     
       Risk Management in Projects: 17 Steps to Success 
        By Jeff Crump 
         
        Theoretically, every decision on a project should be subjected to some 
        form of risk analysis. However, to repeat a formal assessment is impractical 
        for all but significant project events and changes. In other circumstances 
        it is sufficient for the project manager to have a “risk awareness” 
        of any changes taking place. The effective management of risk includes 
        both this informal awareness and a structured approach. 
         
        Within a project, there are 17 steps that can be taken to help manage 
        risk. These steps can be grouped into four major categories: 
      
         
        • Planning: Identifying the type of response appropriate
          for each risk; developing a detailed plan of action; confirming its
          desirability and objectives; and obtaining management approval.
        • Resourcing: Identifying and assigning the people and other resources
          (e.g. money and equipment) necessary to do the work; also confirming
          that the plan is feasible.
        • Controlling: Making sure that events on the plan are really happening.
        • Monitoring: Making sure that execution of the plan is having the
          desired effect on the risks identified. Also ensuring that the management
          of risk processes is applied effectively.
         
       
      The extent to which these activities need to be addressed depends upon 
        the size and nature of the particular project under review. Also, these 
        activities are not necessarily carried out sequentially. This paper will 
        walk clients through the 17 steps and actions involved in risk management 
        on a project basis. 
       
        The basis of risk management is in the “action plan”, which 
        is developed in steps 1 – 7. It’s important to note that inadequate 
        attention to some of the early steps may waste time and effort later. 
         
        Step 1: Determine risk indicators and pass information 
        to risk evaluation. The level of acceptability of a risk or group of risks 
        needs to be decided as part of the planning process prior to its use in 
        the evaluation activity of risk analysis. 
         
        Step 2: Using the ordered set of risks, assess each against 
        its indicators. When risk estimation is finished during the risk analysis 
        phase, all the identified risks are placed into an order of importance 
        based on their likelihood and potential consequences. It is now necessary 
        to superimpose upon this list the risk indicators that have been defined. 
         
        Step 3: Select the most appropriate means of reducing 
        each risk. No further action, other than monitoring, is required for risks 
        that are below their risk indicator. Actions on risks that are above 
        their defined level of acceptability may also be deemed undesirable. 
        If the cost of such action is not justified, then either the risk indicator 
        needs to be adjusted or the project must be halted. 
         
        Step 4: If the risk is to be accepted without trying 
        to avert it, go to Step 6. If risk is to be eliminated, its likelihood 
        or consequences reduced, or its consequences mitigated, then design an 
        appropriate course of action. If a risk is to be accepted without any 
        reduction measures taken, then it need only be monitored. It is important, 
        however, that the approach to monitoring is planned. If the elimination 
        of risks, or reduction of their likelihood or consequence is selected, 
        some proactive action is implied. 
         
        Step 5: Ensure that the course of action selected does 
        not produce any unintended consequences. Part of the planning process 
        is to ensure that whatever means are selected to deal with the risks identified, 
        these new actions themselves will not make things worse. 
         
        Step 6: Create a preliminary risk management plan and 
        define the initial monitoring requirements. A detailed risk management 
        plan is created as a result of the planning process, to implement the 
        risk reduction measures decided upon. The risk management plan summarizes 
        the risk analysis conducted and recommends courses of management 
        based upon the level and types of risk present. 
         
        Step 7: Present plan to management for authority to proceed. 
        Execution of the risk management plan must not begin until senior management 
        has formally approved the plan. This step is undertaken to ensure that 
        staff or cost commitments are fully appreciated, and that the approach 
        being proposed for risk management is in line with the overall strategy 
        of the organization. 
         
         
        To undertake the identified tasks, resources must be allocated to each 
        task and final adjustments to plans made. These plans must reflect skills, 
        experience and availability of the identified resources. 
         
        Step 8: Allocate resources to risk management plan. The 
        allocation of resources to risk reduction is one of the critical activities 
        of the risk management phase, and can proceed in parallel with Step 6 
        of the planning activity. The risk planning process must concentrate on 
        ensuring that the highest priority risks are attended to first. 
         
        Step 9: Assign responsibility for the activities identified 
        in the risk management plan. As part of the resourcing activity, authority 
        for risk management activities is delegated and responsibility assigned 
        throughout the organization to individuals and groups. 
         
        Step 10: Ensure the risk management plan is feasible, 
        and perform re-analysis of risks if necessary. Having allocated resources 
        to the plan it is necessary to make a final judgment concerning feasibility 
        of the plan. Aspects to consider at this stage primarily concern appropriateness 
        of resource allocation and whether this allocation has implications for 
        planned cost and time. 
         
