The Project Management Institute (PMI) encourages its members to advance the profession. One of the ways to do this is by helping others increase their project management skills. The target audiences for this blog are professional PM’s early in their careers as well as those who manage projects but are not PM’s by title or trade. I will be posting every week or so, offering practical tips and tools on the full range of project management topics. I hope you will find this useful and help you advance your career.
With your risks identified, prioritized and monitored, it is now time to develop strategies for managing the risks. The first type of strategy is “Risk Mitigation”. These are actions you can take before a risk occurs that can reduce the exposure to the risk. You should “brainstorm” these strategies with the members of the project team you identified in the Risk Management section of your “Project Management Plan” (refer to prior posts on this topic).
There are four mitigation strategies you can employ:
- Risk avoidance – this is the most expensive of the risk options. You can spend money or resources to eliminate the risk. An example would be if you have a lesser skilled resource assigned to a task, which raises a risks of on-time completion and/or deliverable quality, you can spend more money for a resource skilled enough to eliminate those risks.
- Risk limitation – this is the most common strategy. You take some action to reduce the probability and/or impact of the risk. One example would be if you are concerned about server downtime or performance during peak loads, you can implement redundancy and load-balancing to mitigate this risk.
- Risk transference – involves handing off the risk to another (willing) party. Examples are buying insurance, or outsourcing services.
- Risk acceptance – if the cost of mitigating the risk outweigh the cost of the risk itself, you may choose to just accept the risk with no mitigation actions. This strategy is typically employed for risks with low probability and/or low impact.
Documenting your mitigation strategies puts you in control of the project. You can manage your risks or they will surely manage you.
In this series Part 1, I addressed Risk Identification. In Part 2, I addressed Risk Probability, Impact and Exposure. In this entry I will discuss the concept of the “Risk Trigger”.
An important aspect of Risk Management is knowing and detecting that the risk has occurred. This is know as a “Risk Trigger”. In some cases it may be obvious. An example of this would be a risk such as “If the project team loses key resource “A”, then the task estimates assigned to “A” will need to be extended which may impact key milestone commitments”. In most cases the PM will know when they have lost a key resource. However, in the case of very large project teams, the key resource may be embedded deep in the project hierarchy, hiding the loss unless there is a communication plan to notify the PM
Your risk triggers must define the method you will use to monitor the risk. For example, if there is a possible change to a government regulation that will impact your project, you can engage your Legal team to monitor the status of this regulation on a regular basis and report any changes directly to the PM.
Here is another example: if there is a risk your server capacity is insufficient to meet peak demand, you might direct your technical team to establish monitors for CPU and disk usage and raise a flag if they are approaching the safe limits.
The lesson here is don’t assume you will just know when a risk has occurred. Define Risk Triggers (even the obvious ones) for all of your risks.
Now that you know your risks, exposures, and when they occur, the next step is to manage them with mitigation and contingency plans. I will tackle these topics in the upcoming posts.
After you have identified your risks, the next step is to prioritize them. We do that by assigning a probability rating and an impact rating, then combining the two to determine your exposure (i.e. priority).
The Risk Probability is a measure of the likelihood of the risk occurring. In most cases it is difficult to assign an exact probability. It usually will be sufficient to define probabilities as “High”, “Medium”, and “Low” and define these probabilities as ranges. Here is an example of the ranges I typically use:
- High = 70% or greater probability
- Medium = between 40 – 69 % probability
- Low = less than 40% probability
You can use whatever definition you choose as long as all of the parties helping you assign probability are aware of the defined ranges.
The Risk Impact is a measure of the effect of the Risk occurrence on the schedule, scope, budget and quality of the project. Again, since in most cases this may be difficult to quantify, using ranges represented by “High”, “Medium” and “Low” will suffice. Here is an example of range definitions for Risk Impact:
- High = greater than 10% impact on one or more of schedule, scope, budget and quality
- Medium = 5-10% impact on one or more of schedule, scope, budget and quality
- Low = less than 5% impact on one or more of schedule, scope, budget and quality
The Risk Exposure is a product of both the Risk Probability and the Risk Impact. It is also measured as “High”, “Medium” and “Low” if that is the way you defined the probability and impact. Here is how the Risk Exposure can be determined:
- Probability (High) + Impact (High) = Exposure (High)
- Probability (High) + Impact (Medium) = Exposure (High)
- Probability (High) + Impact (Low) = Exposure (Low)
- Probability (Medium) + Impact (High) = Exposure (High)
- Probability (Medium) + Impact (Medium) = Exposure (Medium)
- Probability (Medium) + Impact (Low) = Exposure (Low)
- Probability (Low) + Impact (High) = Exposure (Medium – but watch closely due to impact)
- Probability (Low) + Impact (Medium) = Exposure (Medium)
- Probability (Low) + Impact (Low) = Exposure (Low)
Now that you have your Risk Exposure determined you should monitor and act on them in order of exposure, with the ones rated “High” given the most attention. This will help you allocate your risk management resources appropriately.
The first step in managing risk is to identify the risks you need to manage. This is the most important step in risk management and something new project managers tend to struggle with. I will present some techniques that have over the years have worked well for me.
- What worries you? – You can ask this question to your project team members and stakeholders. Do this first individually, then in groups. Many do not understand the term “risk” as it applies to projects and may come up with a blank if you ask them about risks. Everyone can relate to the term “worry” and I have found this helpful. You may get answers such as “I don’t have enough resources” or “the timeline is too tight” or “I don’t have enough expertise on my team in this area”. These types of answers are a great start in risk identification.
