How to Manage Project Risks (and II)AUTHOR: Francisco Sáez
"If you don't manage risks, you remain at their mercy."
In the first part of this article we saw how important it is to consider the risks that may affect a project, where to find them and how to identify them.
In this second part we will see how to document, analyze and develop a response, so you can tackle the project with greater confidence.
Document the risks
Once you have identified the project risks, you should generate a small risk register, a document where you state each identified risk, its chances and potential impact on the result of the project.
This document will be alive throughout the entire project. New risks may appear and existing risks may be removed. You can also change estimations on probabilities or impact of any risk, which may involve a strategy update.
State each risk in a very specific way, explaining the impact it can have and the cause that could trigger it.
How to analyze risks
Analyzing risks means basically assessing probability and impact to them. These values may be something like High-Medium-Low or a number from 1 to 5, for example.
Assigning probabilities is entirely subjective and is based on your experience (or your team’s) in this kind of projects. While this is usually sufficient for most projects, you will need a much more objective approach if it is a critical and complex project.
Similarly, you can assign an impact value to each risk. In this case it is useful to indicate which areas of the project will be more affected (scope, cost, time, quality).
Assign a high value to any risk that affects the critical path of the project (in addition to the schedule, they usually affect the budget.) Requirements that are ambiguous or incomplete may also have a high impact, as well as components which have not been fully tested or are unstable.
Do not underestimate the risks that may influence the level of satisfaction of customers, users, team members, etc. A dissatisfied customer can completely sink a project.
There are multiple risk analysis tools. The Probability-Impact Matrix is simple and provides a good visual representation of the project risks:
Place each risk in the corresponding quadrant.
Prepare a response
The last step is to decide how to respond to a risk that, in the end, manifests as real. According to the above matrix, you should care a lot about the risks that fall in quadrants described with the letter A, and you can almost ignore the ones falling in the C quadrants. Those risks in B quadrants should will be individually evaluated.
There are four basic strategies:
- Avoid the risk. It means making a change to the project that gets rid of the risk. If, for example, you are planning a wedding in a garden and there is a good chance for rain that day, you could decide that the feast will happen inside the restaurant and the risk will be eliminated.
- Mitigate the risk. It means reducing the probability of occurrence, the impact, or both of them—ideally, to an acceptable level. If you are using a new technology you do not know, doing a training course on that technology will decrease the chances the project will be adversely affected.
- Transfer the risk. It means you transfer the responsibility for handling the risk to other person or entity. It is what you do when you hire a contractor to reform the bathroom of your home. The risk still exists, but is in the hands of people who are supposed to be more capable, and you do not have to manage it.
- Accept the risk. It means you don’t manage the risk and assume its consequences in case the event takes place. This is what is usually done with risks that have low probability and low impact.
Note that sometimes these risk strategies generate secondary risks that should be planned as well.
Finally, planning a project with a reserve for budget and schedule (either a fixed amount or a percentage of the project) for any possible mishap is always a good practice to manage risks.