Risk planning & risk management (RM)

Acknowledgements to Euan Wilson (Staffordshire University)

Project risk

• all projects involve risk

• risks stem from work nature

• not practical to eliminate risk

• not desirable to eliminate risk

• acknowledge risk existence

• methods to handle risk

Risk management

• increasingly important– greater complexity levels– vastly varying skill & technology– interdependency

higher level of project uncertainty

Risks to projects

• strategic– abandonment– massive over-run/over-spend– loss of client confidence– loss of future business

Risks to projects

• operational– constant change/re-planning– inefficiency– over-run/over-spend– low morale– unacceptable work conditions

Risk management process

risk planningrisk planning

risk identification

risk identification

risk analysisrisk analysis

risk responserisk response

risk actionrisk action

riskplan

risk database

project plan

Risk management

• part of ‘project office’– wider than ‘project team’– standard procedure for all projects

• applied to all projects• maintain risk ‘database’

– ‘feed forward’ information (past tasks)

– compile actual vs. forecast information (new tasks)

Risk management

• link(s) to quality/monitoring– milestones/inspections– feedback to project plan

Risk planning

• small projects – project manager responsibility

• large projects – full time risk manager

• adopt risk management approach/policy– contingency plan

• identify risk factor identification mechanisms

Risk identification

• easier said than done

• difficult to ensure full risk identification

• second/third opinions

• manager must be honest re: risks

• must highlight all risks regardless of repercussions

Identifying risks

• how to identify & specify risk– must be defined precisely – must be capable of measurement– must have measurable impact

Specifying risk example

poor contract staff performance

may not be as productive as estimated

may not conform to in-house standards

Identification of risk

• starting point for identification– contract & project plan– customer– users– acceptance criteria & mechanisms– functional requirement

Identification of risk

– technical requirement– performance, reliability, availability

& maintainability– developer skill– development environment– tools, methods, hardware & software– all tasks on critical or near-critical

paths

Risk assessment/analysis

• impact & likelihood assessment

• focus attention– higher occurrence probability– higher impact effect

• related to time/quality/cost criteria

Assessment scheme

• risk occurrence probability– high >30%– medium 10%-30%– low <10%

• project impact (overspend/over-run)– high >30% or abandon– medium 10%-30%– low <10%

Risk Assessment MapLikelihood of occurrence

High Medium Low

Small

Moderate

Large

Probablescale ofimpact

Assessment scheme

• risk urgency– how soon risk may occur– how soon avoidance measures need to

be in place

Risk ownership/response

• identify ‘owner’ of risk• balance required

– involvement & authority

• requires– sufficient task knowledge/expertise– necessary resources/time to monitor risk– sufficient authority to achieve risk action

Risk actions

• three types– avoidance actions

• prevention of risk occurrence

• no contract staff

• experienced project team members

• potentially expensive

Risk actions

– mitigation/reduction actions• reduce potential risk occurrence

• assess contract staff ability

• assess attitudes to standards

• reduce risk impact

– acceptance actions• possible for low probability risks

• accept small impact risks

Risk action problem

• creation of secondary risks– e.g. no contract staff = not enough

project team members

Risk register (risk database)

• various forms– paper based register– word processing file– database

• storage form dependant on– project scale– risk volatility

• central repository for risk information

Risk database

• reference– unique identifier– WBS by reference

• title/description– of task

• current status of risk– risk ‘live’

Risk database

• potential impact(s)– quantifiable terms (time/cost/quality)– multiple impacts– record description/likelihood/scale

• risk owner– tracks risk– responsible for implementing risk

actions

Risk database

• risk actions– avoidance/mitigation/acceptance plan

• action log– record of action taken

Risk plan

• statement of scope & degree of risk management

• description of risk management process– assessment method– when & how monitoring

• roles & responsibilities– who responsible for RM process– reporting structure

• description of RM deliverables