- Reviewing shortfalls against expectations
- Analyzing negative trends
Example:
Hidden text
Risk analysis
With the risks identified it is now possible to do a risk analysis.
Remember ref
Uncertainty factor | Associated question to be answered |
---|---|
Uniqueness | Is this risk issue unique or new compared to risks that have occurred in other projects? |
Cross-cutting Character | Does this risk issue affect a large number of functions, hardware elements, software elements, or procedures and/or have the potential to cross organizational lines? |
Complexity | Does this risk issue involve complex interactions between or among hardware elements, software elements, organizations, and/or individuals? |
Propagation Potential | Could this risk issue lead to a propagation of events that could result in more severe consequences than the immediate events caused by the risk? |
Detectability | Is there anything that inhibits the ability to detect the full extent of the risk and track its progress? |
Probability level | Likelihood | Probability |
---|---|---|
1 | Not likely | ~10% |
2 | Low likelyhood | ~30% |
3 | Likely | ~50% |
4 | Highly likely | ~70% |
5 | Near certainty | ~90% |
Impact level | Technical performance | Schedule | Cost |
---|---|---|---|
1 | Minimal or no consequence to performance | Minimal or no impact | Minimal or no impact |
2 | Minor reduction in performance or supportability | Able to meet key dates | Budget or unit production cost increases. <1% of budget |
3 | Moderate reduction in performance or supportability with limited impact in objectives. | Minor schedule slip. Able to meet key milestones woth no schedule float. | Budget or unit production cost increases. <5% of budget |
4 | Significant degradation in performance or major shortfall in supportability. May jeopardize succes. | Critical path affected | Budget or unit production cost increases. <10% of budget |
5 | Severe degradation in performance. Will jeopardize succes | Cannot meet key milestones | Exceeds threshold >10% of budget |
Example
Hidden text
Risk assessment
Methods to assess identified risks.
Risk processing
Methods for mitigating an identified risk
When the risks have been determined and assessed, it will be natural to determine what to do. Below is a list of responses and possible solutions to use depending on the probability and impact of the risk.
Accepting the risk
Whether the risk is harmful or not, if the probability is low there is no need for doing anything to mitigate it. The occurrence of the event opposed to price of mitigating it will mostly be always turn out to too expensive. Should a benign risk with a high impact and high probability be determined for a project, then this too should also be accepted, since it is very likely to happen.
Mitigating the risk
Malignant risks with low impact, but a frequent occurrence should be mitigated. This is done by making contingency plans, investing in safety equipment and other actions which can lower the probability and/or impact.
Transfer the risk For malignant risks, with a low probability, but high impact, the most reasonably course would be to transfer the risk to someone else. This can be done by outsourcing the risky parts or by buying insurance in case the risk happens.
Avoid the risk
Should a risk be harmfully serious and very likely too happen, no insurance company will help. These occurrences should be avoided at all cost. This can be done in numerous ways depending on the risk. The safest way to avoid the risk is to change the part of the project which is in danger. If this is not possible, then the project should either be canceled or delayed until the risk no longer is probability or impact has lessened.
Researching/nurturing the risk
In the rare cases where a benign risk will have a major impact on a project, but not likely to happen, the risk should be further researched, leading to ways to improve the likelihood. It goes without saying that the cost of implementation should not be larger than the potential gains. If the research proved fruitful the risk should be nurtured to a more probable level.
Harmful risk - responses:
- Avoid: For high probability, high impact
- Transfer: For low probability, high impact
- Mitigate: For high probability, low impact
- Accept: For low probability, low impact
Useful risk – responses:
- Accept: For high probability, high impact
- Research: For low probability, high impact
- Accept: For high probability, low impact
- Accept: For low probability, low impact
Example:
Hidden text