Before starting the process of risk identification, the first stage is to establish the strategy for approaching risk management before determining the risk management plan. Risk management planning is required to outline how the risks will be identified, analyzed, monitored, controlled and reviewed. The strategy being applied must be consistent with the priority, size and complexity of the project, as well as the organization's culture and normal working practices. A project would be unlikely to follow a high-risk strategy if the initiating organization usually adopts risk avoidance. The following list of points could be included within the risk management plan to match the strategy:
The formulation of the risk management plan and the definition of the risk process will be headed up by the project manager, but input to the plan should come from the project team, sponsor, stakeholders and experts as appropriate. If the project involves a customer, their thoughts and priorities on the planning process will also affect the project's approach to risk. Much of the planning work should be started as early as possible during the planning phase, because the detail from this process is required to complete the other activities such as identifying, analyzing and planning the risk responses. Without the overarching framework for risk management, the remaining planning work cannot be defined or quantified. Figure 11.1 shows the inputs, tools and techniques and the sole output for the risk planning process.
Figure 11.1. The risk management planning process
A key discipline in this process is to focus on how to manage risks, not what the risks are, although some experience of relevant risks is necessary to do this, of course. Identifying and managing particular risks comes in subsequent processes. Adapted from PMBOK Guide (p.242)
Risk management plan
The initial starting point for information relating to risk management could be gleaned from historical records, or lessons learned from previous projects. Other useful sources of information are the project charter, letters and papers produced before the approval of the project. The detail contained in these documents provides the background and context for the project, as well as conveying the organization's priorities and tolerance to risk. If the benefits of an early delivery mean that the balance of risk shifts towards 'risk-taking', the risk of fast-tracking the work could be accepted to achieved the required goal. A contingency plan to cater for delays should be prepared to support this more risky approach, but the proposed plan may require the provision of extra funding to provide greater resources to crash the project and maintain the early delivery date. Further project documentation that is key to the production of the risk management plan includes the scope statement and project management plan. Elements contained in the scope statement may mention aspects of the initial risk analysis conducted by the project sponsor.
The various plans included in the project management plan could provide useful inputs to the risk management plan from the WBS, network diagram, communications, staffing and procurement management plans, together with the time and cost estimates versus the project's budget. All of this information can be used to develop the risk management plan, which ultimately becomes part of the project management plan. The risk management plan will therefore define how risk management is to be structured and applied by including the following:
Building up a list of the risks on a project is the first hurdle in risk management. It is very hard to manage risks that have not been identified. It can be difficult to get started identifying risks, because the job can seem overwhelming after all, anything could happen, couldn't it? In fact, risks can be grouped under categories, the significance of which for an individual project is much easier to see. The idea of using a standard list of risk categories is to ensure all the usual areas of risk are covered. Many of the subject headings may not be applicable for your project, but at least each category has been considered. If a project manager failed to follow the company's standard list of risk categories, how embarrassing would it be if a risk from the list appeared on the log without a prescribed response? The benefit of using a standard list in the initial stage of risk identification is to make sure all the common areas, or sources of known risk, are identified and analyzed as appropriate for the project.
The risk categories can be arranged in a WBS-type framework to form a risk breakdown structure (RBS), with the risk categories replacing the major deliverables of the WBS. The type of risk categories and sub-categories considered to develop a RBS may consist of the following areas.
These are risks that apply across the project, rather than on specific activities. Examples include:
These are external sources that in some way may impact on the project. Some of these are beyond the control of the project manager, but all can be monitored and the project steered round them if they are identified in time. Examples include:
These are threats that could affect the organization as a whole, which in turn could impact on the project. Examples include:
These are the possible sources of threat or opportunity linked to project management issues that could cause an impact on the project. Examples include:
The list of risks is there to aid the thinking process, but these should not be the only risk areas to consider. There could be risks generated by a new technology concept, or types of risk not previously experienced by the organization. As a project manager, you must always look beyond the standard list and consider other possible causes of risk that could catch you out.
Top of Page