Defining Risk Management – Part 8: Risk Response Finale
Posted by Brad Egeland
In this Part 8 of a nine-part series on Risk Management, we conclude the discussion of Risk Response. Here we go into detail on where money is usually allocated for the different strategies of avoidance, acceptance, transfer, and mitigation. The following information, for the most part, is from an excerpt of the book “The Project Management Question and Answer Book.”
Risk Strategies and Money Allocation
Perhaps it would be a good idea to review how the money is allocated for different risk strategies. Risk avoidance is frequently going to cost some money. The money that we spend to redesign the project so that the risk is eliminated is money that will have to be spent regardless of the probability of the risk. The additional work of doing the redesign and adding more expensive parts will be part of the operating budget. No money needs to be put into the risk reserves if the risk is completely eliminated. If the risk has already been allocated funding in the contingency budget, the increase in the operating budget can be taken from the contingency budget.
Risk acceptance will have money put into the contingency budget if the risk has been identified. If the risk is an unknown risk and has not been identified, the money for it will be roughly estimated and become part of the management reserve. If the risk does happen, the money is taken from the contingency budget or the management reserve and moved into the operating budget when the plan for dealing with the risk is put into place.
Risk mitigation will have money put into the contingency budget to handle the risk if it occurs. There will also have to be money put into the operating budget to take care of the cost of the mitigating activities that are being taken for this risk. The mitigation of the risk will reduce either the probability or the impact of the risk, and the contingency budget should therefore be reduced.
Risk transfer requires money to be put into the operating budget to pay for the additional cost of either subcontracting the risk or buying insurance for it. The money to do the work for the activity affected, not including the risk cost, was put into the operating budget when the task was created. The cost of the transfer, either the additional cost that the supplier will receive or the cost of the insurance premium, must be added to the operating budget. This money can be taken from the contingency budget.
The operating budget of the project, sometimes called the performance budget, is the amount of money needed to do the things that are planned for in the project. This includes all of the work to produce all of the deliverables that were planned for in the project. It is not the total project budget; it includes funding only for the things that are planned for. Subject to limitations in the project policy, this money can be spent freely by the persons responsible for the tasks of the project as long as the expenditures are following the project plan.
The contingency reserve is the money to do the things that may or may not have to be done but that have been identified. This is where the funding for risks that actually take place comes from. When a risk takes place, the project manager authorizes money to be taken from the contingency budget and placed into the operating budget. Generally the project manager must approve money transferred from contingency reserves to operating budgets. In larger projects a subproject manager may approve these funds. The transfer of funds must include any appropriate changes to scope or schedule.
The management reserve is money that is set aside for the risks that have not been identified, the so-called unknown risks. This transfer is made when a risk occurs that has not been identified and money must be spent to solve the effects of the risk. The use of these funds usually has to be approved by a manager one level above the project manager.
In the final excerpt on Defining Risk Management (Part 9), we’ll discuss Risk Control.
Defining Risk Management – Part 7: Risk Response Continued
Posted by Brad Egeland
This is part seven in what is now a nine-part series on Risk Management. I apologize for the extreme length of the series, but to properly dive into risk response required three parts for just this portion.
In this article, we will continue with risk response strategies by looking at risk transfer, risk avoidance, and risk mitigation. Again, this information comes primarily from the book entitled “The Project Management Question and Answer Book.”
Transfer. The transfer strategy in managing risk is to give responsibility for the risk to someone outside the project. The risk does not go away; the responsibility of the risk is simply given to someone else. This can be done a number of ways. One way is to negotiate the refusal of a project deliverable that has a high risk of causing problems and have that risk contracted to another project. The stakeholder simply agrees that the deliverable is not required as part of the project and finds another project that is willing to do it.
Risks can also be transferred to a contractor working for the project. If this is done with a firm fixed price contract, the vendor will be obligated to deliver the agreed product for a fixed price. In this situation the vendor is responsible for any risks that occur while trying to complete the contract. While this may seem like a good solution to risk management problems, the vendors were not born yesterday afternoon. The vendor’s risk strategy may be to increase the selling price to compensate for the risk if it occurs. Of course, if the risk does not occur the vendor will make extra money. If you try to transfer the risk in this way, it may be that you will find that you are paying for the impact of the risk whether it happens or not.
