Expert project managers manage risks. By making risks visible, thinking through how to control them and monitoring action plans, you can improve the success of your projects.
It is possible to manage risks casually and still be successful, but to do it right you should apply a simple five-step process:
Identify risks. Project-related risks fall into four categories representing various levels of risk and project manger control:
Management and user commitment (high risk/low-medium level of control): The most critical risk to manage is the commitment of managers and users to project success. Since this is not under your direct control you will have to work closely with them.
Requirement specification (low-medium risk/low-medium level of control): Projects sometimes fail because project managers don’t manage user expectations and forget to control scope-creep. You may be unsure about what you are to deliver because the users are not able to present a common, clear vision of what they expect from the application.
Schedule, staffing and personnel (high risk/high level of control): You will also encounter project execution risks including aggressive schedules, resources with the wrong skills, a shortage of skilled staff and personality problems. Although these risks are real they are usually under your direct control.
Technology and architecture (low-medium risk/high level of control): very few of the risks on your projects will involve technology unless you are building applications with new development languages or architectures.
Solutions to these risks are generally under your control. There should be few excuses if a project fails because of this kind of risk.
Quantify risks. After identifying risks, calculate the cost of leaving each unmanaged. You do not need to be precise when calculating costs. Instead, use rules of thumb. For example, if the average total cost of a resource is $100,000, it is easy to calculate the direct cost of a project delay. Indirect costs can be calculated in terms of lost opportunity or benefit.
Next, determine the probability of the entire cost of each risk being realized. Use a probability between zero and one rather than a ‘scientific’ method for determining probability. Reach consensus among the project and user management staff. Multiply the potential cost of the risk by its probability to determine the risk exposure.
Rank risks. You can rank risks by risk exposure. It is better to apply a degree of subjectivity based on the timing and type of each risk, as well as risk exposure. You need to give priority to short-term risks (for example, you don’t need to address implementation risks in detail while defining system requirements).
Develop action plans. Use a checklist of techniques for managing risk as guidance determining action plans. Adapt the generic suggestions to develop specific action plans for each risk. For example, to increase user commitment you can work with users to define a clear mission statement for the project. You can also ensure that mangers are continually informed and are managing the impact of change in their organizations, and that their staff is involved in defining requirements and setting priorities for functionality and implementation schedules.
You may want to integrate the work required by the risk management action plans into your task schedule to track them.
Manage action plans. Keep risks visible and monitor the status of each risk on an ongoing basis. Maintain a log that tracks each risk in terms of the following: ID/title/description; priority; risk dependencies; potential value of loss; probability of loss (zero to one); risk exposure; status; action plan; responsibilities; and due dates.
These steps for managing risk are quite simple. If you apply them consistently you can improve your chance of delivering a successful project.
Hughes is an employee of EDS Systemhouse Inc. in Toronto and was responsible for the development of SHL Transform, a knowledge-driven process management tool. He can be reached at [email protected].
