Risk Management (Project Manager's Spotlight Series)

Project Manager's Spotlight on Risk Management\ \ By Kim Heldman \ John Wiley & Sons\ ISBN: 0-7821-4411-X \ \ \ Chapter One\ What Is Risk Management? \ Can you name the ultimate project management four-letter word? You guessed it: R-I-S-K. This word is uttered either in complete confidence or under the breath as something the project manager wished he or she knew something more about.\ Risk management is an integral part of project management. I'll start this chapter with a discussion of the basics of risk management, including the definition of risk, the purposes of risk management, the processes involved with risk management, and principles of risk management.\ At the conclusion of this chapter, I'll introduce a case study that you can follow throughout the book. The project manager in the case study will handle issues in her project that I've discussed during the chapter. Don't be caught off guard if there are a few surprises along the way. After all, that's how most projects work.\ Are you ready to dive in?\ Defining Risk\ Most of us tend to think of risk in terms of negative consequences. It's true that risks are potential events that pose threats to the project. But they're also potential opportunities. That's the side of the equation we often forget.\ For instance, did you know you're taking a risk by reading this book? You're investing a few hours of your time reading about the topic of risk and risk management-and for that I thank you-but it's time that you can't regain once you expend it. You will (I hope) get to the end of this book and realize you learned a lot more about risk than what you knew before you started. In that case, you've taken on a risk and benefited from it. The risk (the threat of a loss of time that you can't regain) will thus end in opportunity because you'll have achieved something at the conclusion of the activity that you didn't have in the beginning.\ NOTE\ Risks are like exercise: no pain, no gain. Accomplishment is rarely possible without taking risks.\ Likewise, you take other risks in your daily routine of which you probably aren't consciously aware. Perhaps you cross a busy intersection on the way from the bus stop to your office. You wait for the walk sign, look both ways before stepping out onto the curb, and proceed to the other side. But let's say you're late for a meeting with the big boss. You can stand on the corner and wait for the walk light, making you even later for the meeting, or you can cross against the light once the traffic has cleared. You weigh the consequences of both actions and decide to walk against traffic.\ Chances are you probably didn't consciously perform a complete analysis of all the risks and their consequences involved in these two scenarios before reaching a decision. You likely made a snap judgment in both cases. In the first example, you picked up this book and thought you'd learn something by reading it, so you purchased a copy. In the second, you weighed the probability of getting hit by a car against the likelihood of getting yelled at by the big boss for being late. Even though the consequences of getting hit by a car have significantly more impact, you decided that being yelled at was a more likely outcome and chose to avoid this risk by taking on the other.\ Organizations and individuals make decisions regarding project risks every day. They might use a formally recognized, documented process or go with the "fly-by-the-seat-of-your-pants" approach. I hope after reading this book you won't exercise snap judgment about project risks anymore but will instead develop a sound methodology for identifying, analyzing, prioritizing, and planning for risks.\ Project Risk\ All projects begin with goals. The point of the project is to meet and satisfy the goals the stakeholders agreed on when the project was undertaken. Risk is what prevents you from meeting those goals. (What? Your stakeholders didn't agree on the goals? We'll talk more about that in Chapter 4, "Preventing Scope and Schedule Risks.")\ NOTE\ This may come as a surprise to all you eternal optimists out there, but all projects have risks. Unfortunately, covering your eyes and saying "you can't see me" doesn't make them go away.\ As I stated earlier, most organizations, and most individuals, really, think about risks in terms of harm or danger. What's at stake, how much could we lose, and how bad will it hurt? are the initial questions that surface when we think about risk. I don't mean to be a downer-but I'll spend the majority of this book discussing risks from the perspective of the threats they pose to the project (and their consequences), because after all, unidentified and unplanned for risks are project killers. Chances are you've experienced a failed project or two as a result of unidentified or unplanned risks. As you progress through the book, I'll discuss techniques that lower or eliminate the consequences of risk and thus give your projects a head start to success.\ Organizations and Project Risk\ Executive managers are responsible for making decisions that benefit the corporation, the shareholders, the constituents, and the others they represent. Whether it is a for-profit company, a governmental organization, a not-for-profit organization, an education-focused business, and so on, the executives at the top have one goal in mind-maximize benefits to the organization and to their shareholders (all the while making themselves look good for future promotional purposes, but that's another book). To do that, the company must minimize bad risks while maximizing the opportunities that good risks may present. This is where you come in.