Risk management planning

Before starting the process of risk identification, the first stage is to establish the strategy for approaching risk management before determining the risk management plan. Risk management planning is required to outline how the risks will be identified, analyzed, monitored, controlled and reviewed. The strategy being applied must be consistent with the priority, size and complexity of the project, as well as the organization's culture and normal working practices. A project would be unlikely to follow a high-risk strategy if the initiating organization usually adopts risk avoidance. The following list of points could be included within the risk management plan to match the strategy:

• How the risks will be identified, analyzed and assessed.

• How the risks will be defined within the context of their impact and probability.

• How risks will be allocated and controlled, decisions taken and actions implemented.

• How actions implemented will be monitored and evaluated.

• How stakeholders will be involved and informed about the process of risk management.

Key Idea Risk management planning should take place as early as is practical because it outlines the processes and their importance for risk identification and analysis.

The formulation of the risk management plan and the definition of the risk process will be headed up by the project manager, but input to the plan should come from the project team, sponsor, stakeholders and experts as appropriate. If the project involves a customer, their thoughts and priorities on the planning process will also affect the project's approach to risk. Much of the planning work should be started as early as possible during the planning phase, because the detail from this process is required to complete the other activities such as identifying, analyzing and planning the risk responses. Without the overarching framework for risk management, the remaining planning work cannot be defined or quantified. Figure 11.1 shows the inputs, tools and techniques and the sole output for the risk planning process.

Risk management plan

The initial starting point for information relating to risk management could be gleaned from historical records, or lessons learned from previous projects. Other useful sources of information are the project charter, letters and papers produced before the approval of the project. The detail contained in these documents provides the background and context for the project, as well as conveying the organization's priorities and tolerance to risk. If the benefits of an early delivery mean that the balance of risk shifts towards 'risk-taking', the risk of fast-tracking the work could be accepted to achieved the required goal. A contingency plan to cater for delays should be prepared to support this more risky approach, but the proposed plan may require the provision of extra funding to provide greater resources to crash the project and maintain the early delivery date. Further project documentation that is key to the production of the risk management plan includes the scope statement and project management plan. Elements contained in the scope statement may mention aspects of the initial risk analysis conducted by the project sponsor.

The various plans included in the project management plan could provide useful inputs to the risk management plan from the WBS, network diagram, communications, staffing and procurement management plans, together with the time and cost estimates versus the project's budget. All of this information can be used to develop the risk management plan, which ultimately becomes part of the project management plan. The risk management plan will therefore define how risk management is to be structured and applied by including the following:

• Methodology how risk management will be performed, taking into account the project's priority, size and complexity.

• Roles and responsibilities people are given specific roles with regard to risk, together with the allocation of certain responsibilities linked to the task.

• Budgeting costs associated with the provision of risk management and contingency planning are included within the cost baseline.

• Risk categories a list of common risk categories used to assist the identification and analysis of risks experienced by the organization, or from other similar projects. The aim is to get a consistent and coherent approach to risk identification.

• Definitions of probability and impact a declared standard for probability and impact is defined so the level of application is similar for all involved.

• Stakeholder tolerances from project initiation onwards, the level of risk tolerance must be stated and regularly revised.

• Reporting formats content and layout of the risk management report are defined, together with its distribution.

• Tracking how the risk activities are recorded and audited.

Risk categories

Building up a list of the risks on a project is the first hurdle in risk management. It is very hard to manage risks that have not been identified. It can be difficult to get started identifying risks, because the job can seem overwhelming after all, anything could happen, couldn't it? In fact, risks can be grouped under categories, the significance of which for an individual project is much easier to see. The idea of using a standard list of risk categories is to ensure all the usual areas of risk are covered. Many of the subject headings may not be applicable for your project, but at least each category has been considered. If a project manager failed to follow the company's standard list of risk categories, how embarrassing would it be if a risk from the list appeared on the log without a prescribed response? The benefit of using a standard list in the initial stage of risk identification is to make sure all the common areas, or sources of known risk, are identified and analyzed as appropriate for the project.

PMI says Risk category 'Risk Category is a group of potential risks. Risk causes may be grouped into categories such as technical, external, organizational, environmental, or project management.' PMBOK Guide (p.373)

The risk categories can be arranged in a WBS-type framework to form a risk breakdown structure (RBS), with the risk categories replacing the major deliverables of the WBS. The type of risk categories and sub-categories considered to develop a RBS may consist of the following areas.

Technical

These are risks that apply across the project, rather than on specific activities. Examples include:

• Uncertainty about user requirements.

• Technology failure the possibility that the technology will not work as anticipated.

• Technology advance a new technical concept may provide benefits to the project.

• Lack of relevant experience that has successfully executed similar projects.

• Degree of innovation required and consequent uncertainty over whether the chosen approach will work.

• Security and confidentiality.

• Output quality risk the possibility that the project output fails to meet expectations. This includes many technical risks, but also risks such as the usage cost of the project output being too high, or the performance being too low, or the quality being too variable.

External

These are external sources that in some way may impact on the project. Some of these are beyond the control of the project manager, but all can be monitored and the project steered round them if they are identified in time. Examples include:

• User acceptance risk.

• Failure of a sub-contractor to deliver satisfactorily.

• Changes in market conditions that may change the commercial attractiveness of the project.

• Constraints on business activities for legal, regulatory, or environmental reasons

• Possibility that the market was misjudged the project might meet all its targets, but customers might not buy.

• Public opinion of the firm's brand, which may limit or enhance the range of activities that the firm wishes to be seen to undertake.

Organizational

These are threats that could affect the organization as a whole, which in turn could impact on the project. Examples include:

• Emerging project investment opportunities may reduce the priority allocated to the project.

• Change in financial status reduces the availability of funding for the project.

• Competition from other projects competes for limited funding and resources.

• Mismatch between the skills required and the workers available in the company.

Project management

These are the possible sources of threat or opportunity linked to project management issues that could cause an impact on the project. Examples include:

• Adjustment to the level of management support and advocacy.

• Lack of project management knowledge.

• Change of focus towards project management.

• Timescale risk the possibility that the output may appear after the project deadline.

• Project cost risk the possibility that the funding required to complete the project exceeds that originally planned.

• Missing tasks or hidden dependencies in the plan.

• Resistance to change.

• Cultural issues.

• Personality clashes within the team.

The list of risks is there to aid the thinking process, but these should not be the only risk areas to consider. There could be risks generated by a new technology concept, or types of risk not previously experienced by the organization. As a project manager, you must always look beyond the standard list and consider other possible causes of risk that could catch you out.