What often confuses people is the difference between a risk and an issue. As defined in Webster's Collegiate Dictionary, risk is the "possibility of loss or injury." Risks differ from problems or issues because risks refer to anticipated problems, uncertainties, or potential for adverse outcome or loss in value, control, functionality, quality, or timely completion of a project. Problems and issues, however, are conditions or states of affairs that exist in a project at the present time. Risks can, in turn, become problems or issues if they are not addressed effectively. Most individuals associate the concept of risk with the potential for loss; risk can adversely affect project outcomes. Inadequate handling of risk can depreciate project outcomes and likely results in the failure of a solution to achieve its full potential. Although a risk presents the possibility of adverse project impact, when handled correctly, it also presents an opportunity for gain. As such, MSF broadly defines a project risk as any event or condition that can have a positive or negative impact on the outcome of a project. This wider concept of speculative risk is used by the financial industry where decisions regarding uncertainties can be associated with the potential for gain as well as loss, as opposed to the concept of pure risk used by the insurance industry where uncertainties are associated with potential future losses only. What does it mean to handle risk correctly? How should a team handle uncertainty and what might happen? Will valuable time be wasted on what might never be realized? MSF attempts to address these questions in its risk management approach.

Managing Risks Throughout a Project

Effective handling of risk increases the likelihood of success in a project by minimizing the potential for failure and maximizing the potential to use risk for gain.
Effective handling of risk involves having a good approach (i.e., risk management process) and accomplished execution of that approach (i.e., risk management discipline). Managing risks throughout a project does not need to be hard or complicated. Risk management is a process of proactively identifying, analyzing, and addressing project risks. A goal of risk management is to maximize the positive impacts (opportunities) while minimizing the negative impacts (losses) associated with project risk. An effective policy of understanding and managing risks ensures that effective trade-offs are made between risk and opportunity. Before discussing the MSF Risk Management Process, it is necessary to explore elements of risk management and how the MSF foundational principles apply to risk management.

MSF Risk Management Discipline

So what does it mean to have risk management discipline? It means successfully handling and approaching risk on a few different levels, namely, these:
To be successful at handling risk, these characteristics of risk management need to be internalized and adapted to each project. For instance, what does it mean to handle risk proactively? It could mean anticipating problems rather than reacting to them. As part of anticipating problems, problem resolution plans are prepared before problems occur (most often for high-impact risks that are likely to occur). However, being proactive also could mean using preventative measures whenever possible to minimize risks and potentially keep them from being realized. The point is that there is wide latitude for how to handle risks, and as such, a team needs to reach agreement and plan out what is appropriate for their given project constraints. The following section explores this topic further.

Risk Management Planning

At the beginning of a project, a team should develop and document how they plan to handle risk within the context of a project. Because risk management seems the least understood area, here are some questions to help you get started thinking about risk management:
Risk management planning activities should not be viewed in isolation from the standard project planning and scheduling activities, just as risk management tasks should not be viewed as being "in addition" to tasks team members perform to complete a project. Because risks are inherent throughout a project, resources should be allocated and scheduled to manage risks actively. The next section discusses this topic further.

Integrating Risk Management in a Project Life Cycle

Risk management should be seamlessly integrated into the overall project life cycle. Risk assessment should begin at the beginning of a project as a project team and stakeholders begin to frame a project vision and begin setting constraints. With each constraint and assumption that is added to a project, additional risks will begin to emerge. A project team should begin risk identification activities as early in a project as possible. As a project continues, risk mitigation and contingency plans, discussed in detail later in this chapter, should be built directly into a project schedule and master plan. Progress of the risk plan should be monitored by the standard project management process. In general, risk identification and risk tracking are continuous activities. Supported by the open communications principle, team members should be constantly looking for risks to a project and surfacing them for a team to consider, as well as continuously tracking the progress against specific risk plans. Analyzing and reanalyzing risks as well as modifying risk management action plans are more likely to be intermittent activities for a team, sometimes proactively scheduled (perhaps around major checkpoints or weekly project status reviews), and sometimes as a result of an unscheduled project event (discovery of additional risks during tracking and control). Learning is most often a scheduled event occurring around major checkpoints and certainly at the end of a project.
Over the course of a project, the nature of risks being addressed should change as well. Early in a project, business-, scope-, requirement-, and design-related risks dominate. As time progresses, technical risks surrounding implementation become more prominent, and then transition to operational risks. It is helpful to use risk checklists or review risk classification lists at each track transition within a project life cycle to guide risk identification activity.

