Project Risk Management
Is risk the dark side of project
management? It certainly adds drama. Project risk management is a
vast and fascinating subtopic involving both negative and positive aspects.
Project managers
may use risk models to explore the possible outcomes using risk
simulations. For a model in Excel, software such as Frontline's Risk Solver may be used
to perform a Monte Carlo simulation on a model. Project managers can
run a simulation that performs many (thousands of) experiments or trials --
each one samples possible values for the uncertain inputs, and calculates the
corresponding output values for that trial.
The first run of a simulation model
can often yield results that are surprising to the modelers or to management --
especially when there are several different sources of uncertainty that
interact to produce an outcome. Even before an in-depth analysis of the results,
simply seeing the range of outcomes -- for example, how low and how high Net
Profit can be, given our model and sources of uncertainty -- can encourage a
re-thinking of the risks we face, and the actions we can take.
Because a simulation yields many
possible values for the outcomes we care about -- from Net Profit to
environmental impact -- some work is needed to analyze the results. It is very
useful to create charts to help us visualize the results -- such as cumulative frequency charts.
We can summarize the range of outcomes using various kinds of statistics, such
as the mean or median, the standard deviation and variance, or the 5th and 95th
percentile or Value at Risk.
Another tool for assessing model
results is sensitivity analysis, which can help us identify the uncertain
inputs with the biggest impact on our key outcomes. For example, a tornado chart can
give us a visual summary of uncertainties with the greatest positive and
negative impact on net profit.
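The simulation, summary statistics and tornado-style sensitivity analysis described above can be sketched in a few lines of Python. This is an added example, not part of the original article and not Risk Solver's own code; the net profit model, the input names and every number in it are constructed for illustration.

```python
import random
import statistics

# Constructed three-point estimates (low, most likely, high) for each uncertain input.
INPUTS = {
    "units_sold": (8_000, 10_000, 13_000),
    "unit_price": (45.0, 50.0, 52.0),
    "unit_cost": (28.0, 30.0, 36.0),
    "fixed_cost": (120_000, 150_000, 180_000),
}

def net_profit(units_sold, unit_price, unit_cost, fixed_cost):
    """The deterministic model that is evaluated once per trial (an assumed model)."""
    return units_sold * (unit_price - unit_cost) - fixed_cost

def simulate(trials=10_000, seed=1):
    """Run `trials` experiments, sampling every uncertain input once per trial."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    results = []
    for _ in range(trials):
        sample = {k: rng.triangular(lo, hi, mode) for k, (lo, mode, hi) in INPUTS.items()}
        results.append(net_profit(**sample))
    return results

def summarize(results):
    """Mean, median, standard deviation, 5th/95th percentile and chance of a loss."""
    cuts = statistics.quantiles(results, n=20)  # cut points at 5%, 10%, ..., 95%
    return {
        "mean": statistics.fmean(results),
        "median": statistics.median(results),
        "stdev": statistics.stdev(results),
        "p5": cuts[0],
        "p95": cuts[-1],
        "prob_loss": sum(r < 0 for r in results) / len(results),
    }

def tornado(inputs=INPUTS):
    """Swing one input from low to high, others at most likely; largest swing first."""
    base = {k: mode for k, (_, mode, _) in inputs.items()}
    bars = []
    for name, (lo, _, hi) in inputs.items():
        at_low = net_profit(**{**base, name: lo})
        at_high = net_profit(**{**base, name: hi})
        bars.append((name, at_low, at_high, abs(at_high - at_low)))
    return sorted(bars, key=lambda b: b[3], reverse=True)

if __name__ == "__main__":
    print(summarize(simulate()))
    print(tornado())
```

Each tuple returned by tornado() is one bar of the chart: the input name, net profit at its low and high value, and the size of the swing.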
Rules for Risk Management
Rule 1: Make Risk Management Part of Your Project
The first rule is essential to the success of project risk
management. If you don't truly embed risk management in your project, you cannot
reap the full benefits of this approach. You can encounter a number of faulty
approaches in companies. Some projects use no approach whatsoever to risk
management. They are either ignorant, running their first project or they are
somehow confident that no risks will occur in their project (which of course
will happen). Some people blindly trust the project manager, especially if he
(usually it is a man) looks like a battered army veteran who has been in the
trenches for the last two decades. Professional companies make risk management
part of their day to day operations and include it in project meetings and the
training of staff.
Rule 2: Identify Risks Early in Your Project
The first step in project risk management is to identify the
risks that are present in your project. This requires an open mindset that
focuses on future scenarios that may occur. Two main sources exist to identify
risks: people and paper. People are your team members that each bring along
their personal experiences and expertise. Other people to talk to are experts
outside your project that have a track record with the type of project or work
you are facing. They can reveal some booby traps you will encounter or some
golden opportunities that may not have crossed your mind. Interviews and team
sessions (risk brainstorming) are the common methods to discover the risks
people know. Paper is a different story. Projects tend to generate a
significant number of (electronic) documents that contain project risks. They
may not always have that name, but someone who reads carefully (between the
lines) will find them. The project plan, business case and resource planning
are good starters. Other categories are old project plans, your company
intranet and specialized websites.
Are you able to identify all project risks before they occur?
Probably not. However, if you combine a number of different identification
methods, you are likely to find the large majority. If you deal with them
properly, you have enough time left for the unexpected risks that take place.
Rule 3: Communicate About Risks
Failed projects show that project managers in such projects were
frequently unaware of the big hammer that was about to hit them. The
frightening finding was that frequently someone in the project organization
actually did see that hammer, but didn't inform the project manager of its
existence. If you don't want this to happen in your project, you had better pay
attention to risk communication.
A good approach is to consistently include risk communication in
the tasks you carry out. If you have a team meeting, make project risks part of
the default agenda (and not the final item on the list!). This shows risks are
important to the project manager and gives team members a "natural
moment" to discuss them and report new ones.
Another important line of communication is that of the project
manager and project sponsor or principal. Focus your communication efforts on
the big risks here and make sure you don't surprise the boss or the customer!
Also take care that the sponsor makes decisions on the top risks, because
usually some of them exceed the mandate of the project manager.
Rule 4: Consider Both Threats and Opportunities
Project risks have a negative connotation: they are the
"bad guys" that can harm your project. However, modern risk approaches
also focus on positive risks, the project opportunities. These are the
uncertain events that are beneficial to your project and organization. These
"good guys" make your project faster, better and more profitable.
Unfortunately, lots of project teams struggle to cross the
finish line, being overloaded with work that needs to be done quickly. This
creates project dynamics where only negative risks matter (if the team
considers any risks at all). Make sure you create some time to deal with the
opportunities in your project, even if it is only half an hour. Chances are
that you see a couple of opportunities with a high pay-off that don't require a
big investment in time or resources.
Rule 5: Clarify Ownership Issues
Some project managers think they are done once they have created
a list with risks. However, this is only a starting point. The next step is to
make clear who is responsible for what risk! Someone has to feel the heat if a
risk is not taken care of properly. The trick is simple: assign a risk owner
for each risk that you have found. The risk owner is the person in your team
that has the responsibility to optimize this risk for the project. The effects
are really positive. At first people usually feel uncomfortable that they are
actually responsible for certain risks, but as time passes they will act and
carry out tasks to decrease threats and enhance opportunities.
Ownership also exists on another level. If a project threat
occurs, someone has to pay the bill. This sounds logical, but it is an issue
you have to address before a risk occurs. Especially if different business
units, departments and suppliers are involved in your project, it becomes
important who bears the consequences and has to empty his wallet. An important
side effect of clarifying the ownership of risk effects is that line managers
start to pay attention to a project, especially when a lot of money is at
stake. The ownership issue is equally important with project opportunities.
Fights over (unexpected) revenues can become a long-term pastime of management.
Rule 6: Prioritize Risks
A project manager once told me "I treat all risks
equally." This makes project life really simple. However, it doesn't
deliver the best results possible. Some risks have a higher impact than others.
Therefore, you had better spend your time on the risks that can cause the biggest
losses and gains. Check if you have any showstoppers in your project that could
derail your project. If so, these are your number 1 priority. The other risks
can be prioritized on gut feeling or, more objectively, on a set of criteria.
The criteria most project teams use are the effects of a risk and
the likelihood that it will occur. Whatever prioritization measure you use, use
it consistently and focus on the big risks.
Rule 7: Analyze Risks
Understanding the nature of a risk is a precondition for a good
response. Therefore take some time to have a closer look at individual risks
and don't jump to conclusions without knowing what a risk is about.
Risk analysis occurs at different levels. If you want to
understand a risk at an individual level it is most fruitful to think about the
effects that it has and the causes that can make it happen. Looking at the
effects, you can describe what effects take place immediately after a risk
occurs and what effects happen as a result of the primary effects or because
time elapses. A more detailed analysis may show the order of magnitude of the effect
in a certain category like costs, lead time or product quality. Another
angle to look at risks is to focus on the events that precede a risk
occurrence, the risk causes. List the different causes and the circumstances
that decrease or increase the likelihood.
Another level of risk analysis is investigating the entire
project. Each project manager needs to answer the usual questions about the
total budget needed or the date the project will finish. If you take risks into
account, you can do a simulation to show your project sponsor how likely it is
that you finish on a given date or within a certain time frame. A similar
exercise can be done for project costs.
The information you gather in a risk analysis will provide
valuable insights into your project and the necessary input to find effective
responses to optimize the risks.
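The two quantitative steps in rules 6 and 7 (ranking risks by likelihood and effect, then simulating how likely the project is to finish by a given date) can be combined as follows. This is an added example, not part of the original article; the task estimates, the risk log entries and all names are constructed, and tasks are assumed to run one after another.

```python
import random

# Constructed task durations in working days: (optimistic, most likely, pessimistic).
TASKS = {"design": (10, 15, 25), "build": (30, 40, 60), "test": (10, 12, 20)}

# Constructed risk log entries: likelihood of occurring and delay range (days) if they do.
RISKS = [
    {"id": "R1", "owner": "Ana", "likelihood": 0.30, "delay": (5, 15)},
    {"id": "R2", "owner": "Ben", "likelihood": 0.15, "delay": (20, 40)},
    {"id": "R3", "owner": "Cho", "likelihood": 0.50, "delay": (1, 4)},
]

def prioritize(risks=RISKS):
    """Rank risks by likelihood times mean effect, i.e. expected delay in days."""
    def expected_delay(risk):
        return risk["likelihood"] * sum(risk["delay"]) / 2
    ranked = [(r["id"], expected_delay(r)) for r in risks]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

def simulate_durations(trials=20_000, seed=7, risks=RISKS):
    """Total project duration per trial: task durations plus the risks that occur."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        days = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in TASKS.values())
        for risk in risks:
            if rng.random() < risk["likelihood"]:  # does this risk occur in this trial?
                days += rng.uniform(*risk["delay"])
        totals.append(days)
    return totals

def prob_on_time(totals, deadline_days):
    """Share of trials that finish within the deadline."""
    return sum(t <= deadline_days for t in totals) / len(totals)

if __name__ == "__main__":
    print("priority:", prioritize())
    print("P(finish within 90 days):", prob_on_time(simulate_durations(), 90))
    without_r2 = [r for r in RISKS if r["id"] != "R2"]
    print("same, with R2 avoided:", prob_on_time(simulate_durations(risks=without_r2), 90))
```

Replacing the delay values with cost figures gives the similar exercise for project costs.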
Rule 8: Plan and Implement Risk Responses
Implementing a risk response is the activity that actually adds
value to your project. You prevent a threat occurring or minimize negative
effects. Execution is key here. The other rules have helped you to map, prioritize
and understand risks. This will help you to make a sound risk response plan
that focuses on the big wins.
If you deal with threats you basically have three options: risk
avoidance, risk minimization and risk acceptance. Avoiding risks means you organize
your project in such a way that you don't encounter a risk anymore. This could
mean changing supplier or adopting a different technology or, if you deal with
a fatal risk, terminating a project. Spending more money on a doomed project is
a bad investment.
The biggest categories of responses are the ones to minimize
risks. You can try to prevent a risk occurring by influencing the causes or
decreasing the negative effects that could result. If you have carried out rule
7 properly (risk analysis) you will have plenty of opportunities to influence
it. A final response is to accept a risk. This is a good choice if the effects
on the project are minimal or the possibilities to influence it prove to be
very difficult, time consuming or relatively expensive. Just make sure that it
is a conscious choice to accept a certain risk.
Responses for risk opportunities are the reverse of the ones for
threats. They will focus on seeking risks, maximizing them or ignoring them (if
opportunities prove to be too small).
Rule 9: Register Project Risks
This rule is about bookkeeping (however don't stop reading).
Maintaining a risk log enables you to view progress and make sure that you
won't forget a risk or two. It is also a perfect communication tool that
informs your team members and stakeholders what is going on (rule 3).
A good risk log contains risk descriptions, clarifies ownership
issues (rule 5) and enables you to carry out some basic analyses with regard to
causes and effects (rule 7). Most project managers aren't really fond of
administrative tasks, but doing your bookkeeping with regards to risks pays
off, especially if the number of risks is large. Some project managers don't
want to record risks, because they feel this makes it easier to blame them in
case things go wrong. However, the reverse is true. If you record project risks
and the effective responses you have implemented, you create a track record
that no one can deny, even if a risk happens that derails the project. Doing
projects is taking risks.
Rule 10: Track Risks and Associated Tasks
The risk register you have created as a result of rule 9 will
help you to track risks and their associated tasks. Tracking tasks is a
day-to-day job for each project manager. Integrating risk tasks into that daily
routine is the easiest solution. Risk tasks may be carried out to identify or analyze
risks, or to generate, select and implement responses.
Tracking risks differs from tracking tasks. It focuses on the
current situation of risks. Which risks are more likely to happen? Has the
relative importance of risks changed? Answering these questions will help to
pay attention to the risks that matter most for your project value.
The 10 golden risk rules above give you guidelines on how to
implement risk management successfully in your project. However, keep in mind
that you can always improve. Therefore rule number 11 would be to use the
Japanese Kaizen approach: measure the effects of your risk management efforts
and continuously implement improvements to make it even better.