Probably the most common method of transfer is to buy insurance. With insurance you give a relatively small amount of money to an insurance company. This amount of money, called a premium, is usually much smaller than the cost of the risk. If the risk happens, the insurance company pays to have the risk resolved. If the risk does not take place, the insurance company keeps the premium.
It is interesting to note that you can insure against only your own or your company’s loss. Buying insurance on someone else’s life or property, for example, is not allowed in most places unless that person or property represents a loss to you. If this were not true, there would probably be people hanging around hospitals buying policies on people who looked really sick.
Risk Avoidance. This strategy is used to make the risk cease to be a possibility. Avoidance is a little different from the other strategies we have discussed. In risk avoidance, we completely eliminate the possibility of the risk.
The simplest way to avoid a risk is to remove it from the project deliverables. If the sponsor of the project agrees to allow a risk-filled deliverable to be removed from the project, the risk is removed along with the deliverable. Of course the price the sponsor is paying for the project will probably be reduced to compensate for the reduction in scope. In avoiding risk in this way, we should remember that profits are often related to the risks we take to complete projects that have risks.
Another way to avoid risks is to design around them. This strategy involves changing the design of the product so that the risk cannot occur.
Suppose we have a project to design and manufacture a new kind of barbecue grill. During testing we discover that the screws that hold the bottom of the grill, where the ashes collect, rust and deteriorate quickly. A failure of the ash-collecting bottom could result in hot charcoal being dumped onto a wooden deck and causing a fire. We decide that this is an unacceptable risk and that our strategy is to avoid the risk.
One way to avoid the risk is to not build and sell the barbecue grill at all and abandon the project. We decide that this is an unnecessarily conservative strategy. Another way is to change the material that the screws are made from. Instead of plain steel screws we decide to redesign and use stainless steel screws. The stainless steel screws will not rust, and the potential problem will be eliminated. This completely eliminates the rusting problem of the screws and avoids the risk of a screw failure causing a fire.
Mitigation. When we discussed risk tolerance, we said that risks that were above the risk tolerance maximum were not acceptable risks and that something had to be done about them. Mitigation is a strategy where some work is done on unacceptable risks to reduce either their probability or their impact to a point where their severity falls below the maximum risk tolerance level.
Using the risk mitigation strategy involves taking some money out of the contingency budget that was the expected value of the risk before mitigation. Some of this money is put into the project’s operating budget to carry out the mitigation strategy. Since the probability or impact will be reduced, the expected value of the risk will be reduced as well, and the contingency budget should be reduced accordingly.
In the final upcoming article on risk response we will look at all four response strategies again in terms of what each means to allocating dollars to your projects.
Defining Risk Management – Part 6: Risk Response
Posted by Brad Egeland
What started as a five-part series became a seven-part series and now, with the potential length of the Risk Response article – if published in full here – looks like it may become an eight- or nine-part series. Risk response strategies include acceptance, avoidance, transfer, and mitigation. In this article and the next couple of articles, we’ll look at each of these deeper.
The following is a modified excerpt from the book “The Project Management Question and Answer Book” which has a great section on Risk Management.
What are Risk Response Strategies?
Risk response strategies are the approaches we can make to dealing with the risks we have identified and quantified. In the section on risk quantification we discussed evaluating the risk in terms of its impact and probability in such a way that we would be able to rank risks in their order of importance. This is what we called severity, the combination of impact and probability.
Risk response strategy is really based on risk tolerance, which has been discussed. Risk tolerance in terms of severity is the point above which a risk is not acceptable and below which the risk is acceptable.
Several strategies are available for dealing with risks. These are avoidance, acceptance, transfer, and mitigation.
There are many reasons for selecting one risk strategy over another, and all of these factors must be considered. Cost and schedule are the most likely reasons for a given risk to have a high severity. Other factors may affect our choice of risk strategy. For example, if a schedule risk is identified for a task in the project, and if this task has many other tasks depending on it, its severity may be calculated as being lower than is apparent, and the severity should be adjusted even though the schedule impact due to the disruption may be difficult to judge. The strategy should be appropriate for the risk it is intended for.