Managing Risk Across a Portfolio of Projects

Not all projects have equal priority and importance. As such, risks associated with those projects are also not equally weighted. When dealing with a portfolio of projects, be it within a program or an enterprise, there needs to be a means to assess and manage risk across that portfolio. For example, how much effort should be spent on a high risk on a low-priority project as opposed to medium risk on a critical project? There is no one answer because it is situational. However, a team needs to have a clear means to resolve this. Remember, a goal is to achieve maximum return on risk management efforts across a portfolio. But why should an organization spend extra effort managing risks across a portfolio? It seems like a lot of extra work. Yes, but many benefits at a portfolio level would not be realized unless portfolio-level management occurred. For instance, here are a few benefits:
Depending on the size of a portfolio, an organization might have resources dedicated, even if part-time, to work with project leads to manage risk across a portfolio. This dedicated team often is referred to as a Risk Review Board. Note that portfolio risk review complements risk assessments undertaken by each project team. A review team typically does not have enough project knowledge to help identify risks, nor does it likely have the time available to undertake risk mitigation actions. However, it can contribute to risk analysis and planning. Because a review team normally contains more experienced practitioners, its members often call on that experience to advise a project team on the significance of certain risks, helping a team to prioritize risks. These experienced people are good resources who can recommend mitigation and contingency strategies that they have seen used effectively in the past. Based on their experience, they are well suited to help spot trends across projects that might identify an underlying problem, triggering some root-cause analysis. The following are successful practices that have been applied in portfolio risk management:
Creating a Risk Management Culture

Although few project delivery organizations argue against managing risks on their projects, many find it difficult to fully adopt the discipline associated with proactive risk management. What often happens is that a team initially assesses risk at the start of a project, but fails to continue to manage risks as a project proceeds. Two reasons are frequently put forward to explain this:
Often, a root cause for these beliefs is that managers themselves do not understand the value that risk management delivers to a project. As a result, they are reluctant to propose adequate resources necessary for risk management (and indeed other project management activities). Conversely, they might sacrifice these activities first if a project comes under pressure. It is therefore especially important to ensure that all stakeholders appreciate the importance of managing risks to establish a culture where risk management thrives. The following activities have been found to be effective in establishing risk management as a consistent discipline:
Foundational Principles Applied to Risk Management

The MSF Risk Management Discipline is founded on a belief that risk must be addressed proactively, as part of a formal and systematic process that approaches risk management as a positive endeavor. This discipline is based on foundational principles, mindsets, and practices that are central to MSF. The following principles are especially important for effective project risk management.

Foster Open Communications

MSF espouses an open approach toward discussing risks, within a team as well as with key stakeholders external to a team. All team members should be involved in risk identification and analysis. Team leads and management should support and encourage development of a no-blame culture to promote this behavior. Open, honest discussion of project risk leads to more accurate appraisal of project status and better-informed decision making both within a team and by executive management and sponsors.

Work Toward a Shared Vision

All aspects of delivering a solution are fraught with risks. Part of having a shared vision is making sure everyone understands how to identify, classify, communicate, and manage those risks. That way, a team makes informed decisions throughout a life cycle. Also, a team can choose to avoid risk(s) by adjusting a shared vision.

Empower Team Members

Empowering team members involves a degree of trust and personal safety. That is, any team member can raise a risk in a constructive manner without fear of retribution or disdain: a blameless environment. Team members should be comfortable enough to know that raising a risk associated with their area is a sign of needed maturity. As such, the quantity of risks associated with various teams and individuals should not be used as assessment/evaluation criteria.

