A simple and effective risk management process consists of the following four steps:
Identifying the risk;
Assessing the risk's magnitude;
Determining the response to the risk;
Planning for the addressing of, and reporting on, the risk if encountered.
There is no widely accepted standard method to identify risks. Experience on other, similar projects or products is a valuable tool in risk identification. Brainstorming, what-if questioning, and the like can sometimes lead to the discovery of risk potential. An important technique is to look for the worst possible situations that might occur and try to determine their likelihood. In addition, asking how the product or project could fail will frequently uncover unexpected threats.
Once a risk or risk potential, however remote it may seem, is identified, it should be recorded and passed on to risk assessment.
Risk assessment includes making the following determinations:
The cost potential of the risk's occurrence;
The probability of the risk occurring;
The risk exposure;
The cost to respond to the risk.
Some costs can be computed or estimated directly. The costs of damaged equipment, overpayment of invoices, untimely submission of invoices or payments, and the penalties for budget or schedule overruns are generally predictable to a degree. Other costs such as lost customers or customer confidence or the cost of the loss of human life cannot be well determined. To the greatest extent possible, each identified risk should be assigned a cost potential.
As in the determination of cost potential, some risk probabilities can be determined easily. Historical records of tornado frequency are available for many areas. Testing history or previous operational experience can lead to the likelihood that a given risk might occur. Some risks may just be assigned a value based on one's gut feel. In any event, a probability will be stated for each identified risk.
Risk exposure is the product of the cost potential and the probability of the risk. The exposure for each risk will be calculated and used in risk management planning to assign priorities and response methods to them. In some cases, such as the loss of human life, the cost may be deemed infinite and an infinite exposure value assigned.
Estimating the cost to respond to a risk is similar to the cost and schedule estimation for the project itself. An estimate of the cost—and its impact on the budget and schedule—to respond to each identified risk will be calculated.
Once the risk exposure is calculated, a response to that risk must be determined. Based on the exposure, and the estimated cost to respond, each risk will be assigned one of the following response types:
Elimination;
Avoidance;
Mitigation;
Acceptance.
Elimination of the risk is called for when the exposure is unacceptably high or when the cost of elimination is not prohibitive. In the case of risk to human life, every effort is expended to eliminate the risk. In the case of low or negligible cost to respond, the risk is usually eliminated as well. For example, if potholes in the road pose significant risk to automobiles and their drivers, the risk elimination would be to fill the potholes.
As the term suggests, avoidance means taking alternative steps so that the risk probability is reduced to zero or almost zero. In the pothole example, closing the street would be an example of avoidance.
Mitigation is the reduction of the exposure to the risk. This can be accomplished by reducing the probability of the risk occurring, reducing the cost of experiencing the risk, or both.
Again, using the pothole example, the probability of risk could be lowered by installing a barrier around the pothole. Installing warning signs about the danger of potholes in the street and advising motorists to seek an alternative route could reduce the penalty, as well as the cost of a potential lawsuit filed by a driver who hits the pothole.
In the case of an extremely unlikely occurrence, or very low estimated cost of occurrence, the decision might be to ignore the risk and live with the threat. This decision might also be reached if the cost of elimination, avoidance, or mitigation is unacceptably large. In the pothole case, the decision might be to ignore tiny potholes.
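The exposure calculation and the response decision described above can be worked through in a small risk register. The following Python is an added example, not code from the original text: it computes exposure as cost potential times probability, treats an infinite cost (loss of human life) as infinite exposure so that it always ranks first, orders the register by exposure for priority assignment, and picks a response type. The numeric thresholds (ACCEPT_BELOW, NEGLIGIBLE_RESPONSE_COST, UNACCEPTABLE_EXPOSURE), the rule that a response costing more than the exposure it removes is treated as unacceptably large, and all sample risks are assumptions for illustration. Whether a middle-band risk is avoided or mitigated depends on what the chosen measure actually does to the probability, which the numbers alone cannot tell, so the example reports that band as "Avoidance or Mitigation".

```python
import math
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in the risk register."""
    name: str
    cost_potential: float   # estimated cost if the risk occurs; math.inf when deemed infinite
    probability: float      # probability of occurrence, 0.0 .. 1.0
    response_cost: float    # estimated cost to eliminate, avoid, or mitigate the risk

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.cost_potential < 0 or self.response_cost < 0:
            raise ValueError(f"{self.name}: costs must be non-negative")

    def exposure(self) -> float:
        """Risk exposure = cost potential x probability; infinite cost gives infinite exposure."""
        if math.isinf(self.cost_potential):
            return math.inf
        return self.cost_potential * self.probability


# Assumed decision thresholds (illustrative, not taken from the text).
ACCEPT_BELOW = 1_000.0               # exposure below this is lived with
NEGLIGIBLE_RESPONSE_COST = 1_000.0   # a response this cheap is simply carried out
UNACCEPTABLE_EXPOSURE = 500_000.0    # exposure at or above this must be eliminated


def choose_response(risk: Risk) -> str:
    """Assign one of the response types from the exposure and the cost to respond."""
    exp = risk.exposure()
    if math.isinf(exp):
        return "Elimination"                    # risk to human life: every effort to eliminate
    if exp < ACCEPT_BELOW:
        return "Acceptance"                     # extremely unlikely or very low cost of occurrence
    if risk.response_cost > exp:
        return "Acceptance"                     # assumed rule: responding costs more than the exposure it removes
    if exp >= UNACCEPTABLE_EXPOSURE or risk.response_cost <= NEGLIGIBLE_RESPONSE_COST:
        return "Elimination"                    # unacceptably high exposure, or negligible cost to respond
    return "Avoidance or Mitigation"            # reduce probability (avoidance) and/or cost (mitigation)


def prioritise(risks: list[Risk]) -> list[str]:
    """Risk names ordered from highest to lowest exposure, as used in planning."""
    return [r.name for r in sorted(risks, key=lambda r: r.exposure(), reverse=True)]


# Constructed sample register (values invented for the example).
SAMPLE_RISKS = [
    Risk("Large pothole on Main St", cost_potential=20_000, probability=0.25, response_cost=500),
    Risk("Tiny pothole on Main St", cost_potential=200, probability=0.5, response_cost=300),
    Risk("Tornado damage to depot", cost_potential=2_000_000, probability=0.02, response_cost=100_000),
    Risk("Integration schedule overrun", cost_potential=150_000, probability=0.5, response_cost=25_000),
    Risk("Unguarded press (loss of life)", cost_potential=math.inf, probability=0.001, response_cost=8_000),
]


def build_plan(risks: list[Risk]) -> dict[str, str]:
    """Map each risk name to its response type, in priority order."""
    by_name = {r.name: r for r in risks}
    return {name: choose_response(by_name[name]) for name in prioritise(risks)}


if __name__ == "__main__":
    for name, response in build_plan(SAMPLE_RISKS).items():
        exp = next(r for r in SAMPLE_RISKS if r.name == name).exposure()
        print(f"{name:32s} exposure={exp:>12,.0f}  response={response}")
```

Running the block prints the register in priority order, with the loss-of-life entry first and the tiny pothole last; changing the thresholds or the sample values shows how the response type moves between acceptance, mitigation, and elimination as exposure and response cost change.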
The final step in the risk management process is the generation of a specific risk management plan for the project. The plan spells out all identified risks and the company's planned responses should those risks be encountered. The required reporting concerning the risk management process and provisions for its improvement are also discussed in the plan.
Appendix L presents a sample risk management plan from IEEE Standard 1540-2001.