Project managers often skip the risk management process because the sponsor wants them to start quickly without wasting time on "useless paperwork" like risk management. This dooms the PM to non-stop firefighting for the life of the project. Even on a small project we can undertake a simple risk assessment process, investing as little as an hour and possibly saving days of lost time. That's why we use three tiers of project management techniques, so we can match them to the scale and significance of the project. Examples of these three tiers are:
- A project done within a department or small company where the PM and team all report to the project sponsor
- A cross-functional project which affects multiple departments in the same organization
- A strategic initiative or consulting engagement that includes both technical expertise and project management services for an outside client or customer.
We can begin very simply with identifying risk events and doing a "fast and dirty" qualitative assessment of the risk's effects.
Risk Analysis Template
Below is a risk template from our AdPM™ Methodology which we use for risk analysis on small projects where it is not reasonable to take much time. We may assemble a few stakeholders and the sponsor for a short meeting or go to lunch and complete the whole process.
- Identify the risks that threaten delivering the scope on time
- Qualitatively assess the probability of the risk occurring
- Qualitatively assess the magnitude of the impact if the risk occurs
- Select the most significant risks
- Plan how to avoid them or minimize the damage if we can’t avoid them
We might use the template below to record the results.
| Risk event | Probability of Occurrence | Magnitude of Impact | Risk Response |
|---|---|---|---|
| Name | Medium / High | Low / Medium / High | No Action / Type of Action |
In risk identification, we are simply looking to harvest as many risks as we can without making judgments about their significance. When we have the list of risks, we're ready to begin qualitative risk analysis where we focus on assessing the significance of each risk using relatively quick and inexpensive techniques. Specifically, we are assessing the likelihood a risk will occur and the impact (cost and time) if it does occur. We use these assessments to prioritize our risks in terms of their significance.
For our in-department project, risk identification and qualitative analysis are all we’ll do before planning our risk responses. On the cross-functional and consulting projects, we’ll use qualitative analysis as a screening tool before applying more sophisticated quantitative analyses. Let’s start with our in-department project.
Tier #1: In-department Risk Management Plan
- The PM and two team members spend 30 minutes on risk identification with a limit of 7 risks in two risk categories that threaten project success.
- The PM and two team members spend 30 minutes on qualitative/subjective risk analysis as the only support for the risk response plan. The project’s scale does not warrant the cost or time for quantitative analysis. The two members of the team and the project sponsor will subjectively set the impact and likelihood values for our risk and impact analysis.
- The PM and sponsor will agree on the risk response plan in 30 minutes.
Let's look in on how the process would work.
The PM and the two team members take a short lunch and talk about the risk events that could cause them to fail to deliver the project scope and then about events that would affect finishing on time. They return with a list of 7 risks to consider. Six are negative risk events and the last is a positive risk event. It would let them finish a week early.
After they’ve completed the risk identification, the PM and the two members of the team go to the PM's cubicle. The PM smiles at them and says, “We’re a third done. Now let's spend about 30 minutes analyzing the risks we identified. Here’s a form we’ll use to get everyone’s assessment of the risks we face on the project. We want to describe each risk in terms of two separate dimensions: the probability or likelihood of the risk event occurring and the impact it will have on the project if it occurs. We’ll use a simple scale with three choices for probability and for impact: low, meaning very unlikely to occur or a small impact; high, meaning very likely to occur or a large impact; and medium, which is between those two extremes.”
Probability/Impact Estimating Form
| Identified Risk Events | Risk Probability (low, medium or high) | Risk Impact (low, medium or high) |
|---|---|---|
| 1-Customers will not utilize the new procedure for trouble reports | | |
| 2-Turnover among our problem-solvers increases because of the need to provide 24/7 coverage | | |
| 3-A decrease in quality on new products or services increases the number of trouble reports more than 10% above the present level | | |
Following the risk assessment, the project manager charted the results and displayed the simple grid for the group.
P/I Results
Probability (rows) against Magnitude (columns: Low, Medium, High)
- High probability: Trouble Reports increase; Don’t use new procedure
- Medium probability: (no risks)
- Low probability: Turnover increases; Delay in schedule
Then the PM says, “We all seem to agree that while we have several risks, only one risk has both a high probability and a high magnitude and that's the risk of customers not using the new procedure.”
The boss says, “I thought this risk stuff was going to be a waste of time, but I’m already thinking of things we can do to educate the customers about the new procedures because that is one problem I would not want to hear at the end of the project.”
Now, our in-department project manager is ready to move on to risk response planning. Having engaged the sponsor and team on the risks, they can next accomplish the aim of risk management which is to take action before risks occur. That doesn’t require fancy or sophisticated risk management, just an effective process.
Tier #2: Cross-Functional Risk Management Plan
Project Situation:
- The risk management plan calls for using qualitative risk assessment as a screening tool for quantitative analysis. It’s anticipated that a dozen or more risks will then be put through an intensive quantitative analysis.
- Qualitative risk assessment is being performed by three committees, each of which is focusing on a particular category of risk within the categories supplied by the organization.
- A final determination about which risks are passed on to quantitative analysis is made by the risk steering committee, made up of the sponsor, senior management and the project manager.
Our cross-functional project manager distributes the qualitative risk assessment form to each of the three risk committees for use in assessing the risks facing the project. Since the team members are quite familiar with estimating probabilities and magnitudes, the project manager used a 1-10 scale for the estimates. The first page of one committee’s form is below:
Probability/Impact Estimates with Numbers
| Identified Risks | Probability | Impact |
|---|---|---|
| Risk | Probability of the risk event occurring | Impact if the risk does occur |
| 1-Customers will not utilize the new procedure | | |
| 2-Turnover among our problem-solvers increases because of the need to provide 24/7 coverage | | |
| 3-A decrease in quality on new products or services increases the number of trouble reports more than 10% above the present level | | |
| 4-Equipment downtime makes the new trouble report service unreliable for our customers | | |
| 5-Delay in the project schedule causes customers to go to our competitors | | |
Then the project manager gave the committee leaders their instructions, "What we're going to do here is each person will make an independent judgment as to the probability of each of our risk events occurring and the impact on the project if they do. We’ll use a 1 to 10 scale for each assessment. So if a risk event is very likely to occur you should give it a 9 or even a 10. For a risk event that is very unlikely, give it a score of 1 or 2. We will do the same thing on the impact. When you come to that decision, forget the probability of the risk event occurring. Simply assess how big an impact it will have. If its impact will bury the project and do us irreparable harm, you should score it a 10. If a risk event has minimal impact on the project, give it a 1 or 2.”
One of the team members said, "Aren't we going to discuss each risk first?"
The project manager answered, "No, I think it's best if each person gives their assessment without being influenced by the others. Remember that we have people whose immediate superior is on the same committee. If people reveal their opinions before we each score the risks, the manager's opinion may count for too much. Let’s have everyone make a judgment without knowing what the managers think. We may get better information with independent judgments and avoid some of the politics. For that same reason, we'll keep the ballots anonymous; you’ll notice there is no place to fill in a name."
A few days later, the project manager gathered the completed forms and tabulated the data into a spreadsheet designed just for this purpose. The result was a table of data values and a graph for each of the committees.
Probability and Impact for 5 Risks

Our cross-functional project manager took the data and recommendations from each of the committees to the risk management committee made up of the sponsor and an executive vice president. The project manager selected one or two risks from each committee’s qualitative analysis and recommended that a quantitative analysis be conducted. As three of the risks on the chart above had probabilities and impacts above eight, the committee decided that all three warranted quantitative analysis. They were particularly concerned about the risk of customers not using the new trouble report procedure. They asked the project manager exactly what they would get from this quantitative analysis.
The project manager said, "We will start with an influence diagram we developed during risk identification. Then we’ll gather some opinions from industry experts and build a decision network to analyze where we can have our biggest influence in avoiding that risk."
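The tabulation and screening step described above, as an added example that is not part of the original article or its methodology: it averages anonymous 1-10 ballots per risk, skips blank or off-scale entries, and passes on the risks that average above eight on both dimensions. The ballot values, the risk ids and the function names are constructed for illustration.

```python
from statistics import mean

SCALE = range(1, 11)  # the 1-10 scale the project manager asked for
CUTOFF = 8            # "above eight" on both probability and impact

# Constructed sample: four anonymous ballots, each mapping a risk id
# (1-5, as numbered on the committee form) to (probability, impact).
BALLOTS = [
    {1: (9, 9), 2: (3, 5), 3: (9, 4), 4: (9, 9), 5: (8, 10)},
    {1: (9, 10), 2: (2, 4), 3: (8, 5), 4: (9, 8), 5: (9, 9)},
    {1: (8, 9), 2: (4, 6), 3: (11, 3), 4: (8, 9), 5: (9, 9)},    # 11 is off-scale
    {1: (10, 9), 2: (None, 5), 3: (9, 4), 4: (9, 9), 5: (9, 8)},  # blank entry
]


def tabulate(ballots):
    """Return {risk: (mean probability, mean impact, valid ballot count)}.

    An entry counts only if both scores are whole numbers on the 1-10
    scale, so one blank or mistyped cell cannot skew a risk's average.
    """
    valid = {}
    for ballot in ballots:
        for risk, (prob, impact) in ballot.items():
            if prob in SCALE and impact in SCALE:
                valid.setdefault(risk, []).append((prob, impact))
    return {
        risk: (mean(p for p, _ in rows), mean(i for _, i in rows), len(rows))
        for risk, rows in valid.items()
    }


def screen(table, cutoff=CUTOFF):
    """Risk ids whose mean probability AND mean impact both exceed cutoff."""
    return sorted(r for r, (p, i, _) in table.items() if p > cutoff and i > cutoff)


if __name__ == "__main__":
    table = tabulate(BALLOTS)
    for risk in sorted(table):
        p, i, n = table[risk]
        print(f"risk {risk}: probability {p:.2f}, impact {i:.2f}, ballots {n}")
    print("passed to quantitative analysis:", screen(table))
```

The valid-ballot count is reported next to each average so the steering committee can see when a score rests on fewer ballots than were handed out.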
Tier #3: Strategic Project Risk Management Plan
Project Situation:
- The final risk decisions are being made by a committee of executives based on detail work developed by risk committees focusing on special categories of risks.
- The size of the project budget and its strategic significance for the client warrant elaborate quantitative analysis which has been included in the risk-management plan.
- The budget for quantitative risk analysis includes funds to pay experts’ fees and for research and data gathering.
Our project manager has presented the qualitative risk analysis information to client management. As these executives are familiar with making decisions based on data, the consultant has included qualitative measures of probability and impact and also a data precision value. One of the executives asked, “What is the significance of that data precision score? Didn’t our people do a good job in the risk assessment?”
List of Prioritized Risks with P/I Data and Data Precision Info
| Risk event | Data precision score 1-100 | Probability 1-10 | Impact |
|---|---|---|---|
| 1-Customers will not utilize the new procedure for trouble reports | 10 | 8.75 | 9.00 |
| 2-Turnover among our problem-solvers increases because of the need to provide 24/7 coverage | 89 | 8.4375 | 8.75 |
| 3-A decrease in quality on new products or services increases the number of trouble reports more than 10% above the present level | 80 | 5.1875 | 4.75 |
Our consulting project manager answered, "No, that's not the case at all. That data precision score is reflective of the accuracy and validity of the data we have about each of the risks. It reflects our understanding of the risk, the amount of information we have available about it and the reliability and integrity of that data. The score is based on my firm’s collective experience with projects of this type. As you can see, there are a number of risks about which we know a great deal. As an example, the quality of the data we have about the third risk on the list is quite good. We have very reliable data from the company's own quality control and quality assurance processes and I have given that risk a data precision score of 80 to reflect the quality of that data. On the other hand, the risk we are most concerned about is that the customers will not utilize the new procedure. I've given that a low data precision score because your organization has very little information and what we have is regarding other segments and is of questionable reliability. We are concerned about the risk because of its high probability and high magnitude but the absence of good data is, frankly, every bit as important. And for that reason I’m going to suggest that we do a Monte Carlo simulation so we can more accurately assess the impact of that risk on the project's overall duration and budget.”
The client executives accepted the consultant's recommendations and the list of prioritized risks and authorized the project team to move on to quantitative risk analysis.
Summary
We can apply risk management at various levels of intensity, scaling it so the effort is appropriate to the project at hand. You can learn these techniques in our online individual project management training classes or in in-person seminars for companies.