Establish Clear Accountability, Shared Responsibility

No one person "owns" risk management within MSF. Everyone on a team is responsible for actively participating in a risk management process.
Individual team members take ownership of action items specifically addressing project risk within a project schedule and plans. Each holds personal responsibility for completing and reporting on these tasks in the same way that he or she does for other action items related to completion of a project. Activities might span all areas of a project during all tracks of a project and risk management process cycles. These activities include risk identification within areas of personal expertise or responsibility and extend to include risk analysis, risk planning, and execution of risk control tasks during a project. Within the MSF Team Model, a Project Management functional area of the Program Management Advocacy Group holds final accountability for organizing a team in risk management activities and ensuring that risk management activities are incorporated into standard project management processes for a project.

Deliver Incremental Value

Incremental delivery of value typically enables a reduction of risk. More frequent and smaller deliveries enable a team to react and respond quickly to risks. By decomposing a solution into incremental deliveries, a team and stakeholders reduce risk on many fronts. They reduce risks associated with technology because they continually are building and refining a deployed solution. They reduce risks that a solution will not meet stakeholders' needs and expectations. They reduce risks that what is being delivered does not provide value to stakeholders. They reduce risks associated with team member skills readiness because incremental builds of a solution can be used to hone and assess team member skills.

Stay Agile, Expect and Adapt to Change

Prospect of change is one of the main sources of uncertainty facing a project team. Risk management activities should not be limited to any one portion of a project life cycle. All too often, teams start out a project with the good intention of applying risk management principles, but fail to continue the effort all the way through project completion under pressures of a tight schedule. Agility demands that a team continuously assess and proactively manage risks throughout all tracks of a project life cycle because continuous change in all aspects of a project means that project risks are continuously changing as well. A proactive approach enables a team to embrace change and turn it into an opportunity to prevent change from becoming a disruptive, negative force.

Invest in Quality

Investing in quality typically translates into reduced risk and better management of risk. Managing risks effectively usually means a team has more time to focus on their efforts rather than spending time reacting to realized risks (i.e., issues). How many times have you been on a project that has had to "drop everything" to deal with an issue that could have been prevented? Most likely too many times!

Learn from All Experiences

MSF assumes that keeping focus on continuous improvement through learning leads to greater success. Knowledge captured from one project decreases uncertainty surrounding decision making with inadequate information when it becomes available for others to draw upon in the next project. MSF emphasizes the importance of organizational or enterprise-level learning from project outcomes by incorporating a step into a risk management process. Focusing directly on capturing project outcome experiences encourages team-level learning (from each other) through fostering open communications among all team members.

Partner with Customers

As discussed, risks are not necessarily caused by the failings of a team.
Rather, risks are usually generated when a team takes calculated steps to accelerate solution delivery. This type of risk, if handled correctly, typically means a windfall for customers. As such, partnering with customers to gauge how much risk should be assumed is essential to the success of a project.

MSF Risk Management Fundamentals

In this section, important concepts about risk and risk management central to understanding the MSF Risk Management Discipline are discussed.

Risk Is Inherent in Any Project or Process

Although different projects might have more or fewer risks than others do, no project is completely free of risk. Projects are initiated so an organization is able to achieve a goal that delivers value in support of an organization's purpose. Uncertainties always surround a project and the environment that can affect the success of achieving this goal. By always keeping in mind that risk is inherent and everywhere, MSF practitioners seek ways to continuously make the right trade-off decisions between risk and opportunity and do not become too focused on minimizing risk to the exclusion of all else.

Proactive Risk Management Is Most Effective

MSF adopts a proactive approach to identifying, analyzing, and addressing risk by focusing on the following:
Effective risk management is not achieved by simply reacting to problems. A team should work to identify risks in advance and to develop strategies and plans to manage them. Plans should be developed to correct problems if they occur. Anticipating potential problems and having well-formed plans in place ahead of time shortens the response time in a crisis and can limit or even reverse the damage caused by an occurrence of a problem. Defining characteristics of proactive risk management are risk mitigation and risk impact reduction. Mitigation can occur at the level of a specific risk and target the underlying immediate cause, or it can be achieved by intervention at a root-cause level (or anywhere in the intervening causal chain). Mitigation measures are best undertaken in the early stages of a project when a team still has the ability to intervene in time to affect project outcome. Identification and correction of root causes has high value for the enterprise because corrective measures can have far-reaching positive effects well beyond the scope of an individual project. For example, absence of coding standards or machine naming conventions can clearly result in adverse consequences within a single development or deployment project and thus be a source of increased project risk. However, creation of standards and guidelines can have a positive effect on all projects performed within an enterprise when these standards and guidelines are implemented across an entire organization.

