A Model for Risk Response on Projects
by Lisa Young
Identifying and Assessing
A risk is an uncertain, Risk:
possible event that Managing risk is all about identifying
may positively or possibilities and deciding how to
respond to those possibilities. To
negatively impact a manage risk, you want to start by asking
yourself the question: “What can
project. Managing risk happen?”. This may appear to be an
awfully large undertaking until you zero
enables us to keep our in on this key point—you only want to
attention on delivering manage risks which are probable and
will have an impact. Managing risk costs
what we promised and people, time and money, so invest wisely
and do not waste time on risks that are
increases clear highly improbable or have no real
impact.
communication and
direction with the For example: Project A is a highly visible,
top priority project tied directly to the
project team and company's strategy. A highly improbable
risk is that the project's key development
project sponsor. This is resources would be assigned to another
project. Given that improbability, any
because risks are being effort to manage risk would be better
identified and managed applied to something more probable,
such as delayed receipt of the cutting
with full support from edge technology, Sun SPOT, which is
critical to the project delivery.
the sponsor, rather
Once you have identified a probable risk,
than being left to linger the next thing to consider is the
and remain unclear. likelihood that the risk will happen,
making use of personal experiences and
Risks left unmanaged past project history if it is available. A
rating based on a pre-defined scale,
spell disaster for a works best. This allows risks to be
measured individually, as well as against
project. other risks. I have found the numerical
scale of 1-10 to be useful, with 10
representing “almost certain”.
ITX Corp.
Keep in mind that if an event is
1169 Pittsford-Victor Rd, Suite 100 determined to be a certainty then it is not
Pittsford, NY 14534 a risk. An event that is a certainty is an
issue, and a course of action needs to be
1-800-600-7785 identified to resolve the issue.
www.itx.net
© 2006 ITX Corp. ITX and the ITX logo are registered
trademarks of ITX Corp. All rights reserved.
Using the previous example, if the
project manager is notified that the
vendor supplying that new technology
has just gone out of business—that's
an issue. In other words, it is a
certainty and needs an immediate
course of action applied to resolve it.
Coupled with the likelihood of risks is
the impact, or result, should that risk
occur. The impact should be
understood in terms of what would
happen in theory, along with a rating
representing the scale of the impact. A
numerical scale of 1-10 with 10
representing “devastating” is
recommended.
Once you have the likelihood and
impact identified, you can determine
your exposure for the risk, which in our
example using numerical scales, is the
product of likelihood and impact.
Exposure quickly highlights the risks
requiring the most focused attention.
Risks with greater exposure are like
the critical path of your project
schedule—they require the most
attention and the tightest
management. In order to tightly
manage, there must be a plan of
attack, and this is where risk response
comes in.
Formulating A Response for
Risk
Risk Response is a strategy taken to
manage a potential or manifested risk.
The strategy contains the approach and
specific actions, as well as whether that
response is going to be planned
(occurring prior to the risk manifesting),
or contingent (occurring once the risk
has manifested). Refer to the Risk
Response Model on page 3.
A Model for Risk Response on Projects cont’d
There are four different types of risk
responses. For every risk you will
want to decide which type of risk
response to utilize. The four types of
risk response are:
· Mitigation – Mitigation is reducing
the probability of occurrence or impact
of a risk, before it happens, to below
an acceptable threshold. Mitigation
may also include contingency, in the
event the risk still happens.
Mitigation requires action, resulting in
some level of planned response prior
to the risk manifesting and/or
contingent after the risk manifests.
· Acceptance – Acceptance is
deciding not to change the project
management plan to deal with a risk.
This may be due to having no other
appropriate response strategy.
Acceptance is a passive response.
Acceptance entails no action on your
part, but also does nothing to change
the risk exposure.
· Avoidance – Avoidance is
eliminating the risk, or protecting the
project objectives from its impact (i.e.
If the risk were to occur, it would not
impact the project). Avoidance
requires more action, but provides the
biggest benefits in reduction of risk
exposure—your risk is eliminated or
you have completely shielded your
project from any impact.
· Transference – Transference is
shifting the threat of impact and
ownership of response to a third party,
through a contractual agreement
between the two parties. Liability for
the costs of a risk is transferred to the
other party. In other words, your risk
is eliminated and the risk now rests
with the third party.
Examples:
Again, using our original example of
the risk of delay in receiving the
cutting edge Sun SPOT technology
necessary for the project to deliver its
solution, here is how the various risk
responses would play out.
Acceptance: Assume there is only one
vendor, Sun Microsystems, to provide
this technology. We have a long
standing relationship with this vendor
and they have always delivered to us
on time. In this scenario, we could do
nothing, relying solely on our strong
relationship with the vendor. This is
not the best strategy, but a possible
one.
Mitigation: With this type of response,
we could have a planned course of
action as well as a contingency
response. Our planned course of
action, which would occur before any
delay manifested itself, is to keep in
regular contact with Sun to assess
their progress—ensuring our need is
always kept current in their mind, as
well as guaranteeing the earliest
possible detection of a potential
delay. Our contingent course of
action, should we still end up with a
delay, could be to invoke a plan B,
which segments out the delivery of the
solution. In this case, rather than
delivering the total solution all at
once, we would instead deliver
solution components not dependent
on that technology earlier, and
schedule the other dependent
solution components later in the
delivery cycle.
Page 2
Avoidance: With this strategy, there
could be a couple of approaches. One
is to recognize early on that if this risk
is very likely to occur, then an
alternative approach to the underlying
architecture/technology design needs
to be developed—one that avoids the
use of this specific technology. An
alternative avoidance approach is to
shield your project from the impact of
a delay by specifically negotiating
early on in the project that the delivery
of the total solution, in terms of time
frame, will be promised once we have
an actual delivery date of the
technology.
Transference: To transfer this risk, we
could outsource the responsibility for:
· ordering the Sun SPOT technology
· managing the relationship with Sun
· receiving/installing the new
technology
· integrating and deploying the total
solution
And then what? - Ongoing
Monitoring and Control:
Once you have successfully defined
your risk response, you monitor the
environment and invoke the response
plans as necessary to control the risk
and/or impact. Risk Management is an
ongoing effort throughout the life of
your project. New risks may materialize
and existing risks which have been
realized and responded to, or whose
probability has been eliminated, may be
closed out.
So now that you have your risks under
control, you can get back to delivering
what you promised!
1-800-600-7785 • www.itx.net
A Model for Risk Response on Projects cont’d Page 3