Wednesday, June 25, 2008

Formal Risk Management Methods (2)

In our last article, we discussed the basic framework shared by all formal project risk management methodologies. They basically follow a life cycle of Identification -> Analysis -> Response Planning -> Monitoring and Controlling. Below we discuss some common techniques used throughout this cycle.

Risk Identification

Document review is a common technique for identifying risks at the early stage of a project. Reviewing the project plan, schedule, WBS, resource plan, cost budget, quality plan and so on can generate useful ideas about where the risks lie.

Other meeting-based risk identification tools include interviews, brainstorming, and the Delphi technique. Interviewing is very common in real life. A project manager would try to gather as much information about the project as possible by talking to other project managers, the customer, other team members, internal units, vendors or anyone else who would be involved in the project. Risks would be identified along the way.

Risk Analysis

There are basically three elements of risks - Event, Probability, and Impact.
















The above framework is very popular in analyzing risks and their associated priority. There are many variations depending on the level of granularity required. In my opinion, however, a 3x3 table is sufficient for most purposes. I've seen companies using a 7x5 or 7x7 scale. There is a false sense of accuracy when people are using a more granular scale. However, bear in mind that any estimate of the probability and impact of a risk, especially probability, is only an 'educated guess', and may deviate from the true picture by a wide margin. So what is the point of using a seemingly fine and accurate scale? Garbage in, garbage out, right?

Risk Response

The risk response strategies of different formal methods are surprisingly, or shall we say unsurprisingly, similar. For example, PMBOK, published by PMI, lists four strategies for negative risks or threats: Avoid, Transfer, Mitigate, Accept. In NIST 800-30, they are Assumption (a form of Acceptance), Avoidance, Limitation (similar to Mitigation), Planning, Research & Acknowledgement, and Transference. For the Risk Management Standard published by IRM, AIRMIC and ALARM in the UK, the risk treatment approaches are Control, Mitigation, Avoidance, Transfer and Financing. You can see they refer more or less to the same set of strategies, and stay at a high level without going into detail about how you can apply them in real life.

Risk Monitoring

Again, the formal methods lack in-depth guidance here. Most of them ask you to keep monitoring the status of existing identified risks, and to take heed of any possible new risks. Should any risks materialize even after mitigation or limitation measures have been applied, the pre-meditated contingency plan should be carried out.

One tool that is useful for keeping track of risks, as well as for communication with stakeholders, is the Risk Register. It's basically a list of identified risks with corresponding attributes such as Category, Probability, Impact Level, Impacts (qualitative analysis such as a scenario, or quantified measures such as financial loss), Proposed Action, Owner, and so on.













A Critique of Formal Methods

Formal methods share the following characteristics:
  • Risk-by-risk approach
  • Emphasis on proactive and preventive planning
  • Regular formal meetings for monitoring and review, likely at different levels
  • Formal documentation and reporting (risk register/risk log, risk report)

There are a few observations about the limitations of formal Risk Management methods:
  1. Definition of Risk too narrow - All focus on the success of the project, instead of expanding the definition to include impacts on the organization and stakeholders involved.
  2. Highly dependent on organization culture, formal structures and processes - If the organization or client does not support these methods, there is no way a project manager can apply them.
  3. Heavy on planning, light on follow-up action - As with any existing methodology, the processes, tools and techniques included for Risk Planning are the best written and provide the most insights. Comparatively, the Control & Monitoring section is rather weak and lacking in detail.
  4. Difficult to quantify probability and impact, hence risk level is only an educated guess.
  5. Show me the money! Is it more expensive to apply formal risk methods, in particular for small or medium projects, than to simply take a reactive approach?

Next, we'll share with you insights provided by a research paper on Project Risk Management done in Hong Kong.

To be continued...

Copyright 2008 Knowledge Century Limited.