        Step 11: Finalize the risk management plan and begin 
        its execution. Although the elimination of risks is the aim of management 
        of risk, generally this is not plausible or practical due to the scarcity 
        of resources available for risk reduction, the unacceptably high cost 
        of any action that would be effective, or the nature of the risk. Thus, 
        a combination of acceptance, elimination, reduction and mitigation measures 
        must be put into place. 
         
         
        Once the risk management plan has been finalized and execution begins, 
        then the activities defined within the plan must be undertaken with suitable 
        control being exercised. 
         
        Step 12: Ensure progress against the risk management 
        plan is within resource limits. Control activities concentrate on ensuring 
        that the risk management activities specified in the project plan are 
        being properly executed. 
         
        Step 13: Coordinate the execution of the risk management 
        plan with existing organizational activities. Communication makes up a 
        large part of the control activities. All risk reduction activities have 
        to be coordinated with each other and with other activities, notably those 
        concerned with the development of the project itself. Specific action 
        may be necessary to harmonize the implementation of both risk reduction 
        and project work. 
         
        Step 14: Resolve any conflicts over resource allocation. 
        Resource conflicts must be addressed before they compromise the implementation 
        of the risk management plan or the project development activities. There 
        must be no hesitation in using the escalation procedure if the problem 
        cannot be resolved at the project manager level. 
         
         
        Having planned and then controlled the activities on the project, it is 
        necessary to monitor progress against the plan and assess whether everything 
        is proceeding healthily. Project progress is specifically assessed at 
        the control points, such as end-stage and mid-stage assessments. 
         
        Step 15: Capture lessons learned on the effectiveness of risk 
        reduction measures. As project plans are executed, they must be monitored 
        to ensure that their objectives are achieved as intended. It should be 
        recognized that, in a high-risk environment, the one thing that can be 
        expected is that not everything will happen according to plan. What is 
        important is that an understanding of what needs to be done develops during 
        the planning and monitoring processes. 
         
        Step 16: Check that the risk indicators are not being 
        exceeded, and that reduction efforts are effective. At regular periods, 
        the progress should be checked against the plan to ensure that: 
      
         
        • Risks identified earlier are still valid, and the risk
          indicators have not changed
        • Any changes of risk significance are understood and communicated
          to those who need to know
        • Implemented responses have been effective and lessons learned are
          captured
        • The risk reduction measures can be considered a success (or if they
          are failing then identify new measures that need to be put into place)
        • Residual risks are acceptable, or are subject to continuing action
          on the plan; in this event the monitoring must continue
        • No other risks have materialized over time
         
       
       Step 17: Discover the reason(s) for change in the risk 
        status. If minor corrective action is required, return to Step 14. It 
        is, of course, possible that the risk reduction measures are not working 
        as well as had been expected, and thus that corrective action is required. 
        If the corrective action required is significant in terms of cost and 
        time, especially if it involves several risks (a highly likely situation), 
        a new risk analysis may be required. 
         
        In summary, helping to identify the possible options is central to risk 
        analysis; choosing between such options is central to risk management. 
        The effort expended on analyzing and managing risk depends upon several 
        factors, including: 
         
        • Project size, length 
        • Criticality of project to the business 
        • Experience of the project team 
         
        The effort expended on managing risk should be reasonable enough to keep 
        risk exposure to acceptable levels within the overall constraints of the 
        project. 
         
         
        Note: The fundamental content for this paper was taken directly from the 
        Management of Risk Library, An Introduction to Managing Project Risk, 
        © Crown 1995, Introduction to the Management of Risk, © Crown 
        1994, and Management of Project Risk, © Crown 1994. Some paraphrasing 
        and consolidation has occurred to achieve intended results.  
        
      
         
          Jeff Crump is a tech-savvy leader with nearly 20 
              years of information technology experience including enterprise 
              change management, ChangeMan consulting, project management, customer 
              relationship management, sales and business development, managing 
              international professional services groups, and delivery efforts 
              for high-tech commercial and government customers. Jeff is a Director 
              of EnterpriseCM, Inc. (ECMI), a collaboration of powerful technology, 
              process improvement expertise, and veteran change management professionals. 
              ECMI brings together Enterprise Change Management thought leadership 
              and real-world implementation experience to offer customers educated, 
              informed and seasoned consultation services. Jeff can be contacted 
              Toll Free: +1.866.788.5383, Direct: +1.480.710.0953, E-mail: JCrump@EnterpriseCM.com, 
              Web: www.EnterpriseCM.com. 
         
       
        
        
        
        
       
         
         
         
       
        
        
        
        
        
        
        