Return
to Industry News listing of articles
Your Risk Management Process - A Practical
and Effective Approach
Vicki Wrona
Some
experts have said that a strong risk management process
can decrease problems on a project by as much as 80 or 90
percent. In combination with solid project management practices--having
a well-defined scope, incorporating input from the appropriate
stakeholders, following a good change management process,
and keeping open the lines of communication--a good risk
management process is critical in cutting down on surprises,
or unexpected project risks. Such a process can also help
with problem resolution when changes occur, because now
those changes are anticipated and actions have already been
reviewed and approved, avoiding knee jerk reactions.
Defining
"Risk"
Before
one can embark on a risk management process, one must have
a solid understanding of some key definitions. Project risks
as defined from a PMI perspective are, at their core, unknown
events. These events can be positive or negative, so that
the word "risk" is inherently neutral. That said,
most of the time and focus is spent handling negative project
risks, or "threats," rather than positive project
risks, or "opportunities."
Often,
companies that do perform a risk management process on a
fairly typical multi-month project (no longer than 12 months)
will identify and manage possibly five to ten easily recognized
project risks. However, that number should in fact be much
higher. With a high number of project risks identified early
on, a team's awareness of what to look for is increased,
so that potential problems are recognized earlier and opportunities
are seen more readily.
It
may seem that project risks cannot be managed without taking
away from the actual work of the project. However, this
can effectively be accomplished with a seven-step risk management
process that can be utilized and modified with each project.
The
Risk Management Process
Step
one of the risk management process is to have each person
involved in the planning process individually list at least
ten potential risk items. Often with this step, team members
will assume that certain project risks are already known,
and therefore do not need to be listed. For example, scope
creep is a typical problem on most projects. Yet it still
must be listed because even with the best practice management
processes in place, it could still occur and cause problems
on a project over time. Therefore it should be addressed
rather than ignored.
Step
two of the risk management process is to collect the lists
of project risks and compile them into a single list with
the duplicates removed.
Step
three of the risk management process is to assess the probability
(or likelihood), the impact (or consequence) and the detectability
of each item on the master list. This can be done by assigning
each item on the list a numerical rating such as on a scale
from 1 to 4 or a subjective term such as high, medium, or
low. Detectability is optional, but it can be simple to
assess - if a risk is harder to see, such as with scope
creep, then it's a riskier item. If it's easier to catch
early, such as loss of management support or loss of a key
resource, then it's lower risk.
Step
four of the risk management process is to break the planning
team into subgroups and to give a portion of the master
list to each subgroup. Each subgroup can then identify the
triggers (warning signs) for its assigned list of project
risks. All triggers should be noted, even minor ones. Normally
there will be at least three triggers for each risk.
Step
five of the risk management process is for those same subgroups
to identify possible preventive actions for the threats
and enhancement actions for the opportunities.
Step
six of the risk management process is for the subgroups
to then create a contingency plan for most but not all project
risks - a plan that includes the actions one would take
if a trigger or a risk were to occur. This plan will be
created for those risks scoring above a certain cut-off
point, which is determined after looking at the total scores
for all risks. This keeps the risk management process manageable.
The risk management process is not effective if it is so
time-consuming that it is never done.
Step
seven, the final step in planning the risk management process,
is to determine the owner of each risk on the list. The
owner is the person who is responsible for watching out
for triggers and then for responding appropriately if the
triggers do in fact occur by implementing the pre-approved
and now established contingency plan. Often, the owner of
the risk is the project manager, but it is always in the
best interest of the project for all team members to watch
for triggers while working on the project.
Rather
than start this risk management process from scratch for
every new project, it can be followed once to establish
a list of generic project risks and triggers, skipping step
three. Then, a team simply has to add project-specific project
risks and triggers and assess the probability, impact, and
detectability for each risk, saving a great amount of time
and helping to ingrain a risk mentality into your project
culture.
Creating
a Risk Register or Risk Matrix
Upon
completion of the risk management process, a master document,
known as a risk register or risk matrix, is created. The
most effective format for this document is a table, because
it will allow a great deal of information to be conveyed
in a few pages. If the information is instead presented
in paragraph form, it may not be read by people and will
be rendered ineffective. The columns in the table can include
risk description, probability, impact, detectability, triggers,
preventive actions, and contingency plan. Other columns,
such as quantitative value, can also be added as appropriate.
Important
Things to Remember
Often,
the steps in which triggers and preventive actions are identified
are overlooked. However, these are vital to the entire risk
management process. After a team has completed this exercise
once, the members will be better conditioned on what to
pay attention to while managing the project so they are
more proactive in catching changes or issues early. If these
steps in the risk management process are skipped, the team
can find themselves in constant reaction mode, simply implementing
a contingency plan for each risk after that risk catches
them by surprise. They could also ignore a seemingly overwhelming
list of project risks, which is why narrowing the list down
to the most important risks is critical for making sure
the list is used.
Once
the risk register is complete, it is easy to maintain. It
can be reviewed during regular status meetings, with as
little as 15 minutes spent making sure the list is still
current. Determine if any project risks can be closed (but
not removed completely), if any risks have increased or
decreased in value, and if there are any new project risks
to add. This will ensure that the list is continually seen
as relevant and useful throughout the life of the project.
Conclusion
A risk
management process does not have to be complicated or time
consuming to be effective. By following a simple, tested,
and proven approach that involves seven steps taken at the
beginning of each project (fewer if a generic list of project
risks has already been established), the project team can
prepare itself for whatever may occur. Of course there will
always be changes and there may still be surprises, but
the end result is that they are fewer, that the team feels
prepared and that the project is not taken off course.
Source
|