The following four strategies comprise the strategies that are normally used for risk:
Acceptance. Acceptance of a risk means that the severity of the risk is low enough that we will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance level. If this were not the case, it would not make sense to accept the risk. Once the risk occurs, we will fix the problem and move on. The risk is acceptable because the severity of the risk is lower than our risk tolerance. Accepting a risk does not mean that we will not do something about the risk when and if it occurs; it means that we will do something about it only if it occurs. Many of the project risks will fall into this category. It is the category where the many insignificant risks are put. Many of these risks cost less to fix when they occur than it would cost to investigate and plan for them.
There are two kinds of acceptance, active and passive. Acceptance is active when a risk is identified as being acceptable but we decide to make a plan for what to do when and if the risk occurs. It is much more effective to have a plan in place when these types of risk occur rather than trying to deal with the risk when there is little time and lots of hysterics. There is also another risk involved: the wrong thing can be done to solve the problem because its solution was not clearly thought out under pressure in the heat of the moment.
Acceptance is passive when nothing at all is done to plan for the risk occurrence. Many of the identified risks in the project will be passively accepted. These risks are simply too small to be of concern. The cost of developing a plan and documenting it can be higher than the cost of dealing with the risk without preparation.
An example of risk acceptance is the risk that off-the-shelf software that was purchased for the project will be defective. There is a probability of 2 percent that this will occur. That is, that the CD the software is delivered on will not work and will have to be replaced with a new CD. This causes a delay of five days to a task that has twenty-five days of free float. Passive acceptance will probably be used in dealing with this risk. It is probably not worth the effort to anticipate the problem and do something about it. It is simpler to wait and see if something is wrong with the CD and take corrective action. Of course, it would be foolish to receive the CD and not test it until it was needed.
In the next article, we’ll look at the risk strategies of transfer, avoidance, and mitigation.
Risk Management: Analyzing Threats to Your Project
Posted by Brad Egeland
Another section from Gary Heerkens’ brief case book entitled “Project Management” was utilized for much of the material for this article. This section deals with how the project manager and team go about analyzing risks and managing “high-threat” potential problems during the engagement.
Having analyzed the possible risks to the best of your ability, at this point, you and your project team have identified a substantial list of potential problems. You’ve tried to quantify the extent of these problems and their potential effects on your project. The big picture, though, is that you simply don’t have the resources to deal with every one of these potential problems.
So how do you narrow the list to a manageable size? How do you identify the problems that threaten you the most and therefore demand your attention? There are a number of methods for shortening the list. Should you even shorten the list? That depends on the project and how you want to manage the risks and how you’ve agreed to manage the risks with the customer. If your list is quite extensive, then, yes… it should likely be shortened… but how?
Analyzing the Biggest Threats to Your Project
One of the most common and straightforward methods consists of making subjective judgments about two characteristics of potential problems—probability and impact. These terms mean exactly what you would expect. Probability is the likelihood that the potential problem will occur. Impact is the seriousness or severity of the potential problem in terms of the effect on your project.
Once the probability and seriousness have been identified, determining the high-threat problems becomes a simple issue of ranking based on the two factors.
Taking on the potential high-threat problems will obviously consume resources, so it is still critical to determine a threshold at which you will take on the risk or threat. Below that threshold, you’ll just have to leave it on the list and monitor it as the engagement progresses, without taking active mitigation action unless it becomes necessary.
Responding to High-Threat Problems
There are a number of ways to address the high-threat problems you identify. Let’s examine all of the options for dealing with risk and potential problems:
Avoidance. In avoidance, you choose a course of action that eliminates your exposure to the threat. This often means that you’re now pursuing a completely different course from what you’d originally planned. The space shuttle program provides an excellent study in avoidance. Many flights are carefully planned and then, because of marginal weather conditions, scrubbed. Delaying the takeoff of a space shuttle mission because of a weather threat is a perfect example of risk avoidance.
Transfer. The most widely quoted example of risk transfer is something we’re all very familiar with—insurance. Risk transfer does not “treat” the risk; it simply makes another party responsible for the consequences of the risk.