- The “Pre-Mortem” – we are familiar with doing “lessons learned” and “post-mortems” on projects. Doing a “Pre-Mortem” can help identify risks. You ask the project team and stakeholders “It’s 9 months from now, the project is over and it was a disaster. What are the reasons?”. Your mind works better at identifying risk when looking backwards so this technique can be very effective. You may get responses like “The Sponsor wasn’t involved in decision making” or “We didn’t train the staff on the new tools”. These types of answers are risks that need to be managed. You can also ask the opposite question: “It’s 9 months from now, the project is over and it was wildly successful. Why?”. Responses like “John Jones was assigned as the technical lead” or “The Steering Committee made prompt decisions” will help you identify risks and mitigate them.
- Risk Breakdown Structure(RBS) – if you Google this term you will find many examples. An RBS is simply a hierarchy of areas in which risks can occur. You would present each of these areas to the team and brainstorm potential risks for each area. Here is a sample RBS:
Complexity of Interfaces
Performance and Reliability
Dependencies on other projects
Resistance to change
You should state your risks in a consistent manner. A common way to phrase your identified risks are: “If (risk event occurs), then (impact to project in terms of scope, schedule, cost, quality)”
Here is an example: “If the vendor is late delivering Component X, then we may not be able to meet the project milestone for the first build”. Note that I stated “may” not “won’t”. Remember, risks are probabilities, not certainties. If it is a certainty, it is an issue, not a risk.
When I teach project management principles to non-professional PM’s, I emphasize that the two things you must do to greatly increase your chance of success are (1) create a complete Project Charter, and (2) manage risk. Those two practices, when done well, contribute to the bulk of project success.
In previous topics I discussed Risk Management in two places:
- The Project Charter
- The Project Management Plan
In the Project Charter, only the initially identified high exposure risks are typically listed and you may not yet have fully developed mitigation and contingency plans. In the Project Management Plan, the Risk Management Plan describes the process of risk management but it does not address the specific risks.
In the “Risk Management – Deeper Dive” series, I will present the following topics in detail:
Part 1: Risk Identification
Part 2: Risk Prioritization (probability/impact/exposure)
Part 3: Risk Triggers
Part 4: Risk Mitigation Strategies
Part 5 : Risk Contingency Plans
Part 6: Risk Ownership
Part 7: Risk Monitoring
Managing risk is a key project management best practice. I strongly suggest you make this one of the first areas of mastering project management.
There are no “secrets” to project management success. It’s a combination of education in PM best practices (the Project Management Body of Knowledge, or PMBOK), communication skills, and staying confident, focused and cool under fire. Most successful Project Managers follow these five steps:
Step 1: Know Your Outcomes
In the Project Charter topic, I mentioned the first and most important step in your project is to properly define the business and project outcomes. If you don’t know where you are going, how will you know you have arrived? This is as true for personal projects and goals as it is for business projects.
Step 2: Have a Plan and Take Action
You can speak passionately about your desired outcomes but unless you do something about it they are as worthless as having no outcomes at all. Taking action starts with good planning and the topics on the “Project Management Plan” and the “Project Plan” are excellent places to start. Once you have a plan, you can begin execution.
Step 3: Collect Relevant Information Regarding Progress
It is a rare project that goes exactly according to plan. You need to regularly evaluate whether your outcomes are still achievable and the level of progress towards achieving those outcomes. Having this information leads to the next step …
Step 4: Be Flexible and Change Plans as needed
If your project is not proceeding according to the plan, be prepared to change the plan and do whatever it takes to achieve your desired outcomes. This could mean some combination of the following: changing the order of activities, reassigning resources, changing the scope, crashing the schedule, etc.
The Marines have a motto: “Improvise, Adapt, Overcome”. This is also a good motto for Project Managers.
Step 5: Look and Feel Confident
Your project team will take its cue from you. If you are expressing doubts, look worried and anxious, or show uncertainty, your team will start to feel the same. Using PM best practices and following Steps 1 thru 4 in this post will allow you to proceed with confidence.
After you have created your initial cut of the schedule, you will often find that this schedule will not meet the target date. Adjusting the schedule and adapting to changing circumstance is where Project Managers earn their money.
Here are some of the actions you can take:
- Focus on the tasks that are on the Critical Path
- Revisit the estimates – do some of the estimates have more safety time built in than is needed? Where can you reduce estimates and not take on more risk?
- Fast-Tracking – look at activities that you have scheduled in sequence due to assumed dependencies. Can you do some of these in parallel or at least have some overlap? For example, you might have “Solution Construction” following “Design” but in reality you can start building some of the solution after some (but not all) of the design is completed. Fast-tracking is a very common practice and you will use this on most large projects.
- Crashing the schedule – this is where you throw additional resources at critical path tasks without regard to efficiency or budget. If meeting the target date is imperative, this is a useful tactic. It is best to plan for this contingency when you are doing your Risk Management Plan in order to have contingency funds in the budget that you can draw on in case the schedule risk is triggered.
- Obtain stronger resources – you can examine the critical path task assignments and look for opportunities where more experienced and knowledgeable resources would allow you to substantially reduce the task estimates.
- Reduce Scope – review the ranked requirements and obtain Sponsor approval to remove or delay requirements that are not essential for the initial go-live date.
- Sacrifice Quality – you can ask the Sponsor for approval to reduce test time for functions that are used rarely or are not business critical.
You are likely to use some or all of the tactics listed above in any project of significant size. It is a critical skill for Project Managers.