\ For executives to make good decisions, they need information. Risk identification and analysis is a part of the vital information they'll use when determining a go or no-go decision regarding the project. And you are the one responsible for reporting on the risks and their potential impacts to the executives to assist them in their decision-making process.\ Risk management, unfortunately, is probably one of the most often skipped project management knowledge areas on small-to-medium-sized projects. Many project managers I know take the attitude that they'll deal with the risks when and if they occur rather than take the time to identify and plan for them before beginning the work of the project.\ On a small project, even just an hour or two of time spent on risk management can mean the difference between project success and project failure. The information you learn doing simple risk analysis could prove invaluable to your organization. I can't guarantee you project success, but I can guarantee you a much higher potential for project failure if you don't practice basic risk management techniques and inform your executives of the potential for bad juju before it hits.\ Applying the risk management processes you'll learn about in this book will help you manage successful projects that improve your organization's performance, profits, efficiency, and market share; provide better market presence; and meet the organization's goals.\ The Spotlight Series is geared toward those of you who manage small-to-medium-sized projects. You and I are the ones out there keeping the everyday business functions forging ahead with the small-to-medium-sized projects such as consolidating servers, launching websites, conducting space planning, implementing new purchasing procedures, and so on.\ You may be asking, "What does small mean?" Well, the answer is relative. A small project with minimal impact to one organization could be huge with devastating impacts to another. For example, your $50,000 project in an organization that generates $500 million a year in revenues is relatively harmless to the bottom line if the project should fail. Conversely, the failure of a $50,000 project to a small business owner could send her into bankruptcy. A small business owner likely couldn't afford the impact of even one risk consequence whereas the large organization could easily invest twice the original amount of the project without batting an eye. Therefore, the risk to the organization is relative as well. (Don't fool yourself, though; you'll have to report to someone about why the original $50,000 wasn't enough. The risk in this case rests with you. Did you plan the project appropriately? Did you estimate activities and budget accurately? And did you identify and plan safe, client-approved strategies for managing risks that could have caused the need for more project funds?)\ Remember that your success with small projects will win you larger and larger project assignments. One way to assure you get those juicy assignments is not skipping the risk management processes.\ Your company takes on risk with every project the executive team approves. They supply resources, time, money, and sometimes even stake their reputations on projects. Those same resources could be applied to other projects. But the decision makers weigh the possible outcomes of your project over another and decide to run with the project you're assigned. When projects are approved, the benefit, or perceived opportunity, outweighs the perceived threat of not completing the project. When the opposite is true, the project never sees the light of day.\ NOTE\ Most organizations (and individuals) will take risks when the risk benefits outweigh the consequences of an undesirable outcome.\ You may be scratching your head right now wondering why the coworker downwind from you got his project approved while yours was nixed for no apparent reason. Many things can come into play in decisions such as this, including power plays (someone somewhere doesn't like someone else who may benefit from the project), the executive in charge doesn't like the project, favoritism, and other similar office politics. More apparent reasons might play a part as well, such as the project isn't in keeping with the company's mission, no money exists for the project, enough resources aren't available to apply to the project, the risks outweigh the benefits, and so on. I'm certain you can come up with as many reasons as I can.\ As you explore risks and consequences and their impact on the organization through the course of this book, keep in mind that executives sometimes seem to defy logical reason when making decisions. They choose projects that have risks with potentially devastating consequences to the organization while brushing off other projects that to us seem like a no-brainer. So when you're wondering about why your project wasn't approved-my advice is don't. Move on to your next assignment and apply solid project management and risk management techniques to help assure its success.\ Purpose of Risk Management\ The good news is risk isn't the enemy. The bad news is the consequences of ignoring risk can be. What you don't know can hurt you when it comes to risk. The goal of risk management is identifying potential risks, analyzing risks to determine those that have the greatest probability of occurring, identifying the risks that have the greatest impact on the project if they should occur, and defining plans that help mitigate or lessen the risk's impact or avoid the risks while making the most of opportunity.\ Project management means applying skills, knowledge, and established project management tools and techniques to your projects to produce the best results possible while meeting stakeholder expectations.\ Risk management means applying skills, knowledge, and risk management tools and techniques to your projects to reduce threats to an acceptable level while maximizing opportunities.