Wednesday, June 25, 2008

Formal Risk Management Methods (2)

In our last article, we discussed a basic framework shared by all formal project risk management methodologies. They basically follow a life cycle of Identification -> Analysis -> Response Planning -> Monitoring and Controlling. Below we discuss some common techniques used throughout this cycle.

Risk Identification

Document review is a common technique for identifying risks at the early stage of a project. Reviewing the project plan, schedule, WBS, resource plan, cost budget, quality plan and so on can generate useful ideas about where the risks lie.

Other meeting-based risk identification tools include interviews, brainstorming, and the Delphi technique. Interviewing is very common in real life. A project manager would try to gather as much information about the project as possible by talking to other project managers, the customer, other team members, internal units, vendors or anyone else who would be involved in the project. Risks would be identified along the way.

Risk Analysis

There are basically three elements of risks - Event, Probability, and Impact.

The above framework is very popular in analyzing risks and their associated priority. There are many variations depending on the level of granularity required. In my opinion, however, a 3x3 table is sufficient for most purposes. I've seen companies using a 7x5 or 7x7 scale. There is a false sense of accuracy when people use a more granular scale. However, bear in mind that any estimate of the probability and impact of a risk, especially probability, is only an 'educated guess', and may deviate from the true picture by a wide margin. So what is the point of using a seemingly fine and accurate scale? Garbage in, garbage out, right?
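The granularity argument above can be checked with a small calculation. The following is an added example, not part of the original post: it assumes equal-width bands over a 0 to 1 range for both probability and impact, and the three risks and their estimate ranges are constructed.

```python
# Added illustration (not from the original post). Scales are assumed to be
# equal-width bands over 0..1; the register entries below are constructed.

def band(estimate, levels):
    """Return the 1-based band an estimate in [0, 1] falls into."""
    return min(int(estimate * levels) + 1, levels)

def cells_spanned(prob_range, impact_range, prob_levels, impact_levels):
    """Number of matrix cells an uncertain estimate could be rated as."""
    p_lo, p_hi = (band(v, prob_levels) for v in prob_range)
    i_lo, i_hi = (band(v, impact_levels) for v in impact_range)
    return (p_hi - p_lo + 1) * (i_hi - i_lo + 1)

# Constructed risks: (name, plausible probability range, plausible impact range).
# Each range is the spread an honest estimator might admit to.
RISKS = [
    ("Key vendor misses delivery date", (0.40, 0.60), (0.40, 0.60)),
    ("Lead developer resigns",          (0.25, 0.40), (0.70, 0.90)),
    ("Scope change after sign-off",     (0.70, 0.95), (0.20, 0.30)),
]

def compare_scales(risks=RISKS):
    """For each risk, count the cells it could occupy on a 3x3 and a 7x7 matrix."""
    return {name: (cells_spanned(p, i, 3, 3), cells_spanned(p, i, 7, 7))
            for name, p, i in risks}

if __name__ == "__main__":
    for name, (c3, c7) in compare_scales().items():
        print(f"{name:34s} 3x3: {c3} cell(s)   7x7: {c7} cell(s)")
```

With these ranges each risk lands in one or two cells of the 3x3 matrix but could be placed in six to nine different cells of the 7x7 matrix, so the finer rating mostly records which point of the guess the assessor happened to pick.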

Risk Response

The risk response strategies of different formal methods are surprisingly, or shall we say unsurprisingly, similar. For example, PMBOK published by PMI lists four strategies for negative risks or threats: Avoid, Transfer, Mitigate, Accept. In NIST 800-30, they are Assumption (a form of Acceptance), Avoidance, Limitation (similar to Mitigation), Planning, Research & Acknowledgement, and Transference. For the Risk Management Standard published by IRM, AIRMIC and ALARM in the UK, the risk treatment approaches are Control, Mitigation, Avoidance, Transfer and Financing. You can see they refer more or less to the same set of strategies, and stay at a high level without going into detail about how you can apply them in real life.

Risk Monitoring

Again the formal methods lack in-depth guidance here. Most of them ask you to keep monitoring the status of existing identified risks, and take heed of any possible new risks. Should any risks materialize even after mitigation or limitation measures have been applied, the pre-meditated contingency plan should be carried out.

One tool that is useful for keeping track of risks, as well as for communication with stakeholders, is the Risk Register. It's basically a list of identified risks with corresponding attributes such as Category, Probability, Impact Level, Impacts (qualitative analysis such as scenario, or quantified measures such as financial loss), Proposed Action, Owner, and so on.

A Critique of Formal Methods

Formal methods share the following characteristics:
  • Risk-by-risk approach
  • Emphasis on proactive and preventive planning
  • Regular formal meetings for monitoring and review, likely at different levels
  • Formal documentation and reporting (risk register/ risk log, risk report)
There are a few observations about the limitations of formal Risk Management methods:
  1. Definition of Risk too narrow - All focus on the success of the project, instead of expanding the definition to include impacts on the organization and stakeholders involved.
  2. Highly dependent on organization culture, formal structures and processes - If the organization or client does not support these methods, there is no way a project manager can apply them.
  3. Heavy on planning, light on follow-up action - Just like any existing methodologies, the processes and tools & techniques included for Risk Planning are the best written and provide the most insights. Comparatively, the Control & Monitoring section is rather weak and lacking details.
  4. Difficult to quantify probability and impact, hence risk level is only an educated guess.
  5. Show me the money! Is it more expensive to apply formal risk methods, in particular for small or medium projects, than to simply take a reactive approach?
Next, we'll share with you insights provided by a research paper in Project Risk Management done in Hong Kong.

To be continued...

Copyright 2008 Knowledge Century Limited.

Monday, June 23, 2008

Formal Risk Management Methods (1)

What are the popular formal Risk Management standards nowadays?

There are different standards for different industries and functional areas. Since our theme is about project management in the business and technology sectors, we just list several standards that are well accepted in these sectors and relevant to our discussion. These include PMBOK 2004, AS/NZS4360:2004-Risk Management, UK Risk Management Standard by IRM/AIRMIC/ALARM, and NIST 800-30 Risk Management Guide for Information Technology Systems.

We do not intend to go through them one by one. Instead we want to highlight some commonalities among them.

Definition of Risk

PMBOK: An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.

Risk Management Handbook by Max Wideman: The cumulative effect of the chances of uncertain occurrences which will adversely affect project objectives.

APM / BS: Combination of the probability or frequency of occurrence of a defined threat or opportunity and the magnitude of the consequences of the occurrence.

RUP: An ongoing or upcoming concern that has a significant probability of adversely affecting the success of major milestones.

Notice that all definitions focus on impacts on the successful delivery of a project. This definition may not be entirely relevant to the business world. For a real-life project, anything that can jeopardize the organization, stakeholders, or even the project manager herself, should be considered a risk. The project itself is just a means to an end - the ultimate business objectives of the project, which are usually some tangible/intangible benefits to the organization or a group of stakeholders. If something bad may happen to them as a direct or indirect result of the project, it is to be considered a risk and be properly managed.

Common Logic of Formal Risk Methods

All formal methods follow more or less the same logic.

Step 1: Identify risks
Step 2: Analyze risks (can be both qualitative and quantitative)
Step 3: Plan risk responses
Step 4: Monitor and control risks

In the next article, we will continue to explore formal methods for handling project risks. Some of their drawbacks and practicalities in the real world will also be discussed.

To be continued...


Monday, June 16, 2008

Risk Management in Daily Life (2)

In our last article, we discussed two daily life scenarios where you can apply some risk management techniques. This time we continue with two more life situations.

Scenario 3: Finding a new job

You have worked in your company for 5 years. You are an above average performer and the average rate of salary increase over the past 3 years is 10%. Last year’s salary increase is only 8%.

A company has just offered you a new job and a salary increase of 30%.

Would you take the job offer? Analyze the risks and impacts and justify your decision.

It's tempting to take the new job. After all there would be nothing to lose with a 30% salary increase, right? Wrong. A more proper analysis is to perform a decision tree analysis using EMV, and extend the time horizon to at least three years.

On one side of the tree you should consider the total salary income for the next three years if you stay in your current company. Your past performance and credentials should be taken into consideration.

On the other side, the total salary income for the new job over the next three years should be calculated. Remember to consider the scenario, no matter how unlikely it looks, in which you would be let go in 6 to 12 months (risk of new job or sudden economic downturn). Note also that there may not be a significant salary increase in the next one or two years because you are new to the company and have not built up many credentials yet.

Try to compare the total earnings and career prospects in the next three years.
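The decision tree described above, written out as an added example that is not part of the original post. The current salary is normalised to 100, and every probability, the raise rates at the new company and the layoff path (let go after 9 months, 6 months without pay, then rehired at the old salary) are assumptions chosen for illustration; only the 10%, 8% and 30% figures and the three-year horizon come from the scenario.

```python
# Added worked example, not from the original post. All probabilities and
# the details of each branch are assumptions; salary is normalised to 100.

HORIZON_YEARS = 3

def total_pay(start, raises):
    """Pay over the horizon: `start` in year 1, one raise before each later year."""
    total, salary = start, start
    for r in raises:
        salary *= 1 + r
        total += salary
    return total

def layoff_path(new_salary, months_worked, months_idle, fallback_salary):
    """Pay if let go after `months_worked`, idle, then rehired at the fallback salary."""
    months_fallback = 12 * HORIZON_YEARS - months_worked - months_idle
    return (new_salary * months_worked + fallback_salary * months_fallback) / 12

def emv(branches):
    """Expected value of a chance node given (probability, payoff) branches."""
    if abs(sum(p for p, _ in branches) - 1.0) > 1e-9:
        raise ValueError("branch probabilities must sum to 1")
    return sum(p * v for p, v in branches)

def compare(p_layoff=0.25):
    """Return (EMV of staying, EMV of moving, break-even layoff probability)."""
    # Stay: assumed 70% chance raises return to the 10% average, 30% they stay at 8%.
    stay = emv([(0.7, total_pay(100, [0.10, 0.10])),
                (0.3, total_pay(100, [0.08, 0.08]))])
    # Move: 30% jump, then small raises while still new (assumed 3% and 5%).
    kept = total_pay(130, [0.03, 0.05])
    lost = layoff_path(130, months_worked=9, months_idle=6, fallback_salary=100)
    move = emv([(1 - p_layoff, kept), (p_layoff, lost)])
    # Layoff probability at which moving and staying have the same EMV.
    breakeven = (kept - stay) / (kept - lost)
    return stay, move, breakeven

if __name__ == "__main__":
    stay, move, breakeven = compare()
    print(f"Stay EMV: {stay:.1f}  Move EMV: {move:.1f}")
    print(f"Moving stops paying off once P(layoff) exceeds {breakeven:.0%}")
```

The break-even figure is the useful output: it turns the question from "is 30% more money good?" into "how likely does losing the new job have to be before staying wins?", which can then be weighed against the non-salary factors.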

In my opinion the fastest move in one's career is usually within the same company. If you consider yourself a top performer in a company, it's exactly the place where you want to be to propel up the career ladder. That is if your company is in good shape and growing.

Scenario 4: Buying a new apartment

Your family (you, your spouse, and two kids) is now living in a rented apartment. The rental amounts to 20% of your total monthly family income.

You are considering buying a new apartment of similar size in a nearby building. You figure that you have to use all your savings as down payment, and 30% of your total monthly family income will go to mortgage payment assuming a 20-year mortgage is secured.

Would you buy or not buy the new apartment? Justify your decision by analyzing the risks and impacts.

There are several things to consider:
  • Rental may go up. This should be compared with the probability of interest rate going up. Both affect your future monthly payment depending on whether you rent or buy.
  • Housing market may go up, remain steady, or go down. This affects your ability to get out in case you need to sell. If the price goes up or remains steady, the amount received is higher than the remaining mortgage, and you have no trouble. In the late '90s and early 2000s, many people in Hong Kong were trapped in 'negative equity' as prices had dropped significantly. When they sold their apartment they needed to pay the difference between the outstanding mortgage and the selling price.
  • What is your family's future income stream going to be like? What if one of the breadwinners loses their job? Or has an accident that impairs your earning power? Can you still afford the mortgage payment? Do you have sufficient cash to sustain your current standard of living for at least 6 months should anyone in your family lose their job?
Our conclusion is there is risk in everything. If there are risks in everyday life events there are definitely risks in a corporate environment where projects are performed. As the famous Charles Tremper once said: "The first step in the risk management process is to acknowledge the reality of risk."


Next we will examine risk management in a corporate environment.


To be continued...



Thursday, June 5, 2008

Risk Management in Daily Life (1)

Before I venture into the use of risk management practice in a corporate environment, let's first look at how people manage risk in their daily life.

Scenario 1: Crossing a Road with No Traffic Light

Where would you cross the road? A? B? or C?

You typically make a decision based on weighing its benefits and risks.

Let's consider A. The obvious benefit is you gain at least 15 seconds compared to other options. Unfortunately the risk of being knocked over by the intimidating fire truck cannot be under-estimated, particularly as the driver is sitting above ground level and concentrating on cars coming from the right. Given that the impact is quite severe as well, you must be a real risk taker if you choose A. Some people will label you as 'reckless' too.

What about C? It seems to be the safest option. The driver is at ground level. It has stopped for the traffic. On the negative side, you lose some time (perhaps less than 30 seconds). Since the traffic is moving, by the time you reach C, the car may have moved forward too, hence you may even lose more time.

A more reasonable option is B. You have a good chance of reaching point B before the road condition changes. Even if it has changed you'd still be able to cross the road since it'll take some time for a fire truck to start moving. You'd save some time too by crossing the road at B instead of C. However I think both B and C are reasonable options, depending on your appetite for risk.

A final option is to stand still and wait for the traffic to subside. You may be surprised but this could be the most time saving and life saving option, balancing all the benefits, costs, and risks.


Scenario 2: Investing in Stock Market

You have saved $50,000 and want to invest in the stock market. The benchmark index has dropped 20% from its historical peak. 70% of the stock analysts predict it would rebound by 10% in the next 3 months.

However the remaining 30% of stock analysts forecast that the benchmark index would further fall by as much as 30% in the next 6 months.

Will you buy stocks now?

There are two things you have to consider:

(1) In risk management there is an Expected Monetary Value (EMV) concept. EMV is calculated by multiplying the probability of a risk by its impact, typically quantified in $ value or %. Let's apply the calculation to the above scenario.

Upside EMV = 0.7 x 0.1 = 7%
Downside EMV = 0.3 x 0.3 = 9%

If we use EMV alone to make a decision, it'll be a not-invest.

(2) The second concept in risk management is even more important. What if the market suddenly falls by 30%, 40%, 50% or more? Do you have holding power? Many people lose their shirts because they need the money one month or two months later, and they have to sell at a deep loss. The same concept applies to any decision that could have a severe negative consequence, no matter how unlikely it first seems. For example, if you are going to launch an initiative for your company that, if it turns sour, could lead to really poor publicity, our advice is think twice. Many executives lost their jobs in the past because of exactly such actions which were deemed 'low risk' in the first place.

Going back to our stock market decision, the more reasonable option is not to invest.


To be continued...
