The Project Management Institute (PMI) encourages its members to advance the profession. One of the ways to do this is by helping others increase their project management skills. The target audiences for this blog are professional PM’s early in their careers as well as those who manage projects but are not PM’s by title or trade. I will be posting every week or so, offering practical tips and tools on the full range of project management topics. I hope you will find this useful and help you advance your career.
Some years ago, a company I worked for invested in improving our Project Management practices. They engaged with IBM professional services for 6 months to guide and mentor the in-house Project Managers. The first thing the IBM consultants did was establish a baseline that would be used to measure success at the end of the engagement. This baseline was “The Project Health Scorecard” (aka “PHS”). The PHS was measured at the beginning and end of the engagement as evidence of progress in our project management practices. I am a big fan of this concept and now use it on my project dashboard for all of my projects.
The PHS is an “early warning system” for potential project trouble. In that sense it is a child of Risk Management. Because of its condense and concise nature, it is appropriate for use in Project dashboards as well Project Portfolio dashboards, where you can see the health of all active projects at once. I typically update the PHS weekly in the regular project status meetings.
The PHS contains six key measures of project management best practices. Each measure is given a status value of “green”, “yellow” or “red”. I will present each of these measures along with the guidance for status values in a six part series as follows:
- Part 1: Schedule
- Part 2: Budget
- Part 3: Scope
- Part 4: Value
- Part 5: Resources
- Part 6: Risk
In this final part of “Risk Management Deeper Dive” I will briefly discuss “Risk Monitoring”. Monitoring your risks involves the following:
- Conducting regular meetings (as outlined in the Project Management Plan) where the risks and risk plans are reviewed. I recommend every week or every other week depending on the levels of risk exposure.
- The Risk Owners, the Project Sponsor(s) and the Project Manager(s), at a minimum, should be present at the meetings.
- In the meetings you should review the risks in order of risk exposure, with the highest exposure risks addressed first. In case your meeting time is limited, this ensures the most important risks are discussed.
- The risk probabilities and impacts are reviewed and changed as needed.
- The risk triggers are reviewed to ensure reliable monitors are in place. Any triggers tied to a near-term upcoming date are reviewed in detail.
- Risk mitigation plans are reviewed to confirm the plans are being executed.
- Risk contingency plans are reviewed to verify the plans are still valid.
- Close any risks that are no longer valid.
- New risks are raised and discussed. You can continue to use the Risk Hierarchy chart to help identify new risks.
After each meeting, the updated risk plan should be posted to the project repository. Open high-exposure risks should be highlighted in the project status report.
A Risk Owner must be assigned to each risk. The Risk Owner for each specific risk is responsible for identifying and executing all parts of the Risk Management Plan related to that risk. It is the Project Manager’s responsibility to regularly review the risk with the Risk Owner and update the plan with new information. The Project Manager should also make suggestions and act as a “sounding board” to assist the Risk Owner.
Here are some questions to ask the Risk Owner:
- Probability/Impact/Exposure – Have the mitigation plans reduced the probability and or impact? Have other conditions changed that have raised or lowered the probability and or impact?
- Trigger – Has the Risk Owner assigned someone to monitor the risk trigger? Is the method of monitoring adequate? Will the risk be detected in time to react?
- Mitigation Plans – Are these plans still adequate? Has the Risk Owner started execution of some or all of these plans? Are there additional plans that can be added?
- Contingency Plans – Are these plans still adequate? Are there additional plans that can be added?
It is important that the Risk Owner understands their role. Some may assume the Project Manager is taking care of it for them. Make sure the roles and responsibilities are clear to all parties.
In the prior post I discussed risk mitigation strategies, which can reduce the potential impact of risks that haven’t occurred yet. In contrast, risk contingency plans are meant to deal with risks after they have occurred. It is sometimes amusingly referred to as “Plan B” (and “C”, “D”, etc if necessary). Contingency plans answer the question “What will we do if …”.
It can be much easier to create contingency plans in advance because you are not under the stress of the risk having already occurred and you have more time to brainstorm the potential plans. Anticipating risks and having well vetted contingency plans keeps you in control of the project and minimizes “crisis mode”.
Here are a few examples:
- If there is a risk of testing taking longer than planned, you can have a list of additional testing resources identified to join the effort if testing falls behind.
- If there is a risk of inclement weather disrupting outdoor activities, you can have indoor activities lined up to keep the project moving.
- If there is a risk of a key resource leaving the project, you can have a consultant resource procured in advance to step in if needed.
As with all elements of Risk Management, conditions may change over time, so the contingency plans should be revisited on a regular basis to ensure they are still viable.
