Few projects go off without a hitch, especially when client/sponsor relationships are not strong. That’s why I would argue that risk management is one of the most important components of project management.
When unexpected events occur, it is clear that the identification and analysis of risks is a central cog in the wheel preventing small mishaps from morphing into complete project disasters.
To ensure smooth projects, the project manager should create a risk management plan. The Project Management Body of Knowledge (PMBOK) addresses the production of this plan in the Plan Risk Management process within the Project Risk Management knowledge area.
There is no guideline for length. The most important thing is that the mission critical information is in place.
For smaller projects the risk management plans can be a section of the larger project management plan. For larger, more complex or highly sensitive projects they can be a stand alone document, but should be summarized in the project management plan because it is still a subset of it.
There are six components of a good risk management plan:
- Risk Breakdown Structure
- Probability & Impact Matrix
- Accuracy Estimates (cost & schedule)
- Risk Register
The first five are simply different ways to analyze overall project risk. The real project risk management takes place in risk register, therefore I will spend most of my time there.
In future sections the risks will be identified and given prioritization rankings such as “high/medium/low.” In the Probability & Impact Matrix there will be categories such as “Probability of 0.05 = Very Low.” This section defines what those mean and uses words to clarify them. Usually a definition is written out, such as:
- Very Low: The event is highly unlikely to occur under regular circumstances.
- Low: The event is unlikely but should be noted by the project team.
- Medium: The event has a normal chance of occurring and the project team should be aware of it.
- High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
- Very High: The occurrence of the event should be actively managed and mitigation actions taken.
The assumptions of the project have a major impact on risk analysis. Ask yourself these questions.
- What assumptions support the project costs?
- What assumptions support the project schedule (completion date, milestones, etc.)?
- What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
- Which relationships are being assumed to be strong that are not neccesarily (owner, sponsor, client, contractor, consultant)?
- How many previous projects with similar components have been completed successfully? What were the project issues?
Risk Breakdown Structure
This is a categorical listing of the major categories of risk, and it highly specific to the industry. For example, an I.T. project will look something like this:
The Project Management Institute has only recently incorporated Risk Breakdown Structures in the Project Management Body of Knowledge, and it is not a critical component of the plan. It is essentially reserved for large projects where the establishment of risk categories adds value.
Probability & Impact Matrix
Since risk is defined as Probability x Impact, both factors need to be considered when determining the priority of each risk event. Thus, the probability-impact matrix gives you a more detailed definition of the probability and impact structure used by the risk register (more on that later). The matrix helps you to consider both factors and sets the stage for the determination of numerical probability and impact values for each risk event.
A good risk management plan should have some sort of confidence range estimates, particularly for larger, complex projects. These are excellent for management perusal and discussion. They are simply an analysis by the risk management team (or project manager) of the potential deviation from the project plan.
It can be as simple as low/medium/high probabilities or as complex as statistical analysis of the probability of meeting deadline dates.
As I alluded to earlier, the real meat and potatoes of the risk management plan is in the risk register. It contains a listing of the most important risks the project faces and how the project management team will deal with them. The risk register is usually in table form and has the following columns:
- Risk Name/Description
The risk event can be described with descriptors, such as “The contractor could incur additional material supply cost and attempt to pass this on to us.” Risk identification is a fairly time consuming endeavor that should not be skirted. See our potential risk checklist.
The likelihood of the event occurring. If possible, a numeric value between 0 and 1 should be used which can be multiplied by the Impact (next column) to determine meaningful risk values. But for smaller projects a 1-10 scale or “low/medium/high” is also satisfactory.
The impact of the risk event. Again, a number between 0 and 1 or a dollar value is good because it results in meaningful overall risk values.
Since Risk = Probability x Impact, multiply the two previous columns together. If a qualitative scale like low/medium/high was used, simply use the same qualitative scale to describe the overall risk level in light of the probability and impact of the event.
A good risk management plan will identify the most important risks to the project. In this column, the risks will be prioritized starting from 1 and moving consecutively down until they are all prioritized. Project sponsors, clients, and owners love this, by the way.
- Response Plans
To complete the risk register, a response plan should be created for the top 3 (approximately) risks to the project. Alternatively, they could be included outside of the table, but often a quick synopsis can make the risk register stronger. Something like: “Account for project team, call hazardous spill group, and fill out incident form.” Make it so you don’t have to think about the initial response.
Good luck with your Risk Management Plan, and let me know what tidbits you discovered along the way.