Risk planning should begin during the project selection phase. Project selection is the process of determining whether the company or organization should pursue a project. One criterion in the selection process is risk—risk in the schedule, budget, resources available, expertise required, and fit with the organization's strategic plan.
The major inputs to the risk planning step are:
The project charter
Organizational policies or guidelines
Contract documents (if the project results from an external customer; a statement of work or other departmental project document if it is for an internal customer)
The work breakdown structure (WBS)
The project charter describes the project manager's limits of authority, the project priority, and the support requirements from various functional units in the organization. The project charter readily identifies many potential risk areas. For instance, if the project priority is four, then it is immediately apparent that the project can lose out if resources are tight. Other risks are not always so obvious. In fact, some risks may be so subtle that, if a project fails, they are never recognized. Consider, for example, this typical scenario in the IT environment: A project has the potential for propelling the organization into the next level of market competitiveness, if it is successful. Under this scenario, this type of project gets a great deal of senior-level scrutiny and guidance. It gets so much guidance, in fact, that senior management's good intentions hamper the project manager's efforts to the point of project failure. In other words, too much of even a good thing can introduce risk into the project. Only a good project sponsor, charter, and mature senior management can prevent this kind of risk from occurring.
Along with the project charter, there are other company policies and guidelines to aid the project team. These policies and guidelines include templates, checklists, and guidance for identifying and planning risk contingencies.
Contractual documents, particularly those from external customers, contain information that can usually identify potential risk areas. This information has to be factored into the project planning. For instance, most contracts contain, at least, a high-level schedule. If a customer has a hard schedule completion date requirement, it may represent a potential risk to the seller, if resources are insufficient to meet the date.
The WBS is the most important tool for risk planning because it contains all the project tasks, and, consequently, a quick view of the potential risks. Since tasks drive the skill set and resource requirements, it will be apparent whether the project requires effort that falls outside the organization's capability—a critical risk that requires an alternative approach or a strategy to include teaming or outsourcing the work.
The network analysis provides insight into task interrelationships and potential risks associated with timing requirements and path convergence problems. Path convergence is the convergence of two or more network paths into a single node, as shown in Exhibit 7-2. In the exhibit, the convergence of paths from Tasks A, B, and C into Task D creates greater uncertainty in starting the path out of D on time. If any of the durations for A, B, or C is in error, then the start time for D is affected. If all three are in error, then the start time of D is affected exponentially.
Exhibit 7-2: Path convergence in a network analysis.
The major output of the risk-planning step is the risk management plan. The risk plan is a part of the overall project management plan and is often provided as an attachment. Many customers, particularly public sector customers, require a risk management plan as a part of any proposal submitted on a competitive bid. Exhibit 7-3 is an outline of a sample risk management plan.
Exhibit 7-3: Risk management plan format.
Risk Management Plan
Project Name and Brief Scope Description
Risk Management Methodology
Roles and Responsibilities
Funding
Risk Measurement and Interpretation Methodology
Levels of Risk Response Responsibility
Risk Communication Plan
Risk Tracking and Documentation
Appendixes
Risk Table
Risk Response Plan
The risk management plan guides you in the process of managing the risks of a particular project. Therefore, it is imperative that a plan is developed for every project and that the plan clearly identifies how the project risks will be identified, responded to, tracked, and controlled. Let us look at the nine sections of the risk management plan.
Project Name and Brief Scope Description. This section provides the name of the project (and often the project manager's name) as well as a short description of the project's purpose.
Risk Management Methodology. This section provides a narrative about the tools or techniques used to identify the risks and how the risk response strategies will be determined. This section also contains the data sources from which the risk and risk strategies are developed, such as historical data from previous, similar projects.
Roles and Responsibilities. The roles and responsibilities of each project team member and other task contributors should be clearly defined in this section. If the responsibility to report, eliminate, or track a risk is not clearly assigned, even a diligent team member can easily ignore an impending risk event. Of course, the project manager has ultimate responsibility for administering the risk plan and risk response strategies, but she can, and should, delegate responsibility for identifying risks and reporting triggers that presage a risk event.
Funding. Budgets for risk contingencies should be defined and guidance for their administration published at the start of the project. Many organizations assign the responsibility for the contingency, or reserve, funding pool to the project manager. In other organizations, however, funding for contingencies is strictly the responsibility of senior management. This section of the risk management plan should clearly state how the contingency funding is to be administered.
Risk Measurement and Interpretation Methodology. The method or methods used to measure risk and interpret scores are defined in this section. Most companies have guidelines for applying a weighting factor and/or a score for each type of risk. Scoring methods are important in both the quantitative and qualitative analyses to reduce the effects of subjectively assigning a value to a risk. Scoring methods should be chosen in advance, and they should be applied consistently throughout all steps of the risk management process.
Levels of Risk Response Responsibility. This section defines who has responsibility for each risk response according to a predetermined threshold. That is, during a project life cycle, risk events of different levels of impact can occur. The project manager has discretionary authority to handle certain levels of risk, but he must elevate the decision to a higher senior management position or to a committee, if the impact of the risk exceeds a certain monetary level. In some instances, only the customer has the authority to implement certain risk response strategies because of the costs to the project in time and money. The effectiveness of a risk management plan is measured against how well any actual risk event is kept below the lowest risk threshold.
Risk Communication Plan. This section describes report formats and outlines who receives reports on risk events, responses implemented, and the effectiveness of the risk response strategies.
Risk Tracking and Documentation. This section describes the process for tracking the effectiveness of the risk response strategies and how they are documented and archived as lessons learned.
Appendixes. This section provides a vehicle for attaching any additional information or plans, depending on the needs of each individual project. The two most common appendixes are the risk table and the risk response plan.
The Risk Table. This is a table or matrix of all the identified risks in the project. Many project teams prefer that the table contains only those risks being managed at the moment and that it be revised as you deal with each risk.
The Risk Response Plan. This is a detailed plan explaining the response strategies for each of the identified risks in the risk table.