Risk management is a project management process that helps defend against the potential damaging events. Risk management also helps you identify opportunities for your project. This aspect is an important one in risk planning since a lot of people focus on the negative aspects of risks. Although doing something innovative or new with your project could be a risk if it doesn’t work properly, your organization may ultimately revolutionize technology that leads to far more profit or opportunity than expected. In order to manage risk management activities, you need to create a plan. This plan describes the strategy you will use for your project in relation to risk. It describes how much time you will spend, how your team will work on risk, the measurements you will use to describe risk, and why you are taking the time to manage risk.
The major steps of risk management are:
Creating a risk management plan (RMP).
Identifying risks.
Analyzing risks.
Creating a risk response plan.
Monitoring and controlling risks throughout the project.
Elements of the RMP
An RMP should contain at least the following eight elements that will help your project team members understand how they need to manage risk.
Methodology Describes how you will manage risk management. Your team and stakeholders need to understand the purpose and objectives of the risk management strategy. What are the processes the team will follow to perform risk management? What kind of analysis will you use for your risks? Will you hire consultants? Will you use expert judgment, or will you use sensitivity analysis? Will you keep it simple, or due to the complexity of your project, will you need to put a lot of time and expertise into managing risk, including bringing in outside consultants or the organization’s risk management experts? In this section, you will describe in detail how you are going to manage risk and why.
Roles and responsibilities Describes who will be in charge of the risk management plan, and who will be in charge of risk management responses. This step identifies the overall management team (such as the project manager or independent facilitator being the lead), and who will analyze the risks and implement risk response plans if a negative or positive risk event occurs. This responsible party is often a functional manager, or someone who understands the risk well, who has the subject matter expertise, or who has the authority to be able to gather the resources to analyze and respond appropriately and quickly.
Budgeting Describes how much the risk management process costs. If you are going to hire a risk management expert and have her or him manage the process and have meetings every two weeks, that will cost something toward project management processes. The project may simply by complex enough to warrant a larger budget. In small projects, the risk process might be a part of the weekly status meeting, and the project manager ensures that risk discussions continue regularly in the project team meetings. The budget would be small, but appropriately relative to the complexity of the project.
Timing Describe how often the risk management processes will occur on the project. This may also reflect different timing for different phases in the project. For instance, you might meet once a week during the concept phase, once a week during the design phase, and twice a week during the implementation phase. You might also plan some kind of independent Risk Identification to be performed early in the design phase.
Scoring and interpretation How will you rate and react to risks you identify? You will come up with a method to rate the probability of a risk occurring, and the impact it will have on the project. This process has to be done before you actually start identifying and rating the risks on your project. Completing this step ensures that your team has a consistent understanding so when the rating processes occurs you are not debating how you will score risks while you are in the midst of the process itself.
Describe thresholds Defines which risks will be addressed. You could have a big list of risks. You cannot work on all of them, or your budget would be astronomical. This process describes the thresholds of risks you will work on. For instance, you might work on all risks that have a greater than 50 percent probability of occurring. Or ones that have a combined probability and impact of greater than .25 rating. You would possibly base this on your organization or stakeholder tolerance for risk.
Reporting formats Describes your Risk Identification and response reporting and how you will communicate risk processes and results to your stakeholders. You will see more about formats in Exercise 7.7 when you create a risk response plan. This step might also include describing risk performance reporting and its processes for your executives. You may have one format for your team, and another format for executives.
Tracking Describes the process for how you will track your project’s risks. You might describe your risk management database that will store and track risks. You will also record the benefit of risk management results for lessons learned.
Once you understand the components of a risk management plan, you should be ready to learn the steps involved with creating a risk management plan.
Creating a Risk Management Plan (RMP)
In risk management, you will hear the term “risk response plan,” which is how you plan to actually respond to particular risks. However, a risk management plan is a road map for how you and your team will deal with risk processes and how you plan to analyze and manage risks. The two are vastly different kinds of plans but both are important outputs of the risk management process. Following are the steps you’ll need to take to create a risk management plan.
Decide on and document your processes and strategy for risk management based on the following questions. Is it new technology? Is it extremely difficult or financially risky? Is it a large project? Is the customer extremely “finicky?” Create a methodology around risk to match the complexity of the project. Don’t forget to see if your organization already has risk management processes, guidelines, or expertise.
Create a risk management team.
Get input from the team and stakeholders and other risk management experts about best practices and how they would like to see risk managed on the project.
Assign risk management roles and responsibilities. You will select leads for each risk, and it is often best to pick a functional manager, or someone with expertise that could help analyze a risk, then put a plan in place to take care of the risk. Create a roles and responsibilities matrix for risk and include it in the plan. The following table provides an example of a risk roles and responsibilities matrix.
The major steps of risk management are:
Creating a risk management plan (RMP).
Identifying risks.
Analyzing risks.
Creating a risk response plan.
Monitoring and controlling risks throughout the project.
Elements of the RMP
An RMP should contain at least the following eight elements that will help your project team members understand how they need to manage risk.
Methodology Describes how you will manage risk management. Your team and stakeholders need to understand the purpose and objectives of the risk management strategy. What are the processes the team will follow to perform risk management? What kind of analysis will you use for your risks? Will you hire consultants? Will you use expert judgment, or will you use sensitivity analysis? Will you keep it simple, or due to the complexity of your project, will you need to put a lot of time and expertise into managing risk, including bringing in outside consultants or the organization’s risk management experts? In this section, you will describe in detail how you are going to manage risk and why.