\ More specifically, risk management concerns these five areas:\ Identifying and documenting risks\ Analyzing and prioritizing risks\ Performing risk planning\ Monitoring risk plans and applying controls\ Performing risk audits and reviews\ I'll describe each of these processes in further detail in their own chapters, so in this section I'll stick with a high-level definition for each. These processes are highly interactive, and to understand how they all work together, you'll first look at the purpose for each.\ Identifying and documenting risks This one is fairly straightforward. The first step of your risk management approach is identifying and writing down all the potential risks that exist on your project. It doesn't stop there, however. Identifying risks occurs throughout the life of the project. Every life-cycle phase brings its own challenges and opportunities, which means more opportunity for project risk.\ Analyzing and prioritizing risks These processes are a little more complicated. Now that you know what the risks are, you'll apply tools and techniques to determine which ones have the greatest potential for harm (and for good) to the project. The analyzing and prioritizing process determines which risks require plans.\ Performing risk planning Risk planning concerns developing strategies that document how you'll deal with the risks if they occur. Not all risks require response plans. You may choose to live with the consequences of a risk event if it occurs.\ Monitoring risk plans and applying controls This process involves evaluating the risk response plans you've put into action and implementing any corrections needed to make certain the plan is effective and the risks are handled appropriately and timely.\ Performing risk audits and reviews This process is different from the previous one because it's performed after the project is completed. Monitoring risks occurs throughout the life of the project. Performing a risk audit is a lot like documenting lessons learned. You'll document information as the project progresses, but the risk audit analysis is performed at the end of the project.\ Iterative Process\ You can see from the discussion in the previous section how the risk management processes interact. Once the project manager (or project team) identifies a risk, she analyzes it to determine its potential impact on the project. Then she develops a plan that outlines how to deal with the impacts of the risk should they occur, and monitors, tracks, and perhaps changes the plan as a result of new information. This means she may identify new risks, requiring more plans, and so on.\ Risk management, just like project management, is an iterative process, and effective communication is at its core. Without communication and constructive information exchange between key stakeholders, project team members, management, the project sponsor, and so on, risk management wouldn't work well. The same is true for the project management processes.\ The following illustration shows the iterative nature of risk management and the interaction between its processes.\ Risk management is tightly integrated with the project management processes and, like project management itself, is not a one-time process. To illustrate this point, the next illustration shows the project life-cycle processes (in italics in the graphic) plotted with the risk management processes to demonstrate how closely linked they are. (Appendix A contains a refresher on the project management life-cycle processes if you need a review.)\ Probability and Impact\ I've already touched on two topics that need a little further explanation before you proceed-probability and impact. You'll spend a great deal of time with these subjects in Chapter 5, "Analyzing and Prioritizing Risks," but for now some explanations are in order.\ Probability is simply the likelihood that a risk event will occur. Let's say you're busy planning the annual St. Patrick's Day parade. The weather forecasters say today has a 20 percent chance of rain. Therefore, the probability it will rain on your parade is 20 percent.\ Risk impact is the result of the probability of the risk event occurring plus the consequences of the risk event. Impact, in laymen's terms, tells you how bad or how good the realized risk is going to hurt.\ Back to the rain example. Perhaps your organization has invested $75,000 in a float scheduled to appear in the parade's third position. This is a prime spot because folks watching the parade are still energized and watching the events closely. This means the advertising panel on the side of the float with your organization's name in huge letters is going to get a lot of visibility. This translates, you hope, into more business. However, if it rains, the impact to the organization is the $75,000 (at a minimum) invested in the float. The potential loss of business is also an impact of this risk event and could be added to the $75,000 to determine a total financial impact. So how bad will it hurt if it rains? The cost is $75,000 plus the loss of business and other time or resources expended preparing the float, assuming a total washout.\ (Continues...)\ \ \ \ \ Excerpted from Project Manager's Spotlight on Risk Management by Kim Heldman Excerpted by permission.\ All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.\ Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site. \ \

Ch. 1What is risk management?1Ch. 2Identifying and documenting risks29Ch. 3Why projects fail - more risks and how you can prevent them61Ch. 4Preventing scope and schedule risks95Ch. 5Analyzing and prioritizing risks123Ch. 6Defining risk response plans149Ch. 7Implementing and monitoring risk response plans171App. ANine knowledge areas refresher191App. BRisk management templates203