9.2 Risk management process

A simple and effective risk management process consists of the following four steps:

  1. Identifying the risk;

  2. Assessing the risk's magnitude;

  3. Determining the response to the risk;

  4. Planning how the risk will be addressed and reported on if it is encountered.

9.2.1 Risk identification

There is no widely accepted standard method to identify risks. Experience on other, similar projects or products is a valuable tool in risk identification. Brainstorming, what-if questioning, and the like can sometimes lead to the discovery of risk potential. An important technique is to look for the worst possible situations that might occur and try to determine their likelihood. In addition, asking how the product or project could fail will frequently uncover unexpected threats.

Once a risk or risk potential, however remote it may seem, is identified, it should be recorded and passed on to risk assessment.

9.2.2 Risk assessment

Risk assessment includes making the following determinations:

  1. The cost potential of the risk's occurrence;

  2. The probability of the risk occurring;

  3. The risk exposure;

  4. The cost to respond to the risk.

9.2.2.1 Cost-potential determination

Some costs can be computed or estimated directly. The costs of damaged equipment, overpayment of invoices, untimely submission of invoices or payments, and the penalties for budget or schedule overruns are generally predictable to a degree. Other costs such as lost customers or customer confidence or the cost of the loss of human life cannot be well determined. To the greatest extent possible, each identified risk should be assigned a cost potential.

9.2.2.2 Occurrence-probability determination

As in the determination of cost potential, some risk probabilities can be determined easily. Historical records of tornado frequency are available for many areas. Testing history or previous operational experience can lead to the likelihood that a given risk might occur. Some risks may just be assigned a value based on one's gut feel. In any event, a probability will be stated for each identified risk.

9.2.2.3 Risk-exposure determination

Risk exposure is the product of the cost potential and the probability of the risk. The exposure for each risk will be calculated and used in risk management planning to assign priorities and response methods to them. In some cases, such as the loss of human life, the cost may be deemed infinite and an infinite exposure value assigned.

9.2.2.4 Response-cost determination

This task is similar to the cost and schedule estimation for the project itself. An estimate of the cost—and its impact on the budget and schedule—to respond to each identified risk will be calculated.

9.2.3 Risk response

Once the risk exposure is calculated, a response to that risk must be determined. Based on the exposure, and the estimated cost to respond, each risk will be assigned one of the following response types:

  • Elimination;

  • Avoidance;

  • Mitigation;

  • Acceptance.

9.2.3.1 Elimination

Elimination of the risk is called for when the exposure is unacceptably high or when the cost of elimination is not prohibitive. In the case of risk to human life, every effort is expended to eliminate the risk. In the case of low or negligible cost to respond, the risk is usually eliminated as well. For example, if potholes in the road pose significant risk to automobiles and their drivers, the risk elimination would be to fill the potholes.

9.2.3.2 Avoidance

As the term suggests, avoidance means taking alternative steps so that the risk probability is reduced to zero or almost zero. In the pothole example, closing the street would be an example of avoidance.

9.2.3.3 Mitigation

Mitigation is the reduction of the exposure to the risk. This can be accomplished by reducing the probability of the risk occurring, reducing the cost of experiencing the risk, or both.

Again, using the pothole example, the probability of risk could be lowered by installing a barrier around the pothole. Installing warning signs about the danger of potholes in the street and advising motorists to seek an alternative route could reduce the penalty, as well as the cost of a potential lawsuit filed by a driver who hits the pothole.

9.2.3.4 Acceptance

In the case of an extremely unlikely occurrence, or very low estimated cost of occurrence, the decision might be to ignore the risk and live with the threat. This decision might also be reached if the cost of elimination, avoidance, or mitigation is unacceptably large. In the pothole case, the decision might be to ignore tiny potholes.

9.2.4 Planning and reporting

The final step in the risk management process is the generation of a specific risk management plan for the project. The plan spells out all identified risks and the company's planned responses should those risks be encountered. The required reporting concerning the risk management process and provisions for its improvement are also discussed in the plan.
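As an added worked example (not code from the book), the assessment rules of 9.2.2 and the response rules of 9.2.3 encoded as a small risk register for a software project: exposure is cost potential times probability, an infinite cost potential (loss of human life) yields infinite exposure, and each risk is ranked by exposure and assigned a response type. The thresholds, the sample risks and all their values are assumptions; the book gives no numeric rule for choosing between mitigation and avoidance, so that choice is left to engineering judgment.

```python
import math
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    cost_potential: float   # estimated cost if it occurs; math.inf for loss of human life
    probability: float      # probability of occurrence, 0.0 to 1.0
    response_cost: float    # estimated cost of the response (elimination/avoidance/mitigation)

    @property
    def exposure(self) -> float:
        # Exposure = cost potential x probability; an infinite cost gives infinite exposure.
        if self.probability == 0:
            return 0.0      # avoid inf * 0 = nan for a risk that cannot occur
        return self.cost_potential * self.probability

# Assumed organisational thresholds (not from the book): negligible response cost,
# unacceptably high exposure, very low exposure, and "extremely unlikely".
NEGLIGIBLE_RESPONSE_COST = 1_000
UNACCEPTABLE_EXPOSURE = 50_000
LOW_EXPOSURE = 500
EXTREMELY_UNLIKELY = 0.001

def choose_response(risk: Risk) -> str:
    """Apply the response rules of 9.2.3 in priority order."""
    if math.isinf(risk.exposure):
        return "Elimination"   # risk to human life: every effort goes into eliminating it
    if risk.response_cost <= NEGLIGIBLE_RESPONSE_COST:
        return "Elimination"   # cheap to remove, so remove it
    if risk.probability <= EXTREMELY_UNLIKELY or risk.exposure <= LOW_EXPOSURE:
        return "Acceptance"    # extremely unlikely or cheap to suffer: live with it
    if risk.response_cost > risk.exposure:
        return "Acceptance"    # responding costs more than the exposure it removes
    if risk.exposure >= UNACCEPTABLE_EXPOSURE:
        return "Elimination"   # unacceptably high exposure
    return "Mitigation/Avoidance"  # reduce probability and/or cost; option chosen by engineers

def risk_register(risks):
    """Rank risks by exposure (highest first) and attach the chosen response."""
    ranked = sorted(risks, key=lambda r: r.exposure, reverse=True)
    return [(r.name, r.exposure, choose_response(r)) for r in ranked]

# Constructed sample entries for a software project's register (illustrative values only).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server compromised", 200_000, 0.30, 20_000),
    Risk("Safety interlock firmware fault injures operator", math.inf, 0.01, 500_000),
    Risk("Backup media lost in transit", 40_000, 0.10, 3_000),
    Risk("Stale test account left enabled", 5_000, 0.20, 200),
    Risk("Office flooded by hundred-year storm", 300_000, 0.0005, 150_000),
]
```

Calling `risk_register(SAMPLE_RISKS)` returns the entries sorted by exposure with their response type, which is the content a 9.2.4 plan lists for each risk.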

Appendix L presents a sample risk management plan from IEEE Standard 1540-2001.


Practical Guide to Software Quality Management (Artech House Computing Library)
ISBN: 1580535275
Year: 2002
Pages: 137
Authors: John W. Horch