Elevating Project Risk
...n of the need for effective risk management has yet to become aligned with the devastating effect of not managing risk effectively. A greater focus on managing project risk is now not only describable but also essential. Sarbanes-Oxley procedures, for example, lay out specific processes regarding management and reporting of both organizational and project risk. Increasingly, there is a need for senior executives to have real-time information not only on the health of a project but on the risks and opportunities it presents to the business going forward. Such changes are forcing organizations to transform the way they conduct project risk management. Turning a blind eye to the unknown or a lack of understanding of risk management principles are no longer valid reasons for not implementing a risk management plan. Likewise, there is a growing recognition that early, up-front identification of project risk leads to a far better chance of project success than simply ignoring risks altogether. Indeed, major risks must be identified before a project is approved and resources are committed. In summary: creating a deterministic project schedule and cost estimate is no longer sufficient when managing project. Art versus science Project management can be defined as both an art and a science-and this approach is also helpful when considering risk management. Estimating both the chance of a project risk event occurring, together with its impact on the project can be highly subjective in nature and prone to error and discrepancy among project managers and team members. So the business requires a formalized, uniformly adopted means of identifying tracking and responding to project risks that can provide the framework and basis for a project risk management plan (RMP). The RMP is the ¡§risk management bible¡¨ and key to a successful risk management culture. It determines how risk is identified, into which classifications they should fall how tolerant a business is to their occurrence and how it should respond to them. Accentuate the positive Historically, the focus of risk management has been based upon negative impacts on a project¡¦s success. More recently a growing trend has emerged that also recognizes the benefit of potential positive risk in the form of opportunities within a project. Thus, risks can be viewed as either threats or opportunities and as such both should be fully accounted for when planning and controlling a project. Additionally, care should be taken to distinguish between uncertainty about schedule and cost estimates and that of potential increases or decreases in these estimates as a result of project risk. The best project estimates are generated by adopting a two-stage approach. First, either deterministic or stochastic (for example, three -point) estimates for project tasks are produced using standard statistical techniques. Stochastic estimates can be then evaluated using risk analysis simulation methods such as Monte Carlo (quantitative risk management). The second stage is to determine an expected increase or decrease in estimates based upon the anticipated level of threat or opportunity that will arise from risk events. This second process is best managed using a risk register (¡¥qualitative risk management¡¦). The risk register provides a structured means of identifying risks within sections of a project accurately modelling and assigning a score to the risk based on probability and severity. It also provides the basis for mapping out a risk response plan. Once the expected amount of risk impact has been determined a suitable amount of contingency can then be added to the area in question to generate a planned estimate (for both task costs and duration). Response Risk response can range from avoidance to acceptance. Avoidance must be a serious option if the ability to mitigate risk is unacceptably low. Clearly when team members have an interest in the project continuing, the need for a higher-level, more objective appraisal of project risk must be considered. But all business opportunities - which are what projects represent - contain risk and clearly an overcautious approach will result potential business benefits being denied. More typically, risk response is in the form of risk mitigation, that is the pro-active reduction of risk scores by planning risk reduction steps. Mitigation steps often result in additional work being required and, as such, can actually increase the scope of work within the project, but it is additional worthwhile work without which the project - and ultimately the business would inevitably suffer. Again, communication is an issue here; it¡¦s important to clearly record, assign and track mitigation steps defined for each risk and analyze their effect within the overall risk score on the project. Methods for reporting and tracking risk vary in granularity and sophistication, and depend upon how detailed are a company¡¦s analysis of the tasks and work packages that form the components of a project. Risk examination generally involves button-up identification of risk and top-down analysis. Typically, a business might consider reporting via: ƒÜ Risk matrices-immediately identifying areas of the highest and lowest risk through a probability/severity score. ƒÜ Waterfall diagrams, showing ho...