So, lets get started!!!
Planning Risk Management
Risk management planning is the process used to decide how the risk management activities for the project at hand will be performed. The major goals for planning risk management are threefold: Ensure that the type, level, and visibility of risk management are proportionate to the actual risk involved in the project and the importance of the project to the organization; secure sufficient resources, including time for risk management activities; and set up an agreed-upon basis for evaluating risks.
To be more explicit, you use the risk management planning process to determine the following:
• How to approach the risk management activities for this project
• How to plan the risk management activities
• How to execute the risk management activities
The picture below explains the process used for Planning Risk Management:
Developing the Risk Management Plan
You perform risk management planning to develop a document called the risk management plan. As an input to this development process, you need to look at the project scope statement, which contains elements such as the following, which are relevant to risk management planning:
• Assumptions and constraints - Assumptions should be evaluated for their uncertainty and thereby the possible risks. Constraints represent fixed parameters, such as available funds and deadlines that can also pose risks to the project.
• Project objectives and requirements - You must address the risks that might prevent the team from meeting the project objectives and requirements.
• Product description - There might be risks involved in performing the work for meeting the product description.
• Initial risk identification - The project scope statement might contain some of the risks you initially identified. Now you have more information to build on that work.
The cost management plan may have information on risks related to budget, contingency, and management reserves. The schedule management plan may have information on how the schedule contingencies will be used and reported. The communication management plan should have information on who should receive reports about the different risks.
The enterprise environmental factors relevant to risk planning include the organizational attitude toward risks and the risk tolerance level of the organization. This information can be found from the policy statements of the organization and from actual experience with previous projects. The organizational process assets relevant to risk planning include organizational approaches toward risk management, definitions of concepts and terms used within the organization, standard risk templates you can use, a roles and responsibilities list, and authority levels for decision making.
You develop the risk management plan by holding planning meetings, which might include the following attendees:
• Project manager
• Selected members from the project team (Usually the team leads and other experienced members of the team)
• Selected stakeholders
• Any member from the performing organization who has responsibility for risk planning and executing
In these meetings, the input items are used to develop the risk management plan, the only output of the risk management planning process.
Risk Management Plan
The only output of the Plan Risk Management process is the risk management plan, which includes the following elements.
Methodology - This specifies the system of approaches, tools, and data sources that will be used to perform risk management on the project at hand. These tools and approaches might vary over projects, so you have to make the best selection for the given project.
Identifying and assigning resources - This identifies and assigns resources for risk management, such as human resources, cost, and time.
• Roles and responsibilities - This specifies the roles and responsibilities for each role involved in risk management. These roles are assigned to members of the risk management team. The risk management team might include members from outside the project team.
• Budgeting - The cost for risk management activities needs to be estimated and included in the budget and the project cost baseline.
• Timing and scheduling - The plan specifies how often risk management processes will be performed and which risk management activities will be included in the project schedule, which is planned and developed by using processes discussed in the chapter on Planning for Project Schedule and Communication.
Risk categories - This element specifies how the risks will be categorized. The risk categories typically correspond to the sources of risks. Depending upon the size and complexity of the project, you might need to develop a risk breakdown structure (RBS), which is a hierarchical structure that breaks the identified risk categories into subcategories. In developing this structure, you will end up identifying various areas and causes of potential risks. The performing organization might already have prepared a categorization of typical risks. However, you need to examine this categorization for each project and tailor it according to the needs of the project at hand. The risk categorization helps you identify risks to the extent that you will be identifying various areas and causes of potential risks for your project.
Risk probability and impact - Defining different levels of risk probabilities and impacts is necessary to ensure the quality and credibility of the qualitative risk analysis that we will discuss in just a bit. The basic issues are defining the scale of likelihood that the risk will happen and defining the scale of the strength of its impact if the risk occurs. These definitions, even if they already exist in the organization, must be examined and tailored to the needs of the specific project.
You can define the risk probability scale from very unlikely to almost certainly, called the relative scale. As an alternative, you can define a numerical scale in which the probability is represented by numbers, in which a value close to 0.0 means very unlikely and a value close to 1.0 means almost certainly. The impact scale represents the size of the risk impact on the given project objective should the risk occur. Just like the probability scale, you can define the impact scale relatively or numerically. The relative scale can range from very low impact to very high impact, with points in the middle such as low, moderate, and high. As an alternative, you can define the impact numerically; it might be linear, such as the first point at 0.1, the second point at 0.2, and the tenth point at 1.0, or it might be nonlinear, such as the first point at 0.001, the second point at 0.01, and the third point at 0.1.
Look at the picture below for a simple example: It shows an example of linear and nonlinear impact scales, in which the impact scale for Objective 1 is nonlinear and the impact scale for Objective 2 is linear. You can think of the X axis as a variable on which the risk impact depends.
Risks are prioritized according to the size of their impact on the project objectives, which can be recorded in what is called an impact matrix or lookup table. Even if your organization already has a typical impact matrix, you should examine it and tailor it to the needs of the specific project at hand. I will discuss the probability and impact matrix in more detail later in this chapter.
To understand the risk impact better, lets look at a sample that defines the impact of risks on the various project objectives.
|Project Objectives||Very Low (0.05)||Low (0.10)||Moderate (0.35)||High (0.65)||Very High (0.90)|
|Time||Insignificant time increase||1-10% time increase||10-30% time increase||30-60% time increase||60-100% time increase|
|Cost||Less than 1% cost increase||1-20% cost increase||20-50% cost increase||50-80% cost increase||80-100% cost increase|
|Scope||Scope decrease unnoticeable||Scope of only a few minor areas affected||Sponsor approval necessary for scope reduction||Scope reduction unacceptable to the sponsor||Project and item are effectively useless|
|Quality||Unnoticeable quality reduction||Only a few applications will be affected||Quality requires sponsor approval||Quality reduction unacceptable||Project and item are effectively useless|
Risk reporting and tracking - This element describes the format of risk reports, such as the risk register, a document that contains the results of risk analysis and risk response planning. Furthermore, it describes how different aspects of risk activities will be recorded so that the risks can be monitored for the current project. Also, should the performing organization decide to audit the risk management process, one should be able to track these activities. Another reason for recording these activities could be to save the information for the benefit of future projects in the form of lessons learned.
During the process of planning risk management for a specific project, you revisit the tolerance levels of the stakeholders for certain risks, and these levels may be revised. Risk management planning is the process that generates the risk management plan document, which contains the information that will be used in risk identification, risk analysis, and risk response planning.
You cannot manage a risk if it’s not identified. Dont worry, thats going to be the next chapter.
Prev: Big Picture of Risk Management
Next: Identifying Risks