Ongoing Risk Management Process

During the Envisioning Phase, the team began identifying and managing risks using the five-step process shown in Figure 6.12. As part of the Vision Approved Milestone, the Master Risk Assessment Document was prepared. This document was fairly high-level, because in the Envisioning Phase, the details of the project had not yet been worked out.

Figure 6.12 Five steps of risk management

One deliverable for the Planning Phase is a revised version of the Master Risk Assessment Document. At this point in the project, the team is ready to work through the risk management process again, adding necessary details to the plan and perhaps changing some of the original assessments. As the team moves through the project, it will continue to loop through the risk management process, retiring some risks, controlling others, and even identifying new ones. In fact, when the revised Master Risk Assessment Document is complete, it's a good idea to include a risk management section in each subsequent meeting agenda. Doing so ensures that the team will continue to use the five steps shown in Figure 6.12 to manage risk.

When creating the original risk document in the Envisioning Phase, the team identified as many risks as possible. As part of its analysis, the team calculated each risk's exposure rating by multiplying the risk's probability by its impact. The team also developed preliminary plans to address the Top Ten risks, based on that analysis. For each plan, the team considered five key areas:

• Research Do we know enough about the risk?
• Acceptance Can we live with its consequences?
• Avoidance Can we avoid the risk?
• Mitigation Can we reduce the probability or impact?
• Contingency What can we do of the risk is realized?

The team then developed subplans either to mitigate the risk or to create contingency trigger values and strategies if the risk occurred.

The problem with the risk management approach of some project teams is that they create a risk management plan and then believe that their work is done. In fact, the risk tracking and risk control steps are just as critical to risk management as the risk action planning step, and are the key steps during the Planning Phase of a project.

After creating the Master Risk Assessment Document, the team should begin tracking the status of the various risks and progress as far as controlling each risk is concerned. For each risk, the team should ask:

• Have we done anything to mitigate the risk?
• Has the risk changed due to forces outside our control?
• As a result of either our efforts or outside forces, has there been a change in either the probability or the impact of the risk?
• If anything has changed, what is the corresponding change in the risk's exposure rating and therefore in its priority?
• Have any of the contingency triggers been "pulled"?
• Based on the above, what should be our response?

The risk tracking step leads to the risk control step, in which the project team reacts to the tracked changes. This reaction may include new mitigation plans, activation of contingency plans, re-analysis of the risk, or retirement of the risk if the risk has occurred or been resolved.

Risk management is an ongoing, dynamic process. Practicing risk management throughout the project is a vital part of the MSF approach to project management.