Risk Management is a very widely used term in today"s world of software engineering. Almost every project suffers from threats which can seriously affect its cost, schedule or quality in a negative way. According to an IBM study only 40% of projects meet schedule, budget and quality goals. Other analyses conclude that "between 65 and 85% of IT projects fail to meet their objectives, and also run significantly late or cost far more than planned."
In order to avoid critical deviations to project"s cost, schedules and quality it is important for every Project Manager and not only, to acknowledge that threats exist, that things could go wrong, and to be prepared to act either by reducing the probability of the potential threats or by reducing the loss if these will materialize.
A risk represents a potential problem, an uncertain event that, if it occurs, will have an effect on the project objectives.
The effect of the event could be either beneficial or damaging. When approaching Risk Management, which covers both positive and negative effects of an uncertain event, the Project Manager has to differentiate between Threats and Opportunities. In the current article we will be focusing only on risks that are threatening project objectives (have a negative impact on the project"s success goals).
Any risk involves three attributes which need to be quantified:
There are 4 types of risks:
If we go further on and put all these information together we dive in the Risk Management practices.
Risk Management activities are Project Manager"s accountability, everyone"s responsibility and should be performed in a proactive way. The objective of Risk Management is to give the Project Manager the necessary knowledge and instruments to be able to face any events that might have an impact on the project"s objectives. Many problems that arise in software development were first known as risks by someone in the project staff. Caught in time, risks can be avoided, negated or have their impacts reduced. Proactively managing risks implies determining a strategy that will prevent the risk from becoming a problem or will limit its impact if it does. The strategy to manage risks typically includes reducing the negative effect or probability of the threat, transferring the threat to another party, avoiding the threat or even accepting it.
During the Project Start-up phase and then continuously during the entire project"s lifecycle, risks need to be identified, analysed and furthermore adequate measures need to be planned, evaluated and implemented when it might be the case. In carrying out all of these steps the Project Manager is assisted by appropriate project stakeholders.
We start identifying risks with the acknowledgement of 3 categories of risks:
Many of the known and predictable risks may be identified in the start-up phase of the project, some of them even in the bid phase. There are a number of tools and ways to help the Project Manager efficiently perform this activity. A sample risk checklist or a questionnaire where the answer will reveal risks can be used. Software Engineering Institute (SEI) developed a software risk taxonomy and a taxonomy based questionnaire (TBQ) which provide a basis for identifying, organizing and studying various aspects of software risks.
However, risks exist and emerge throughout the entire lifecycle of a project; that"s why risks must be identified continuously, not only in the start-up phase. Risk identification needs to be part of the project"s routine. It is every team member"s professional and moral responsibility to report risks as soon as they are identified, even if they seem to have a low importance or sound weird.
Once identified, the risks should be captured and communicated or shared through a risk log or other tool that allows risks registration.
Once the risk has been identified, the Project Manager (or someone acting as risk manager for the project) will assess its probability, impact and proximity. In some cases this step might require an impact analysis which will consider all the objectives that might be affected by the possible occurrence of the risk. Ideally, the Project Manager should also determine the Risk value - the cost of the problem if the risk will occur. Risk value = probability x cost to the project if the risk occurs. In the absence of figures relative classification is still useful.
The Project Manager has to make sure that responsibility for all important risks is explicitly assigned to a Risk Owner. The risk owner is the person with the best profile to manage the specific risk during its lifecycle in the project, this may be someone who is not directly involved in the project, such as line manager, sales, infrastructure, etc.
Once the probability, impact and proximity for a risk have been assessed, the Project Manager will work with the relevant stakeholders to define and plan suitable measure(s) to manage the risk. The measures a Project Manager can consider when responding to a risk are:
When dealing with a set of related risks the Project Manager should consider the consequences of any action: eliminating or reducing a risk may introduce others.
The measures defined to respond to a risk bring additional costs to the project. Mitigations are effective when the gain obtained by mitigating the risk exceeds the potential loss that would be recorded if the risk was to materialize. When making this calculation, it is a good principle to consider the remaining risk, after mitigation.
Otherwise stated, Risk Management is about deciding how much time, money, effort you want to spend on solving a problem which might never occur. A wise practice in project management is to always consider a risk budget added to the project"s original budget.
The risk must be monitored and reviewed regularly to ascertain the validity of the planned response and, if necessary, to plan new measure(s). There are hundreds of risks which can be identified during a project lifecycle. It is impossible to track all of them on a regular basis. That"s why the recommendation is that only the top 10 risks (considering the priorities established) are monitored regularly. An Impact/Probability matrix can help Project Manager decide which risks need his attention.
To successfully implement a project, the Project Manager must identify and focus his attention on moderate and extreme risks.
The risks towards the top right corner (high impact/high probability) are of critical importance and the ones that the Project Manager must pay close attention to. It can also be the case that at one moment a moderate risk needs more attention because it"s likely to occur soon.
Low-probability / low-impact risks can often be ignored.
Because the project context can change, already planned responses for a risk might no longer be suitable, therefore corrections need to be done on the risk mitigation plans, sometimes even the risk needs to be re-analysed.
Identifying and managing risks is the very essence of business survival and growth. The practices of risk management are still not formalized in most of our Romanian IT companies and this becomes a risk by itself. Although Project Managers identify risks based on their former experience, lessons learnt or just a gut feeling, the risks are rarely properly managed or monitored. And when things can go wrong they will go wrong (if no action is taken). How many times did you hear the expression: "I knew this would happen" after something bad has happened? And this is just because a person in the team knew that something can go wrong but did not act to prevent it. Sharing is caring and sharing is acting. It is our own responsibility to share risks with the person who can do something about it. Each one of us has its own perspective, knowledge and understanding on what"s going on and sees things that others don"t or can"t. It is said that on average each one of us foresees about 5 risks per day, but usually forgets them soon after.
Considering your company context and the aspects presented in this article do you foresee any risk of not having managed risks? Or otherwise stated: "Given that there is no Risk Management process in place is there a risk of losing business? Or failing projects? Or losing people?"
It is a challenge for each of us to identify and react on these risks. Some can rise these risks others can do something about them. Yet, an effective risk management starts from the top with clarity about risk strategy and governance, with proper understanding and accountability at the board and executive levels.
At ISDC, we had understood the importance of Risk Management as a process, as a mind-set and as an attitude towards risks and we are continuously working on eliminating "the risk of not having risk" by:
In order to facilitate ISDC"s Risk Management process we developed our own Risk Manager tool - a web application that allows risk identification, tracking and analysis. The Probability / Impact matrix is a board presenting the risks and their proximity in a nice, visual way. Risk Manager can be accessed by any interested stakeholder based on previously granted permissions. Next step is to embed Business Intelligence and Analytics layer in order to have an efficient reporting, thorough analysis of data and dashboards displaying risks" key indicators.
All these have been and are successful due to our Continuous Improvement Program and to the valuable contribution of Peter Leeson (www.qpit.net). Peter has been inspiring us through his trainings, CMMI appraisals, consultancy and support.
We can conclude that risk management is an essential element of organizational success. The secret of successful projects is closely linked with the ability of taking risks, correctly managing them and communicating results. Also sharing the experience throughout the organization gives the future projects a library of best practices to call on.