Risk management is an ongoing process that should be implemented as part of the initial planning activities for our projects, product, and processes. Risk management must also be an ongoing part of managing those projects, product, and processes. The purpose of risk management is to identify and analyze potential problems (risks) before they turn into actual problems so that we can:
- Avoid risks that are too large
- Plan and implement proactive risk mitigation actions as necessary to either minimize the probability that the risk turns into an actual problem or minimize the impact of the problem if it occurs
- Decide which risks are small enough and the associated opportunity good enough to just accept the risk
The basic steps in the Risk Management Process, as illustrated in the figure below, include identifying potential risks, analyzing those risks, planning how to mitigate those risks if necessary, implementing planned containment actions, tracking our risks, and implementing planned contingency actions if necessary. The Risk Management Process is designed to be a continuous feedback loop in which additional information, including risk status, is used to refine the risk list, the risk analysis, and the risk plans.
IDENTIFY THE RISKS
The first step in the Risk Management Process is to identify potential risks to the success of the project, product or process. The output of this step is a list of identified risks. Risk identification requires a fear-free environment where risks can be identified and discussed openly. We should be as thorough as possible on the first round of risk identification but not obsessive. It’s probably impossible to identify all of the risks on the initial pass through the risk management process. We may not have enough information yet. There may be technical requirements yet to elicit, staffing issues yet to decide, design decisions yet to be made, commitment decisions yet to be made, and so on. The risk identification step will need to be revisited repeatedly over time as more information is obtained from execution, tracking, and control activities.
ANALYZE THE RISKS
The second step in the Risk Management Process is to analyze each identified risk. The output of this step is a list of risks that has been prioritized by their level of threat to success. During the risk analysis step, each risk is assessed to determine its context, estimated probability of turning into a problem, estimated loss if the problem occurs, and time frame. The associated opportunity must also be analyzed to determine if the risk is even worth taking.
PLAN RISK MITIGATION
During the planning step, the appropriate risk-handling techniques are selected and alternative risk-handling actions are evaluated. Whatever handling options are selected, the associated actions should be planned in advance to proactively manage the risks rather than waiting for problems and reacting in a firefighting mode. The resulting risk management plans should then be incorporated into the project, product or process plans with assigned budget, staff and other resources.
CONTAINMENT & CONTINGENCY PLANNING
During the containment action step, the assigned individuals implement the risk containment plans.
If risk triggers are activated, analysis is performed and contingency actions are implemented as appropriate. Note that with some luck and good risk-handling plans, many of the contingency plans may never be implemented. Contingency plans are only implemented if we determine that a risk is turning into an actual problem.
TRACK THE RISKS
As a result of the track the risks step:
- Additional information may be obtained that indicates that further analysis is required or adjustments to the risk management plans are required.
- New risks may be opened and added to the risk list.
- Existing risks may be closed and removed from the risk list because they are no longer a threat to project success or because they have turned into problems.
- Triggers may indicate that risks are turning into problems and that analysis should be performed to determine if contingency plans should be implemented.
AN EXAMPLE
Let’s use the crossing-the-street analogy to examine the risk management process. First we identify the risk: we want to cross the street and know there is a possibility of traffic. We analyze the risk. What is the probability of being hit by a car? How much is it going to hurt if we are hit? How important is it that we cross this street at this time? We look both ways, we see the oncoming car, and we judge its rate of speed. We form a plan to reduce the risk and decide to wait until the car has passed. We implement the plan and wait. We track the situation by watching the car and we see it pull into a driveway. We change our plan and proceed across the street. We step onto the curb across the street and stop thinking about crossing the street (that is, we close the risk).
LESSONS LEARNED
The risk management process is not something we do once and forget about. It is an ongoing, proactive approach to identify, analyze, plan for, take action against and track our risks.
WHAT’S NEXT?
In future blogs, I will talk about each of the steps in the risk management process in more detail and discuss tools and techniques that can be useful in implementing each step.
Bio:
Linda Westfall is the president of Westfall Team, Inc. which provides software engineering, quality, and project management training and consulting services. She has more than 35 years of experience in real time software engineering, quality, project management and metrics.
Linda is the author of The Certified Software Quality Engineer Handbook from ASQ Quality Press. She is a past chair of the ASQ Software Division and has served as the Division’s Program Chair, Certification Chair and Marketing Chair, and on the ASQ National Certification Board. Linda is an ASQ Fellow and has a PE in Software Engineering from the state of Texas. Linda is also a Grand Master of the Pyrotechnic Guild International.