Treat Risk Identification as Positive

Effective risk management depends on correct and comprehensive understanding of risks facing a project team. As the variety of challenges and the magnitude of potential losses become evident, identifying and managing risks can become a discouraging activity for a team. Some team members might even take the view that to identify risks is actually to look for reasons to undermine the success of a project.
In contrast, MSF adopts the perspective that the very process of risk identification enables a team to manage risks more effectively by bringing them out into the open, and thereby increases the prospects for success by a team. Open, documented discussion of risk frees team members to concentrate on their work by providing explicit clarification of roles, responsibilities, and plans for preventative activities and corrective measures for problems. A team (and especially team leaders) should always regard risk identification in a positive way to ensure contribution of as much information as possible about the risks they face. A negative perception of risk causes team members to feel reluctant to communicate risks. The environment should be such that individuals identifying risks do so without fear of retribution for honest, constructive expression of tentative or controversial views. Examples of negative risk environments are easy to find. For example, in some environments reporting new risks is viewed as a form of complaining. In this setting, a person reporting a risk is viewed as a troublemaker, and reaction to a risk is directed at a person rather than at the risk itself. People generally become wary of freely communicating risks under these circumstances and then begin to selectively present the risk information they decide to share to avoid confrontation with team members. Teams that create a positive risk management environment by actively rewarding team members who surface risks are more successful at identifying and addressing risks earlier than those teams operating in a negative risk environment. There also should be a reward for team members who propose ways to address these risks. To achieve a goal of maximizing positive gains for a project, a team must be willing to take risks. This requires viewing risks and uncertainty as means to create the right opportunity for a team to achieve success.
Continuous Assessment

Many people misperceive risk management as, at best, a necessary but boring task to be carried out at the beginning of a project or only at the introduction of a new process. However, actively managing risk can provide team members with the confidence to be able to take risks. Continuing changes in project and operating environments require project teams to reassess the status of known risks regularly and to reevaluate or update plans to prevent or respond to problems associated with these risks. Project teams should also be constantly looking for the emergence of new project risks. Risk management activities should be integrated into an overall project life cycle in such a way as to provide appropriate updating of risk control plans and activities without creating a separate reporting and tracking infrastructure.

Maintain Open Communications

Although risks are generally known by some team members, this information is often poorly communicated. Often, it is easy to communicate information about risks down an organizational hierarchy, but difficult to pass information about risks up the hierarchy. At every level, people want to know about project risks but are wary of communicating this information upward. Restricted information flow regarding risks is a potent contributor to project risk because it forces decisions to be made about those risks with even less information. Managers and key influencers need to encourage and exhibit open communications about risk and ensure that risks and risk plans are well understood by everyone.

Specify, Then Manage

Risk management is concerned with decision making in the face of uncertainty. Generic statements of risk leave much of the uncertainty in place and encourage different interpretations of a risk. Clear statements of risk aid a team in the following:
MSF advocates that risk management planning be undertaken with attention to specific information to minimize execution errors in a risk plan that render preventative efforts ineffective or interfere with recovery and corrective efforts.

Don't Judge a Situation Simply by the Number of Risks

Although team members and key stakeholders often perceive risk items as negative, it is important not to judge a project or operational process simply on the number of communicated risks. Risk, after all, is the possibility, not the certainty, of a loss or suboptimal outcome. As explained in the next section, the MSF Risk Management Process advocates the use of a structured risk identification and analysis process to provide decision makers with information on the presence of risks and the importance of those risks as well.