A Risky Business
This week on our Project Management Guide, we’re going to take a look at risks.
Every project will face risks. Risks are those things which could go wrong, or change, and adversely effect the project. The idea of handling risk in a project is not to avoid all risk. Any project will face some risk – projects are about bringing about change, and any change will bring some risk. The aim of risk management in a project is to make sure we reduce the risk to an acceptable level in a cost-effective way.
This means that we need to accept we will face risks, and to examine them with an open mind. It also means we need to track those risks, and think about how we would handle them if they occur.
The first step in managing risk is identifying them. We’ve already seen in Project Plans – The Art of Prophecy that risk analysis needs to be part of the project plan. But how do we go about it?
A system that I use is as follows:
- Identify the risks: Preferably as part of a group, start to write down as many possible risks as you can think of. At this point, don’t try and think about how likely a particular risk is, just try and capture as many as you can. Include risks from a wide variety of areas, from technical nitty gritty details, all the way up to the environmental risks, such as natural disasters! Also include business risks, financial risks, etc.
- Evaluate the risks: You should now have a nice list of risks. Now we need to evaluate the risks in terms of their probability and impact. Probability is the likelihood of a risk occurring – so, for example, a natural disaster is astonishingly unlikely to happen, while a computer failure is much more likely. (Knowing my luck, the Redoubt volcano in Alaska will blow just as I post this…) Impact is how much of an effect the risk would have – natural disasters next door, quite a lot. Computer failure, not so much.
- Plan a response: You will now have a set of risks, with probabilities and impacts. You can now start to decide what to do about them. Your options are likely to include avoidance (doing things differently so the risk doesn’t occur), mitigation (take some action so the probability, impact, or both, of the risk are reduced), acceptance (just live with it) and contingency (a prepared plan of what to do if the risk occurs to deal with it quickly).
We don’t just stop there – this is just the first run through. You should record these risks in a risk log (or risk register, etc.) and make sure you monitor them throughout the project – and add new ones as necessary. We’ll look at this in more detail later.
Two tips:
- When it comes to evaluation of the risks, usually simpler is best. Grade the impact as High, Medium, or Low, and do the same for the probability. If you assign High a value of 3, Medium a value of 2, and Low a value of 1, you can simply multiply the probability and impact together to get a quick and dirty numerical grading for your risks.
- The grading of risks should have some bearing on how much you are willing to spend to deal with them. Obviously risks that have a high probability and a high impact should be looked at first!
Hope you’ve enjoyed this quick guide to getting started with risks. Do you have any tips? How do you start identifying risks? Let me know!
project management, project management guide | Trevor Roberts | February 4, 2009
It’s easier when you use only several values for probability too, e.g.: 0%, 30%, 60%, 90%.
I’d also add that it’s important to choose good granularity of risks while identifying them. It’s one of problems with risks management when risks are either too detailed or too general because it’s hard to confront them with other positions from risk log.
[…] already talked about the idea of risk management as part of the project. Obviously the first requirement for the rest of the risk management process is actually to have […]