Management System Do the Job?
Richard B. Lanza
OVERVIEW
When a project is approved, business owners are making a conscious investment in time — and therefore, money — toward the development of the project’
s deliverables.
Because all these owners are not project managers, it must be ensured that they understand and have promptly quantified the risks affecting the project. Normally, this should be done by the project manager, but many times, depending on the size of the project or the human resources available, anyone on the project team may step in to assess and measure risk. This chapter addresses risk management, regardless of the resource enacting the process. Although the principles discussed in this chapter could be applied to various types of projects (e.g., bridge construction, railway expansion) this chapter focuses mainly on software development projects.
GENERAL DEFINITIONS
In order to begin understanding project risk assessment, it is necessary to start from a common understanding of the following definitions.
What Is Project Management?
The generally accepted definition is presented by the Project Management Institute in its Project Management Body of Knowledge (PMBOK) as the “application of knowledge, skills, tools, and techniques to project activities in order to meet or exceed stakeholder expectations from a project.”
The project lifecycle can be generally broken into three categories as follows: 1. Definition — the earliest part of the project, in which the purpose and requirements are clarified.
2. Planning — the second part of the project, in whcih responsibility is assigned and work is scheduled.
3. Implementation — the final phase in which deliverables are produced to meet the project objectives.
What Is Risk Management?
One of the most beneficial tools for ensuring a successful project is risk management.
The PMBOK defines risk management as “processes concerned with identifying, analyzing, and responding to project risk.”
Risks can be categorized as follows:
§ Known risks — risks whose existence and effect are known (e.g., knowing you could get a $100 ticket for driving your car past the inspection date)
§ Unknown known — risks whose existence is known whose effect is not (e.g., driving away from an officer of the law who is trying to enforce the late inspection sticker)
§ Unknown unknowns — risks of which there is no awareness at the present time of their existence and effect (e.g., not remembering to inspect your car and driving it past the inspection date)
How Is Risk Management Implemented?
Risk management follows a pattern that can be explained using various terms but can be quickly outlined in the following four steps:
1. Identify. Risks are identified but not judged as to their scope, magnitude, or urgency.
2. Assess. Risks are evaluated and prioritized based on their size and urgency.
3. Respond. All risks have a corresponding response that ranges from full acceptance of risk to prevention procedures.
4. Document. The identification, assessment, and response is documented to display the decision making process used in the project and to assist in knowledge sharing on future projects.
Note that risk management is normally initiated in the planning stages of a project (after the project has been properly defined) and continues routinely throughout the implementation of the project.
What Are the Common Ways to Respond to Risk?
There are three standard ways to deal with risk:
1. Prevention — eliminating the cause before it is an issue 2. Mitigation — completing tasks to lessen the risk such as implementing a new strategy or purchasing insurance so that the risk of loss is shared with outside investors
3. Acceptance — noting the risk and accepting any consequences it may entail Therefore, action plans could avoid the risk completely, reduce the risk, transfer the risk (insurance), or recognize the risk and take a chance. The key determinant as to whether to take a more stringent approach (e.g., prevention) is dependent on the cost benefit relationship surrounding that risk.
Using the risk categories above in “What is risk management?,” the following corresponds a response for each known/unknown risk category:
§ Known risks. If the effect of the risk is large, chart a new strategy to prevent the risk or, if the risk effect is small, mitigate or accept the risk.
§ Unknown/known risks. First, estimate the effect of the risk and, depending on the projected risk magnitude, use the strategies explained for “known risks.”
§ Unknown/unknowns risks. As much as the likelihood and magnitude of this risk cannot be predicted, it is wise to add a contingency estimate to the project — for example, adding 10 percent of cost to a financial plan for
“contingency allowances” without knowing exactly where this reserve will be applied.
COMMON RISK MANAGEMENT MISTAKES
Now that many of the definitions have been established, focus is now directed on the most common oversights in implementing a risk management system.
Most projects follow the principle of “if it ain’
t broke, don’
t fix it.” As a result, small
issues early in a project later become major problems. Risk management quickly transforms itself into crisis management, leading to missed deadlines or over-budget situations. These “crisis” situations generally follow a pattern in which the environment was not initially set for risk management to flourish. If only the benefits of a properly functioning risk management system were seen by business owners, they would begin to understand its necessity in any project, which leads to the number-one mistake.
Mistake 1 — The Benefits of Risk Management Are Not
Presented to Business Owners
Business owners want results and many times do not want to be told of the multitude of issues affecting the completion of their project. They just want the project done, regardless of how a project team gets it done. Business owners tend to stay in a passive role when they should be actively operating in the project. Like a homeowner who is having a house built, a business owner needs to see the work site at set intervals throughout the build process, or the investment may fizzle away.
It is recommended that a meeting be called in the early stages of the project to present the concept of risk management and to explain the benefits of this process.
Below is a list of key benefits of risk management listed in priority order:
§ An early warning system of issues that need to be resolved. Risks can be identified either before the project begins or during the course of the project.
Once identified, they need to be prioritized, not only as to the effect they may have on the project but also to what level they need to be presented to management for resolution. A properly functioning risk management system can provide a daily assessment of the top ten risks affecting a project for immediate resolution. If the risks are not assessed routinely, the environment is set to allow these risks to fester. In this environment, a small issue can become much larger if not a damning problem down the road.
§ All known risks are identified. Being able to sleep well at night is tough enough these days without having to think about all the unknown risks on a project. Through a properly designed risk management system, all probable
and potential issues are likely identified. Reacting to this knowledge is key, but in order to act, a risk and the corresponding resolution must first be identified.
§ More information is made available during the course of project for better decision making. By identifying all of the problems and projected solutions associated with a project, a deeper understanding of the project’
s feasibility
can be obtained. Especially early on, this information is invaluable and can provide more confidence to business owners and the project team that the project can be achieved on time and within budget. Further, risk management normally leads to improved communication among the project’
s stakeholders,
which can lead to improved team management and spirit. For example, a highly challenging project leads people to bond together in order to get the job done, just as passengers on a sinking ship need to stick together in order to save themselves. Finally, this information promotes a learning process for future periods during which risks (and their resolutions) can be reviewed as raw material when similar future projects are underway.
Mistake 2 — Not Providing Adequate Time for Risk
Assessment
There is no getting around the fact that risk management provides a layer of management and additional time to the project, which leads to a layer of resources
— or does it? It could also be argued that by completing a proper thinking phase up front, there is an application of the rule “Measure twice, cut once.” This phase should not be underestimated inasmuch as many projects tend to work under the principle of “Get it done by a certain date, regardless of the quality of the end product” rather than “Do it right the first time.” In many projects, there never seems to be enough time to do it right the first time but always enough time to do it right the second time. This mistake can be avoided by getting the agreement from business owners that the cost in time to implement risk management is fully outweighed by the benefits.