With your risks identified, prioritized and monitored, it is now time to develop strategies for managing the risks. The first type of strategy is “Risk Mitigation”. These are actions you can take before a risk occurs that can reduce the exposure to the risk. You should “brainstorm” these strategies with the members of the project team you identified in the Risk Management section of your “Project Management Plan” (refer to prior posts on this topic).
There are four mitigation strategies you can employ:
- Risk avoidance – this is the most expensive of the risk options. You can spend money or resources to eliminate the risk. An example would be if you have a lesser skilled resource assigned to a task, which raises a risks of on-time completion and/or deliverable quality, you can spend more money for a resource skilled enough to eliminate those risks.
- Risk limitation – this is the most common strategy. You take some action to reduce the probability and/or impact of the risk. One example would be if you are concerned about server downtime or performance during peak loads, you can implement redundancy and load-balancing to mitigate this risk.
- Risk transference – involves handing off the risk to another (willing) party. Examples are buying insurance, or outsourcing services.
- Risk acceptance – if the cost of mitigating the risk outweigh the cost of the risk itself, you may choose to just accept the risk with no mitigation actions. This strategy is typically employed for risks with low probability and/or low impact.
Documenting your mitigation strategies puts you in control of the project. You can manage your risks or they will surely manage you.
In this series Part 1, I addressed Risk Identification. In Part 2, I addressed Risk Probability, Impact and Exposure. In this entry I will discuss the concept of the “Risk Trigger”.
An important aspect of Risk Management is knowing and detecting that the risk has occurred. This is know as a “Risk Trigger”. In some cases it may be obvious. An example of this would be a risk such as “If the project team loses key resource “A”, then the task estimates assigned to “A” will need to be extended which may impact key milestone commitments”. In most cases the PM will know when they have lost a key resource. However, in the case of very large project teams, the key resource may be embedded deep in the project hierarchy, hiding the loss unless there is a communication plan to notify the PM
Your risk triggers must define the method you will use to monitor the risk. For example, if there is a possible change to a government regulation that will impact your project, you can engage your Legal team to monitor the status of this regulation on a regular basis and report any changes directly to the PM.
Here is another example: if there is a risk your server capacity is insufficient to meet peak demand, you might direct your technical team to establish monitors for CPU and disk usage and raise a flag if they are approaching the safe limits.
The lesson here is don’t assume you will just know when a risk has occurred. Define Risk Triggers (even the obvious ones) for all of your risks.
Now that you know your risks, exposures, and when they occur, the next step is to manage them with mitigation and contingency plans. I will tackle these topics in the upcoming posts.
After you have identified your risks, the next step is to prioritize them. We do that by assigning a probability rating and an impact rating, then combining the two to determine your exposure (i.e. priority).
The Risk Probability is a measure of the likelihood of the risk occurring. In most cases it is difficult to assign an exact probability. It usually will be sufficient to define probabilities as “High”, “Medium”, and “Low” and define these probabilities as ranges. Here is an example of the ranges I typically use:
- High = 70% or greater probability
- Medium = between 40 – 69 % probability
- Low = less than 40% probability
You can use whatever definition you choose as long as all of the parties helping you assign probability are aware of the defined ranges.
The Risk Impact is a measure of the effect of the Risk occurrence on the schedule, scope, budget and quality of the project. Again, since in most cases this may be difficult to quantify, using ranges represented by “High”, “Medium” and “Low” will suffice. Here is an example of range definitions for Risk Impact:
- High = greater than 10% impact on one or more of schedule, scope, budget and quality
- Medium = 5-10% impact on one or more of schedule, scope, budget and quality
- Low = less than 5% impact on one or more of schedule, scope, budget and quality
The Risk Exposure is a product of both the Risk Probability and the Risk Impact. It is also measured as “High”, “Medium” and “Low” if that is the way you defined the probability and impact. Here is how the Risk Exposure can be determined:
- Probability (High) + Impact (High) = Exposure (High)
- Probability (High) + Impact (Medium) = Exposure (High)
- Probability (High) + Impact (Low) = Exposure (Low)
- Probability (Medium) + Impact (High) = Exposure (High)
- Probability (Medium) + Impact (Medium) = Exposure (Medium)
- Probability (Medium) + Impact (Low) = Exposure (Low)
- Probability (Low) + Impact (High) = Exposure (Medium – but watch closely due to impact)
- Probability (Low) + Impact (Medium) = Exposure (Medium)
- Probability (Low) + Impact (Low) = Exposure (Low)
Now that you have your Risk Exposure determined you should monitor and act on them in order of exposure, with the ones rated “High” given the most attention. This will help you allocate your risk management resources appropriately.