Thursday, October 4, 2012

Risk on Projects


Risk

A risk is simply something that can go wrong (and something usually does on projects), that keeps you from achieving project success.  Of course there are things that can occur that are positive, which can also be referred to as risks.  We will focus on those risks that have a potential negative impact on your project.  Risk management is a discipline that allows you to increase your chances of success by planning how to identify and reduce the likelihood of risks occurring; risk management also helps you identify how to minimize the consequences of the risk if they do occur– in spite of your planning efforts. 

How is it created? 
Risks fall into three categories on a project: scope, resource and schedule.  In the categories of scope and resource risks, innovation is a major risk factor. Any time the project team, the organization or the external stakeholder ventures into unknown terrain or looks to make a significant change to how things are currently being done, the risk factors multiply. The less experience you have with a certain type of application or technology and the more change you try to make to an organization, the likelier you are to run into trouble.

The second most likely set of risk factors is associated with complexity. Complexity introduces relationships among parts of the project, so that there are more dependencies. If something goes wrong in one area, it is more likely to affect some other area. Complexity also often increases project size, since there are more things to be done. And sheer size is a risk factor, because the difficulty of communicating among team members and with stakeholder grows geometrically. Finally, complexity is often associated with lack of experience. Just as, according to Tolstoy, all happy families are alike, but each unhappy family is unhappy in its own particular way, so all simple systems resemble each other, but each complex system is complex in its own unique way. And lack of experience has the same consequences as innovations.

Finally, there are risks that do not vary much from project to project: a fire destroying the developers’ workspace; a key team member is injured and hospitalized; the company is taken over and the new management must be brought up to date before the project is allowed to continue; the sponsor or the organization’s management is indecisive and stakeholders keep changing their minds...  


Once you have identified and assessed the risks on your project, you can start planning how to address them. There are two things you can do to improve the situation: risk reduction, decreasing the probability of a risk materializing, and risk mitigation, decreasing its consequences, should it materialize.

Once you have identified and assessed the risks on your project, you can start planning how to address them. There are two things you can do to improve the situation: risk reduction, decreasing the probability of a risk materializing, and risk mitigation, decreasing its consequences, should it materialize.

Risk Reduction
To reduce risks, you can use several approaches:
  • Create an awareness of the risk among your team members and the project stakeholders: “forewarned is forearmed.” For example, you might point out that computers do crash and that it is prudent to save your work from time to time when you are engaged in a long-lasting task.
  • Create a specific process to reduce risk. For instance, you may have found in the past that there is a risk of system testing being incomplete (causing defects to slip through) unless you include user representatives in test planning. You would then, as a minimum, require sign-off by a user before the test plan is declared complete.
  • Invest resources in risk prevention. For instance, you could have the organization install fire extinguishers. A more relevant example is to install a good computer backup system, which will reduce the risk of losing completed work and also reduce the risks associated with system modifications.

Risk Mitigation
Risk mitigation is how you plan to minimize the impact if any of the risk factors that you have identified should materialize. You will never be able to reduce the risks to a point where it is guaranteed that nothing wrong will happen: at some time, some risk will materialize. (This is popularly known as “Murphy’s Law.”

The two main approaches to risk mitigation are early detection – finding out that an incident has happened before the consequences have had time to spread – and contingency planning. Contingency planning consists in figuring out beforehand how to handle a crisis and setting apart resources to deal with it. For example, you might have a succession plan for key personnel, so that if someone falls sick, you can quickly get a replacement (for example, from a temporary work agency). In all cases, you need to set aside a contingency in both the project budget and the schedule. The contingency does not need to cover the sum of all possible risks, since only a small number of risks are likely to materialize. The most important thing about the contingency is that it is a reserve for the entire project based on the likelihood and impact of the risks identified, not a reserve that you build into each individual activity. If you did, you would soon find that team members would treat the contingency as an addition to the estimated time to complete the task, and they would therefore gradually consume the whole contingency without any risk actually having occurred.

Of course, if the consequences of a risk happening are so minor that they won’t affect cost, schedule, scope or quality, you can remove the risk from your risk management plan.

Risk Management Plan
A risk management plan consolidates in a single document all of the work of identifying, reducing and mitigating risks. The list below was developed for our sample project and represents a typical example of risks on a fairly small project to implement a new system.