Roles and responsibilities Describes who will be in charge of the risk management plan, and who will be in charge of risk management responses. This step identifies the overall management team (such as the project manager or independent facilitator being the lead), and who will analyze the risks and implement risk response plans if a negative or positive risk event occurs. This responsible party is often a functional manager, or someone who understands the risk well, who has the subject matter expertise, or who has the authority to be able to gather the resources to analyze and respond appropriately and quickly.
Budgeting Describes how much the risk management process costs. If you are going to hire a risk management expert and have her or him manage the process and have meetings every two weeks, that will cost something toward project management processes. The project may simply by complex enough to warrant a larger budget. In small projects, the risk process might be a part of the weekly status meeting, and the project manager ensures that risk discussions continue regularly in the project team meetings. The budget would be small, but appropriately relative to the complexity of the project.
Timing Describe how often the risk management processes will occur on the project. This may also reflect different timing for different phases in the project. For instance, you might meet once a week during the concept phase, once a week during the design phase, and twice a week during the implementation phase. You might also plan some kind of independent Risk Identification to be performed early in the design phase.
Scoring and interpretation How will you rate and react to risks you identify? You will come up with a method to rate the probability of a risk occurring, and the impact it will have on the project. This process has to be done before you actually start identifying and rating the risks on your project. Completing this step ensures that your team has a consistent understanding so when the rating processes occurs you are not debating how you will score risks while you are in the midst of the process itself.
Describe thresholds Defines which risks will be addressed. You could have a big list of risks. You cannot work on all of them, or your budget would be astronomical. This process describes the thresholds of risks you will work on. For instance, you might work on all risks that have a greater than 50 percent probability of occurring. Or ones that have a combined probability and impact of greater than .25 rating. You would possibly base this on your organization or stakeholder tolerance for risk.
Reporting formats Describes your Risk Identification and response reporting and how you will communicate risk processes and results to your stakeholders. You will see more about formats in Exercise 7.7 when you create a risk response plan. This step might also include describing risk performance reporting and its processes for your executives. You may have one format for your team, and another format for executives.
Tracking Describes the process for how you will track your project’s risks. You might describe your risk management database that will store and track risks. You will also record the benefit of risk management results for lessons learned.
Once you understand the components of a risk management plan, you should be ready to learn the steps involved with creating a risk management plan.
Creating a Risk Management Plan (RMP)
In risk management, you will hear the term “risk response plan,” which is how you plan to actually respond to particular risks. However, a risk management plan is a road map for how you and your team will deal with risk processes and how you plan to analyze and manage risks. The two are vastly different kinds of plans but both are important outputs of the risk management process. Following are the steps you’ll need to take to create a risk management plan.
Decide on and document your processes and strategy for risk management based on the following questions. Is it new technology? Is it extremely difficult or financially risky? Is it a large project? Is the customer extremely “finicky?” Create a methodology around risk to match the complexity of the project. Don’t forget to see if your organization already has risk management processes, guidelines, or expertise.
Create a risk management team.
Get input from the team and stakeholders and other risk management experts about best practices and how they would like to see risk managed on the project.
Assign risk management roles and responsibilities. You will select leads for each risk, and it is often best to pick a functional manager, or someone with expertise that could help analyze a risk, then put a plan in place to take care of the risk. Create a roles and responsibilities matrix for risk and include it in the plan. The following table provides an example of a risk roles and responsibilities matrix.
Scenario of Risk Management Plan
TPMP is helping Mountain Communications (MC), a well-established telecommunications company, create risk management processes. One of your first assignments is to create risk planning for a project that is replacing two old systems with newer systems to reflect modern technological advances. The old systems will need to continue functioning while data is converted. The new systems are provided by a vendor who is asking MC to be one of the first companies to implement them. The MC company has decided to use a gateway program, which will convert the old data into the formats of the new systems. The company has decided to create this program itself, although several are available on the market. The program is critical to both conversion efforts, and a plan has been created for a phased conversion—the data will not be converted all at once—MC has been able to segment the data to be converted over the next couple of years. The project has around 100 people working on the conversion and implementation of the new systems. Some of the team members are the program manager, Tasha Smith (whom you are advising to establish the risk management processes); the production manager who is responsible for the current systems and will take over the new systems; a development manager responsible for the gateway program; another development manager responsible for implementing the new systems and managing the conversion plan; the client who will need to maintain current service while the new systems are converted; and the vendor who is helping to implement both systems.
TPMP is helping Mountain Communications (MC), a well-established telecommunications company, create risk management processes. One of your first assignments is to create risk planning for a project that is replacing two old systems with newer systems to reflect modern technological advances. The old systems will need to continue functioning while data is converted. The new systems are provided by a vendor who is asking MC to be one of the first companies to implement them. The MC company has decided to use a gateway program, which will convert the old data into the formats of the new systems. The company has decided to create this program itself, although several are available on the market. The program is critical to both conversion efforts, and a plan has been created for a phased conversion—the data will not be converted all at once—MC has been able to segment the data to be converted over the next couple of years. The project has around 100 people working on the conversion and implementation of the new systems. Some of the team members are the program manager, Tasha Smith (whom you are advising to establish the risk management processes); the production manager who is responsible for the current systems and will take over the new systems; a development manager responsible for the gateway program; another development manager responsible for implementing the new systems and managing the conversion plan; the client who will need to maintain current service while the new systems are converted; and the vendor who is helping to implement both systems.