In my previous blogs, I describe the framework around how to manage a project, the process groups and we have discussed the knowledge areas from Scope to Communication. Next on the list is Risk.
Risk is inherent in life and projects are no exception. Evolution has hard-coded a level of risk avoidance and acceptance into all of us, but it does a poor job of estimating the impact of those risks. We get caught up on risks that are unimportant whilst ignoring the killer risk lurking in plain sight. We need a method to identify those risks and analyse their real impact. In my previous blogs, I’ve steered away from going into depth with the PMI’s 47 processes that form part of the knowledge areas. However, in this case, I’m going to make an exception as there are 3 processes which we can perform sequentially to really solve the problem of risk impact.
The first process is to think about what risks can affect our project. Now, the most important advice I can give you with respect to risk identification is that it should be performed as a team and not just by the select few i.e. the project manager. Get the whole team into the same room (this might be difficult but try) and get them to think about what could go wrong with the project.
I use the following methods to identify risks:
- - By the gathering of information. For example, brainstorm the possible risks on a whiteboard, or ask the stakeholders what they are concerned about, or look at the lessons learned from previous projects and conduct a root cause analysis to understand what happened
- - By looking at the quality checklists. What must you deliver for the project and what could go wrong with that delivery?
- - By encouraging assumptions to be communicated: Assumptions are dangerous as people aren’t aware they are making them and often they are not then communicated. Encourage the assumptions to be presented and discussed. They will often be true to a point, but the remainder is a risk.
- - Consider your strengths and weaknesses. Where are your opportunities and threats? This is a SWOT analysis
- - Finally, the grand catch all of project management techniques – Expert Judgement. Are there experts in the company who have done this before? Speak to them, they will often advise on what common risks they have encountered
I should point out that risks will change over time, some will disappear, and new ones will be created. Therefore, this needs to be a repeated process.
Once we have identified all the risks it is now time to analyse them. This is often a two-step process, the first step being a qualitative analysis. What this means is a low-effort analysis to order the risks into a list in terms of how painful they could be. As it’s low effort we can perform it on all the identified risks. We characterise the risks based on two criteria. The probability, or the likelihood that it is going to happen and the impact, or how bad it could be.
Probability should be self-evident but here's a way to estimate the impact. Remember this is low-effort at this point so we shouldn’t be doing detailed analysis, just a gut-feel.
Say we have a late in-feed of a customer delivery. This will risk the schedule being delayed by up to 20%. Clearly this is a schedule risk. Cost could also be affected but schedule is the primary constraint. Looking across the table on the Time row until we get to the 5th column where the description matches the expected delay of up to 20%. The heading for this column is High which has a value of 0.40. This is our impact.
We’ll want to report these risks to our stakeholders, but we don’t want to report them all. Therefore, we need to define which risks are low, medium or high. On my projects, I use the following table, a probability / impact matrix. Probability values on the left and impact values on the top. The values in the centre are the grade which is probability multiplied by impact. You can see that anything above 0.05 is a yellow or medium risk. Anything above 0.14 is a red or high risk. As a project manager, I would be keeping my stakeholders aware of any high risks. I would be keeping a close eye on those medium risks but a much less frequent eye on those low risks.
The second part of our two-step risk analysis is the quantitative analysis. This is a high effort assessment to really pin down the probability of the risk occurring and the impact it will have. It’s high effort and therefore high cost so we only want to do this on a select few risks that we feel are critical. Depending on the size of the project, we may choose to not do it at all but in case you do, here are a few techniques:
Interviewing – Talk to a range of stakeholders, get them to give you their pessimistic, most likely and optimistic view of the risk probability
Sensitivity analysis – Used to assess the risk’s impact. One technique is to use a tornado diagram. It examines the extent to which the uncertainty of each project element affects the objective being studied when all other uncertain elements are held constant.
Expected monetary value analysis – We model the expected outcome when the future includes scenarios which may or may not happen.
Modelling and simulation – Here we simulate the risk happening. For example, if the customer in-feed is late how does that ripple through your schedule?
This is an insight into the knowledge area of Risk. We have outlined a three-step process for identifying which risks are present and how they will affect our project. From this we can mitigate or remove the risks and increase the likelihood of the project being a success. In the next blog, I will continue our examination of the knowledge areas with the Procurement knowledge area.
Andrew Miles PMP
Andrew Miles is a physical implementation engineer turned project manager. He is PMP certified and has led many projects for a number of tier one companies. He helps to run the Sondrel Project Management Office (PMO). If you'd like to know how Sondrel's project managers can help your project then please contact firstname.lastname@example.org