In the previous chapter we learnt that the risk register is going to be constantly updated as we progress through the various processes in the Risk Management knowledge area. From the RMP exam perspective we will be using a term called the “Risk Register Update Cycle” which refers to how the risk register is going to get updated right from the moment it gets created in the “Identify Risks” process to the last process in risk management “Monitor & Control Risks”
The Risk Register Update Cycle is illustrated in the picture below:
If you are preparing for the RMP Certification, it would be a good idea to print out this picture and keep it handy because this is going to give you a high level idea of the overall risk management activities in your project. More importantly, understanding this whole cycle is vital in understanding the subsequent chapters in our RMP preparation series.
Let us now take a detailed look at the various stages in this Risk Register Update Cycle.
1. Identify Risks
Identify Risks is the risk management process that actually creates the Risk Register. When we create the risk register, the following initial/basic information is available:
a. List of identified risks with their description, owner, consequences if the risks were to occur
b. Root causes of risks
c. Potential risk responses
A point to note here is that risk owners or root causes or potential responses may not be immediately available when the initial version of the risk register is created. But, at this stage we must make a dedicated attempt to furnish as much information as possible so that the subsequent processes can take things forward.
2. Perform Qualitative Risk Analysis
The Perform Qualitative Risk Analysis process takes the risk register created in the Identify Risks process and makes further updates to the same. The updates that happen to the risk register in this process include:
1. Ranking or a priority list of risks
2. Risks grouped by categories
3. Causes of risks
4. List of risks that require a near-term response
5. List of risks that require additional analysis & response
6. Watch list of low priority risks
7. Trends in qualitative risk analysis results
As you must remember from the previous section on the Risk Management Plan, we will use the Probability & Impact matrix to classify risks and to create a prioritized list of risks. The purpose of categorizing risks is to group related risks and to address them together. Usually this is done because this categorization can help us identify the root cause and addressing one root cause can help us eliminate multiple risks.
In this process, we identify those risks that are urgent (ones with high probability & impact) and try to take care of them immediately. There are also cases where we may need to perform further analysis before we decide on the further course of action on the risk. In those cases, we note them down and analyze them in the next process which is the Perform Quantitative Risk Analysis. During our analysis we may also find out certain risks that are either very low risk or impact or both. In such cases we usually move them to a watch list for the moment and continue with the other risks. We must constantly monitor those watch list items to ensure that their probability or impact hasn’t changed to ensure that we don’t get any unwanted surprises.
The trends identification part may have taken you by surprise. Identifying trends is not easy and requires a lot of experience. Do you remember that I said that Risk Management is an iterative process? We usually do multiple iterations of these processes and during such cases, if we watch closely we may be able to identify trends on those risks that may be due to a totally different or even a bigger problem.
3. Perform Quantitative Risk Analysis
After we complete qualitative analysis, we would’ve identified a subset of risks that need further analysis. We will be analyzing those risks quantitative in this process. During this phase, the following updates happen on the risk register:
1. Probabilistic Analysis of the Project
2. Probability of Achieving cost & time objectives
3. Prioritized list of quantified risks
4. Trends in quantitative risk analysis results
Conducting a probabilistic analysis of the whole project helps us avoid cost and schedule overruns. Here we will be trying to figure out the probability that we will complete the project in time or under budget. This will also give us a fair idea of how much reserves are required.
At the end of this process, we would have further prioritized the risks. The trends part here is similar to the trends we covered under the Qualitative analysis process.
4. Plan Risk Responses
After we have analyzed and prioritized all the risks, the next step is to figure out “What to do in case the risk occurs” and that is what we will be doing in this process. This is the process that makes the most number of updates to the risk register. Also, most of these updates are interrelated.
The updates that happen to the risk register in this process are:
1. Agreed upon response strategies
2. Risk Owner & Assigned Responsibilities
3. Specific actions to implement the chosen response strategy
4. Symptoms & warning signs of risk occurrence
5. Budget and schedule activities required to implement the chosen responses
6. Contingency reserves of time & cost designed to provide for stakeholder risk tolerances
7. Contingency plans and triggers that call for their execution
8. Fallback plans
9. Residual risks expected to remain
10. Secondary risks
11. Contingency reserves that are calculated based on quantitative analysis
By this point all risks must have an assigned owner who is in-charge of those risks. If some of the items in the list above seem new to you, don’t get overwhelmed. This is just the introductory phase of our preparation for the RMP Certification. There is still a long way to go and we will be covering all of these in great detail…
Usually our response strategies are based on our organizational policies as well as risk tolerances. Also, the organizational and stakeholder risk tolerance has a direct bearing on the contingency reserves. Usually if the stakeholder risk tolerance is how, the reserves will be low and vice versa. It is our responsibility to gauge the risk tolerance level and arrive at the appropriate contingency reserves.
Fallback plans are those “Plan B” kind of plans that we will implement in case the original response is not fully effective. Residual risks are those risks that remain even after our original responses are implemented. Secondary risks on the other hand are those risks that are caused because of the risk response plan we implemented. These risks must not be ignored and have to be dealt with accordingly.
5. Monitor & Control Risks
This is the last process in our risk management knowledge area. In this process the following updates happen to the risk register:
1. Outcomes of risk assessment, risk audits and periodic risk reviewsAn important point to note here is that, risk reassessments and audits may unearth new risks as well. We need to ensure that those risks are handled appropriately as well. Also, documenting the actual outcomes can help us as well as other projects in future that may encounter similar scenarios as those that just failed for us. So, it is extremely vital that we document all those items accurately and truthfully.
2. Closing risks that are no longer applicable
3. Actual outcomes of Project risks & risk responses
Prev: Overview of Risk Register
Next: Section Summary - Risk Register