Assumption. This means that you are aware of the risk, but choose to take no action on it. You’re agreeing to accept its consequences or to simply deal with them if it happens. That’s essentially how you’re treating threats that fall below the threat rating described above. Assumption is also a valid strategy in situations where the consequences of the risk are less costly and/or less traumatic than the effort required to prevent it.
Prevention. Prevention refers to action taken to reduce the probability of occurrence of a potential problem. Ordinarily, it will be your first course of action in dealing with high-threat problems. Prevention begins with identifying the root causes of potential problems. Determining root cause may allow you to identify preventive measures that could reduce the probability that a given problem will occur. Be sure to revise the project plan to incorporate any preventive actions that you intend to take, so that they’re not overlooked or forgotten.
Mitigation of Impact. This strategy aims at reducing the negative effects of a problem. You’re taking measures to lessen the impact. For example, installing air bags in automobiles does nothing to reduce the probability of accidents, but it may significantly reduce the effects. It’s important to note that mitigation tactics may be viewed as a waste of time, money, and effort, if the potential problem does not occur.
Contingency Planning. Contingency plans are specific actions that are to be taken when a potential problem occurs. Although they’re intended to deal with problems only after they’ve occurred, contingency plans should be developed in advance. This helps ensure a coordinated, effective, and timely response. Also, some plans may require backup resources that need to be arranged for in advance. Contingency planning should be done only for the high-threat problems that remain after you’ve taken preventive measures.
Managing Issues and Risks on a Project
Posted by Brad Egeland
The concept of tracking issues and risks on a project is rudimentary. It’s fundamental. It’s critical. It’s necessary to the life and success of the project and it’s an absolute must when you’re trying to ensure the long-term satisfaction of your customer. And it’s also something that we often easily overlook – or at least we don’t do a very good job at it.
Defined
An issue is a function associated with the project that may impede the continuation, impact the cost or manpower or otherwise adversely affect the project. An issue is something real, something that has been encountered and must be dealt with.
A risk is a potential issue that needs a mitigation strategy to avoid impacting a project’s success potential. A risk is an uncertainty with some degree of likeliness to happen.
Managing Issues and Risks
So what’s more critical to manage… issues or risks? The answer is BOTH. It doesn’t really matter too much HOW you manage issues and risks, just that you manage them. It really doesn’t matter if you separate them out either – just so you DO actually manage them. Issues and risks are not something the project manager makes note of and then tucks away somewhere on a sheet of paper.
Remember, if we don’t learn from our mistakes, we are destined to repeat them. How true! And if we don’t document issues and their impacts to the project as well as risks and their potential impacts to the project and likeliness to happen, then both types of these project ‘bumps in the road’ are going to hit us and they are going to catch us completely off guard.
Make Everyone Aware
So how do we manage issues and risks on a project? There are probably 100 different ways and every good PMO should have a template and process for managing issues and risks. The key is to document them, bring them to the customer’s attention and to the attention of everyone on your team and make a discussion of the issues and risks an ongoing topic on your weekly status call. Make it a recurring piece of your weekly status report. Make sure that it is in front of every critical participant and decision-maker for the project every week. An issue that slips through the cracks can’t be dealt with and a risk that is ignored cannot be prepared for and mitigated.
The Customer’s Role
The customer is often your best friend when attempting to resolve issues and mitigate risks. Remember, this is their project, too. They actually want nothing more than for you and your team to be very successful and they’ll often do whatever is necessary to help achieve that success. It is financially in their best interests to see that happen. So, be sure that they are always aware of issues and risks as they arise and make them an active player in issue resolution and risk mitigation. It’s rarely beneficial to hide issues or bad news from the customer and they’ll never truly understand the value and hard work required of the project manager if they think your job is too easy.
Summary
A repeatable, formalized process for managing issues and risks is critical. More critical than how you separate and differentiate between the two. On most projects, they are a combined list for me. It’s as simple as documenting them in detail on a spreadsheet – but the key is always to have them in front of every key person on both teams, assign follow-up to the right key people and review status every week (or more often when necessary) on the weekly status calls and status reports.