Risk Management Deeper Dive Part 7: Risk Monitoring

Executing Monitoring and Controlling

In this final part of “Risk Management Deeper Dive” I will briefly discuss “Risk Monitoring”. Monitoring your risks involves the following:

  • Conducting regular meetings (as outlined in the Project Management Plan) where the risks and risk plans are reviewed. I recommend every week or every other week depending on the levels of risk exposure.
  • The Risk Owners, the Project Sponsor(s) and the Project Manager(s), at a minimum, should be present at the meetings.
  • In the meetings you should review the risks in order of risk exposure, with the highest exposure risks addressed first. In case your meeting time is limited, this ensures the most important risks are discussed.
  • The risk probabilities and impacts are reviewed and changed as needed.
  • The risk triggers are reviewed to ensure reliable monitors are in place. Any triggers tied to a near-term upcoming date are reviewed in detail.
  • Risk mitigation plans are reviewed to confirm the plans are being executed.
  • Risk contingency plans are reviewed to verify the plans are still valid.
  • Close any risks that are no longer valid.
  • New risks are raised and discussed. You can continue to use the Risk Hierarchy chart to help identify new risks.

After each meeting, the updated risk plan should be posted to the project repository. Open high-exposure risks should be highlighted in the project status report.

Risk Management Deeper Dive Part 2: Risk Prioritization

Executing Monitoring and Controlling

After you have identified your risks, the next step is to prioritize them. We do that by assigning a probability rating and an impact rating, then combining the two to determine your exposure (i.e. priority).

The Risk Probability is a measure of the likelihood of the risk occurring. In most cases it is difficult to assign an exact probability. It usually will be sufficient to define probabilities as “High”, “Medium”, and “Low” and define these probabilities as ranges. Here is an example of the ranges I typically use:

  • High = 70% or greater probability
  • Medium = between 40% and 69% probability
  • Low = less than 40% probability

You can use whatever definition you choose as long as all of the parties helping you assign probability are aware of the defined ranges.

The Risk Impact is a measure of the effect of the Risk occurrence on the schedule, scope, budget and quality of the project. Again, since in most cases this may be difficult to quantify, using ranges represented by “High”, “Medium” and “Low” will suffice. Here is an example of range definitions for Risk Impact:

  • High = greater than 10% impact on one or more of schedule, scope, budget and quality
  • Medium = 5-10% impact on one or more of schedule, scope, budget and quality
  • Low = less than 5% impact on one or more of schedule, scope, budget and quality

The Risk Exposure is a product of both the Risk Probability and the Risk Impact. It is also measured as “High”, “Medium” and “Low” if that is the way you defined the probability and impact. Here is how the Risk Exposure can be determined:

  •  Probability (High) + Impact (High) = Exposure (High)
  •  Probability (High) + Impact (Medium) = Exposure (High)
  •  Probability (High) + Impact (Low) = Exposure (Low)
  •  Probability (Medium) + Impact (High) = Exposure (High)
  •  Probability (Medium) + Impact (Medium) = Exposure (Medium)
  •  Probability (Medium) + Impact (Low) = Exposure (Low)
  •  Probability (Low) + Impact (High) = Exposure (Medium – but watch closely due to impact)
  •  Probability (Low) + Impact (Medium) = Exposure (Medium)
  •  Probability (Low) + Impact (Low) = Exposure (Low)

Now that you have determined the Risk Exposure for each risk, you should monitor and act on your risks in order of exposure, with the ones rated “High” given the most attention. This will help you allocate your risk management resources appropriately.

Risk Management: Deeper Dive Part 1 – Risk Identification

Executing Monitoring and Controlling

The first step in managing risk is to identify the risks you need to manage. This is the most important step in risk management and something new project managers tend to struggle with. I will present some techniques that over the years have worked well for me.

