All projects have varying levels of risk, the more unknowns the more risk, Risk planning is the process of proactively preparing for risks, these proactive measures are part of the project scope, budget and schedule. One thing to keep in mind is the difference between a risk and an issue, a risk is something that can be identified and planned for an issue is something out of left field that needs to be dealt with for example lightning strikes the project sponsor, whereas a risk could be new legislation that may or may not be passed during the project.
We plan for risks early on because preparing for a risk will greatly decrease the cost of resolution if identified and prepared for vs taking the project by surprise. The greatest level of unknown is also at the start of the project, as the project moves through the execution phase more and more of the unknowns are identified and risks tend to decrease as the project approaches closing.
Risk Identification
Risk planning starts with identify risks, the whole project team should be involved in this process; risks can be: technological, economic, cultural, environmental, organizational, external, internal, business, resources, schedule, budget, profit, quality of deliverables, etc. the list goes on, what has to be established is the likely hood of a risk affecting the project, this can be done by:
- Review historical records of similar projects
- Use a checklist of common risks that can occur
- Brainstorm with the team what possible risks might occur
- Review the Project Scope (WBS and activities), schedule, and budget for any assumptions that could manifest themselves into risks
- Any risks identified outright when creating the project documents
When identifying risks it is important to not just identify the event but also the impact of the risk. It is easy to focus on the negative risks, but there could also be positive risks, that is events that might occur that could benefit the project; such positive risks should also be identified.
Risks should be captured in a document called a "Risk Register" or "Risk Log"
Not all risks have an equal chance of occurring and since there is far more risks in a project then can possibly be addressed it is imperative that the risks with the highest chance of occurring are the risks the project is prepared for.
Qualitative Risk Analysis
allows the prioritization of risks based on
- likely of occurring
- their impact
- ease of identifying their occurrence
The risk matrix is designed in such a fashion that it uses a heat map to establish the order that risks should be panned for
for example a risk that has a high impact and a medium probability falls into the top middle square which is red. whereas a risk that has a low probability and impact would fall into the bottom left square that has a risk of green.
the idea is that all red risks need to of high priority, usually all read and yellow risks have mitigation plans and green risks are reviewed to decide if they need a specific mitigation plan.
For a more sophisticated scale we can use the RPN or risk priority number, this number is generated
by multiplying the probability value by the impact value by the detraction value
Probability | Impact | Detection |
- Won't happen
- Not likely to happen
- May or may not happen
- Likely to happen
- Definitely will happen
|
- No Impact
- Not significant
- May or may not be significant
- Significant
- Severe
|
- Definite Detection
- Easy to detect
- May or may not be detected
- Difficult to detect
- Impossible to detect
|
with these scales in place and our rpn formula
rpn = probability * impact * detection
Risk | Impact | Probability | Detection | RPN |
Risk # 4 | 4 | 4 | 5 | 80 |
Risk # 2 | 3 | 4 | 2 | 48 |
Risk # 1 | 2 | 4 | 2 | 16 |
Risk # 3 | 1 | 2 | 3 | 6 |
Risks are ordered from highest RPN to lowest , there is no hard had fast rule as to how many risks should be planned for but between the top 1/3rd and 1/2 is a usual amount.