Risk Management

It's Not Just a Good Idea...

Abstract

Risk management, identifying the things that might go wrong on your project and deciding what to do about them, is almost universally considered to be a good idea. In fact, I can't remember ever having someone tell me that they don't think it is a good idea. "Oh yes!" I am often told, "we should do that!"

"Should?"

Why Not Risk Management?

With so much agreement that we should be managing risk, why do I find that it is so rare? When I probe, I get many different answers as to why it is not done in specific organizations. But after a while, three themes have begun to emerge:
  1. The organization is too busy with real problems to worry about potential ones,
  2. There is a perception that there is not too much that can go wrong, or
  3. They have a fatalistic belief that not much can be done about risks.
With these being the three predominant reasons why we end up not doing something that we know we should, let's take a look at some easy ways to overcome them.

Too Busy For Risk Management

How much time does risk management take? In spite of the fact that it represents an entire Knowledge Area in the PMBOK(R) and an entire Process Area in the CMMI(R), managing risks requires a surprisingly small investment.

For a 12-month project employing a dozen professionals, a complete Risk Identification Workshop can be completed in less than three hours (36 person-hours). And unless things are going wrong, the Updating Risks part of a weekly status meeting will take an average of about 5 minutes (costing 52 person-hours for the whole project).

So, for this fictitious 12-month project, proper risk management will cost less than one half of one percent of the budgeted effort, and will delay project initiation by approximately 1% of the yearlong schedule. It doesn't take much benefit to justify such a small investment! (And we will address justifying Risk Management next!)

What Could Go Wrong?

Projects often begin with a sense of euphoria. The benefits are obvious, the challenges seem insignificant, and the risks are easy to miss. This is precisely the reason for performing Risk Identification during project initiation. When we don't make a small investment in identifying the project's risks, we leave ourselves open to very big surprises later in the project.

The justification for making this investment is already sitting in your own files. What surprises have you experienced on recent projects? What went wrong? How badly was the project affected? And the most important question: Could it have been foreseen?

While most of these things could not have been predicted with certainty, it is likely that the majority would have been identified as possible during a Risk Identification Workshop. And if you had foreseen those possibilities, you may have been able to do something about them (which we will discuss next).

What Can Be Done About It?

The fatalistic idea that we can't do much about the risks we face is just plain wrong.

The first thing we can address is a risk's probability -- how likely it is to happen. We may be able to drive down the likelihood that a risk will actually happen -- sometimes driving it to zero! For example, for customer-related risks, we can increase our level of interaction with them throughout the project. For technical risks, we can hire consultants who have the requisite experience. And for loss of key staff, we can improve their quality of work-life.

The other thing we can address is a risk's impact on our project -- how bad it would be. We can sometimes drive a risk's impact down, and again, sometimes it can be driven to zero. For example, for customer-related risks, we can solicit their feedback on work products early in the project. For technical risks, we can prototype critical items to uncover problems early. And for loss of key staff, we can cross-train and implement work sharing.

Yes, some risks can be avoided, some can be transferred to others, and some can be prepared for so that if they do happen, they won't be so bad. On top of all this, we can also prepare contingency plans so if a really big risk happens to us, we will be ready for it. In fact, most of our risks are things that we can do something about. So much so that failing to manage risks is often classified as negligence!

Value From Managing Risks

OK, we're sold on it. We want to make Risk Management part of our next project. The good news is that the investment is small enough that we may be able to just do it! But what if we need approval? How do we justify the time and effort to the "powers that be"? How do we get our boss, our customer, or a senior executive to approve of this investment in project success?

Again, that information is already in our files. We need only find some examples of problems we have experienced on prior projects. How much did those problems cost the projects? And how much would it have cost to mitigate or totally avoid those costs, if we had foreseen them? The more examples we can find of cases where Risk Management would have paid for itself, the stronger will be our argument to use it from now on. And one big win (avoiding a catastrophic problem by managing risks) will solidify Risk Management as a normal part of our methods.

Finally!

(R) "PMBOK" and "Project Management Body of Knowledge" are registered trademarks of the Project Management Institute.

(R) "CMMI" and "Capability Maturity Model Integration" are registered in the US Patent Office by Carnegie Mellon University.