  1. What worries you? – You can ask this question to your project team members and stakeholders. Do this first individually, then in groups. Many do not understand the term “risk” as it applies to projects and may come up with a blank if you ask them about risks. Everyone can relate to the term “worry” and I have found this helpful. You may get answers such as “I don’t have enough resources” or “the timeline is too tight” or “I don’t have enough expertise on my team in this area”. These types of answers are a great start in risk identification.
  2. The “Pre-Mortem” – we are familiar with doing “lessons learned” and “post-mortems” on projects. Doing a “Pre-Mortem” can help identify risks. You ask the project team and stakeholders: “It’s 9 months from now, the project is over and it was a disaster. What are the reasons?”. Your mind works better at identifying risk when looking backwards, so this technique can be very effective. You may get responses like “The Sponsor wasn’t involved in decision making” or “We didn’t train the staff on the new tools”. These types of answers are risks that need to be managed. You can also ask the opposite question: “It’s 9 months from now, the project is over and it was wildly successful. Why?”. Responses like “John Jones was assigned as the technical lead” or “The Steering Committee made prompt decisions” will help you identify risks and mitigate them.
  3. Risk Breakdown Structure (RBS) – if you Google this term you will find many examples. An RBS is simply a hierarchy of areas in which risks can occur. You would present each of these areas to the team and brainstorm potential risks for each area. Here is a sample RBS:

  • Technical
      • Technology
      • Complexity of Interfaces
      • Performance and Reliability
      • Quality
  • External
      • Vendors
      • Regulatory
      • Market
      • Customer
      • Weather
      • Environmental
      • Government
  • Internal
      • Dependencies on other projects
      • Resources
      • Funding
      • Requirements
      • Resistance to change
      • Inexperience
      • Schedule
      • Equipment
      • Quality
      • Customer satisfaction
  • Project Management
      • Estimates
      • Plans
      • Controls
      • Communications
      • Scope

——————————-

You should state your risks in a consistent manner. A common way to phrase your identified risks is: “If (risk event occurs), then (impact to project in terms of scope, schedule, cost, quality)”

Here is an example: “If the vendor is late delivering Component X, then we may not be able to meet the project milestone for the first build”. Note that I stated “may” not “won’t”. Remember, risks are probabilities, not certainties. If it is a certainty, it is an issue, not a risk.

Risk Management Deeper Dive – Introduction

Executing Monitoring and Controlling

When I teach project management principles to non-professional PMs, I emphasize that the two things you must do to greatly increase your chance of success are (1) create a complete Project Charter, and (2) manage risk. Those two practices, when done well, contribute to the bulk of project success.

In previous topics I discussed Risk Management in two places:

  1. The Project Charter
  2. The Project Management Plan

In the Project Charter, only the initially identified high exposure risks are typically listed and you may not yet have fully developed mitigation and contingency plans. In the Project Management Plan, the Risk Management Plan describes the process of risk management but it does not address the specific risks.

In the “Risk Management – Deeper Dive” series, I will present the following topics in detail:

Part 1: Risk Identification

Part 2: Risk Prioritization (probability/impact/exposure)

Part 3: Risk Triggers

Part 4: Risk Mitigation Strategies

Part 5: Risk Contingency Plans

Part 6: Risk Ownership

Part 7: Risk Monitoring

Managing risk is a key project management best practice. I strongly suggest you make this one of the first areas of mastering project management.

The Project Charter – Risks & Assumptions

Initiation

In upcoming posts I will discuss Risk Identification and Management in detail. For now, you just need to know that a risk is an uncertain future event that can have a negative impact on your project’s schedule, scope, budget or quality. The event has a probability of occurring less than 100% and greater than 0%. If the probability is 100%, then you have an issue, not a risk. Some risks can have a positive impact but we will not discuss that here.

You state the risk as follows:

  • If <risk event> occurs, then <state the outcome that affects your project> causing the project to be impacted in the following specific ways <scope, schedule, budget, quality>.

At the Project Charter level, you are interested in identifying only the highest impact risks so that your risk management strategies can be accounted for in the scope and schedule.

Some Project Charters will list “Assumptions” in their own section. I have eliminated assumptions from my own charter template as I feel if you have assumptions that can impact your project, then that is just another form of risk. I now include any assumptions in my risk section.

The Project Health Scorecard Part 6: Risk

Executing Monitoring and Controlling

Here is the suggested guidance for the status of the Project Risk Health:

Your Risk Health is Green if:

  • Issues and risks are documented in a central repository
  • Risks have triggers, mitigation and contingency plans for high-exposure and high-impact risks
  • Risks are reviewed on a regular basis by the project manager and risk/issue owners

Your Risk Health is Yellow if:

  • Issues and risks are defined in a central repository but not reviewed on a regular basis by the project manager and risk/issue owners AND/OR…
  • Risks have no mitigation and contingency plans associated with the high-exposure items

Your Risk Health is Red if:

  • Issues and risks are not documented in a central repository
  • Risks are not formally managed.
