Management of risks

    In Deadline, Tom Demarco writes that to manage a project, it is enough to manage its risks. Indeed, the whole work of PMA can be reduced to one thing - the fight against risks that can prevent the project from completing on time, on budget and with the necessary level of quality. If, for some reason, there are no risks in the project, then there is no subject of PM work.

    But projects without risks probably do not exist in nature and one has to work with them anyway. You can read about how to do this on PMBOK , on Wikipedia, and on thematic resources. This article has more practice than theory. Its purpose is to show by examples an inexpensive and effective approach to project risk management.



    Risk management plan


    PMBOK recommends risk management in 4 steps:
    1. Identification. Identify risks that may interfere with project objectives.
    2. Analysis. Determine which of the identified risks are the most dangerous.
    3. Planning. Plan the most dangerous risks.
    4. Monitoring and control. Keep the project plan and risk list up to date.




    We plan them:

    what
    Who
    When
    how
    Risk identification
    PM + project team
    Tuesday 14–00
    The meeting. 1 hour
    Risk assessment
    PM + leads
    Tuesday 15–00
    The meeting. 1 hour
    Risk planning
    PM + PM of other projects
    Tuesday 16–00
    The meeting. 2 hours
    Monitoring and control
    PM
    Daily 13–00
    Activity. 30 minutes

    We will repeat the entire cycle with a frequency of two weeks, this should be enough. The plan is ready, it remains to describe in detail the steps.

    Risk identification


    The purpose of this step is to identify a number of unknown project risks. We believe that there are infinitely many potential problems around us, so we will pose the problem quantitatively. At the beginning of the project, it’s good to identify 50–100 risks, in the future - 20-30 each.

    Input: project plan, current list of risks (if any);

    Process:
    1. PM collects a rally with the whole team, reports on its purpose, duration and agenda;
    2. PM reports on the status of the project, on the main current risks and problems, answers questions;
    3. Rally participants voice potential risks. All ideas are accepted without exception, without discussion or comment;
    4. The PM records the results in a “cause-risk-effect” format. As soon as the goal is achieved, or the time is up, the rally ends;

    Output: An updated list of risks in the format “cause-risk-effect”.

    Example:



    Risk analysis


    It is obvious that dealing with all risks is immediately expensive and ineffective. The purpose of this stage is to identify the most important of them. For each risk, we evaluate its Probability and Consequences on a ten-point scale. Multiplying them, we get the Importance. We also denote a certain boundary of Importance (for example, 50) in order to understand which risks are critical and continue to work only with them.

    At the entrance: a list of risks;

    Process:
    1. PM collects a meeting with team leaders, reports on its purpose, duration and agenda;
    2. PM discloses the risk, the rally participants assess its likelihood and consequences;
    3. The PM records assessments as soon as the goal of the rally is reached, or the time is up, the rally ends;
    4. The PM considers the importance of risks as Probability * Consequences, sorts the list in descending order of Importance;
    5. PM denotes risks that have exceeded the boundary of Importance in the list;

    At the exit: a list of critical risks;

    Example:



    Risk planning


    In fact, at this stage the project is managed. For each risk, from the critical list, it is necessary to come up with a strategy that our project will protect from it. There are three strategies used in total:

    Transfer. We transfer responsibility for the consequences of risk to a third party (customer, partner company, insurance company, and so on). It makes sense to apply this strategy if we ourselves cannot influence the risk and there is someone to shift this responsibility onto.

    Accept We accept responsibility for the consequences of risk on ourselves, but we do nothing, we leave everything as it is. It makes sense to apply this approach only when we cannot do anything with the risk, and making a transfer to a third party is unreasonably expensive.

    Mitigate.We deal with risk, taking responsibility for it. To deal with risk, it’s good to have several plans. The main one, in order to suppress the risk, and waste, in case the risk still happened and affects the project:
    • The core plan needs to be implemented immediately before the risk has occurred. It should reduce either Probability or Risk Consequences. Here we will be helped by recording risks in the format “cause-risk-effect”. To reduce the likelihood of risk, you need to deal with its cause. To overcome the consequences, you need to protect the subject of its impact.
    • A waste plan is implemented if measures to combat risk have not yielded results, the risk has occurred and has become a problem.

    At the entrance: a list of critical risks;

    Process:
    1. PM gathers a meeting with the leaders of other projects, reports on its purpose, duration and agenda;
    2. PM discloses the risk, the rally participants determine the strategy for working with it, the main plan and a backup plan (for Mitigate);
    3. The PM writes the plans to the risk list, as soon as the goal of the rally is reached, or the time is up, the rally ends;
    4. The PM updates the project plan by adding basic risk plans;

    On the way out: a list of critical risks with a strategy and a plan for each risk, an updated project plan;

    Example:



    Monitoring and control


    This is more a process than a stage. Its purpose is to keep the list of risks and the project plan up to date.

    At the entrance: a planned list of risks, a project plan, daily team reports;

    Process:
    1. The PM performs an audit of the risk list, updates assessments, updates outdated plans;
    2. PM identifies the risks that have occurred, makes a decision on the implementation of waste plans, updates the project plan;

    On the way out: an updated list of risks, an updated project plan;

    Example:



    Total


    For a project with a team of 15 people, the cost of risk management will be 50-60 man-hours per month. At the same time, about 50 new risks will be identified, of which, on average, the 10 most important will be planned and suppressed. Assuming that the critical risk takes the project at least 40 man-hours, we get from 400 man-hours of savings per month.

    The process described in this article can and should be improved. You can complicate it for complex large projects, you can simplify and spend 2 hours a month on risk management. One way or another, it’s much cheaper to work with risks somehow than not to work with them at all.

    Also popular now: