Risk Destroyers and Risk Makers

Demystifying Risk Management:
Risk Destroyers and Risk Makers
PMI Talent Triangle: Technical

Risk management is typically used in the context of negative “threat” risk, but it can also be a positive “opportunity” risk. When confronted with a threat risk, your job is to destroy that risk and prevent it from happening, make sure it doesn’t cause a problem for your project if it does happen, or minimize the impact to your project if it does happen. When confronted with "opportunity" risk, you should make it happen because the outcome for your project is improved if it does. In either case, the key to managing risk is to recognize what external factor plays a role in creating the risk and what the impact will be on your project if that external factor comes to pass.

This article clarifies the concept of risk by providing examples and tools for risk identification and analysis. It also provides some thoughts from experience on how to address and track risk and introduces you to the powerful, advanced concept of Schedule Risk Analysis (SRA). SRA is a innovative tool for evaluating your likelihood of finishing on time and on budget and identifying the project activities that are the largest source of risk.

Risk is the idea that things in this world happen outside of our control, but they still affect our lives. In Project Management, risk is the idea that something might happen that will affect your project. Preparing for these eventualities is the ultimate goal of risk management. The first sentence of this paragraph captures the two fundamental pillars of risk, probability and impact. What is the probability that the thing outside your control will happen, and what is the impact to you if it does?

To start with, let’s consider risks we face in our daily lives. Implementing new technology can be very risky. I don’t know about you, but I get a knot in my stomach any time I update the software on my laptop or phone. You never know if the results will be seamless or a nightmare from which it takes days to recover. This is a risk! Another risk some of us face regularly is getting to events on time with a spouse/partner. Whether or not my wife is ready on time is completely outside my control. I used to try to manage this risk by reminding and “encouraging” her to get ready on time. Now I just accept the risk, and we get there when we get there. In terms of sole source suppliers, have you ever waited on a utility service call? You are completely at their mercy. There are no options to have anyone else do it. You can’t speed them up, and you can’t negotiate the price. These are threat risks to both your pocketbook and your schedule! And try scheduling a family reunion in April. You had better consider the risk of bad weather. Have you ever invested in the stock market or in a retirement fund, or developed a personal financial plan? These are daily opportunity and threat risks for all of us.

I recently ran across an excellent illustration of technology risk when I was reading about Secretary of Defense James Mattis’ “new” pentagon in Federal Times. Mattis’ predecessor, Ash Carter, placed an emphasis on future capabilities and innovation to ensure we would have superior capabilities for the next five years or more. Mattis, on the other hand, is focused on improving the lethality and survivability of today’s fighting force in the next year or two. (It’s an excellent article you should read if you have a few minutes.) But the perspective that caught my eye is that Mattis has deliberately set up TWO undersecretaries for acquisition: one for research and engineering (R&E) to ensure we have a superior future force; and the other for acquisition and sustainment (A&S), to make sure today’s fighters get the right things quickly. In short, the R&E group is responsible for creating disruptive opportunity risk, and the A&S group is responsible for mitigating threat risk.

The concept of opportunity risk is ubiquitous in our society, although usually not recognized for what it is. We call it “research and development” (R&D) and “business development” (BD), among other things. Both are about looking at potential opportunity, and shaping and creating an environment that encourages those opportunities to come to pass and maximizes the benefit to our company if they do. When I’ve been in positions to manage these activities, I like to bring a risk perspective to the table. Of course, you can’t neglect traditional planning for BD and R&D; those planning approaches have been developed for a reason. But laying a risk blanket on top of the processes often results in a fresh perspective and improved opportunities.

Another article on risk that caught my eye recently, regarding supply chain risk was published by 9to5Mac, about Apple’s supplier of Apple watches. When Apple introduced the Apple Watch series 2, the same company that was making series 1, Quanta, started making series 2. When the supply of series 2 watches became steady, Apple gave the manufacturing job for the older series 1 to a new company, Compal Electronics. This was a brilliant move! By creating two suppliers, Apple addresses the threat risk of a supply chain interruption of Apple watches in the event the Quanta Corporation has production problems. It also addresses the threat risk of higher prices by introducing manufacturing competition. And finally, it creates opportunity risk by bringing in a new manufacturing team, potentially with new ideas for innovation.

In addition to threat and opportunity risk, tolerance of risk is an important factor. The nature of a business plays a role in its risk tolerance. Manufacturing and mature product environments tend to be very risk averse. They want to keep their production lines running and their products trouble free. Government project environments are also risk averse. On the government side, they are risk averse because they want to spend tax payer dollars wisely. On the Government contractor side, they are risk averse because they only make a profit when they get paid for what they do. Technology companies are risk tolerant because only by investing in innovation can they get a competitive edge. Academia tends to aggressively pursue risk, with the winners getting the best students, the best funding, and the most publications. Nonprofit environments are a different animal altogether. In the nonprofit world, the biggest risks are funding and getting volunteers and low-paid workers to be committed and productive. Fund raising and motivational techniques are among the biggest tools in the nonprofit risk management toolbox.

The most difficult, but most important, concept for newcomers to grasp is the basic idea of what a risk is. It is very common for risk to be identified as “weather” or “quality” or “funding” and so on. Without better definition of the risks these words refer to, it is nearly impossible for a newcomer to a project to understand what a Project Manager (PM) or team was thinking when they captured these risks. To solve this problem, we have adopted the use of the “if…then…” statement to clearly identify what it is that might happen (If…) and how it will impact our project if we don’t prepare for it (then…). This makes it easy to estimate the probability of the “if” portion of the risk statement should it come true, and to estimate the impact on the project if the “then” portion of the risk statement is realized. These evaluations help us prioritize risks so that we can focus on the worst (or best) risks first. Since we usually manage negative risk on projects, I will focus on worst-case scenarios.

The process begins by evaluating all parts of the project plan, including scope, schedule, and budget, talking to stakeholders, referring to checklists and more. When we identify a risk, we decide if it is worth paying attention to and we figure out how best to prevent or prepare for it. Best practices dictate that we should develop plans to reduce both the probability that the bad thing will come to pass, and to reduce the impact on our project if it does. Most managers develop plans to address probability or impact. But it is usually possible, and more effective, to develop plans to address both.

A risk management plan often is not used. There are many reasons for this, including embedded institutional practices making them unnecessary, or feeling overwhelmed after looking at the risk planning process in the PMBOK. I highly recommend a very simple project management plan for your team. It should include a brief introduction to what risk is (for newcomers), tools, templates, and process outlines for conducting risk management on your project, and a clear definition of rolls, responsibilities and authority of individuals on the team.

Schedule Risk Analysis (SRA) is a fast-growing tool for project risk management. This powerful numerical technique allows you to determine with confidence the likelihood of your project finishing on time and on budget. It also points out which schedule activities pose the highest schedule and budget risks to the plan. Aside from the computer tool that performs the risk analysis calculations, the only additional information a project manager needs for SRA is three-point estimates for schedule activity durations (optimistic, pessimistic, most likely). If you can get good three-point estimates from team members responsible for each activity, SRA is an indispensable tool for project management.

At 7-Step Project Manager, we provide project management training and professional services based on the concepts introduced in this article. We provide recommendations for tools based on ease of use and affordability as well as instructional guidance on how to use the tools. Our training programs have been developed for audiences ranging from beginners to advanced, and are built around tools and templates we have successfully used in the real world. When you complete one of our training programs, you will have the tools and skills necessary to use them to be a highly effective risk manager in your workplace. Our professional services range from helping you set up a risk management process for your work environment to performing risk identification, analysis, response, tracking, and closure on projects you are managing. Please contact us if you would be interested in a free one-hour overview of 7-Step Project Manager risk management tools and techniques for your organization.

Dr. Bill Carswell, PMP
Director of Programs
www.7stepPM.com 

Please use the comments feedback area below to share your thoughts. What are some opportunity or threat risks you have faced? What are your keys to successfully managing risk? 7stepPM readers want to know!

After you have spent 15 minutes reading this blog and participating in the discussion forum below, don’t forget to fill out the Pennies for PDUs form to get your certificate of PDU credit.


Comments

  1. 7stepPMJuly 27, 2017 at 12:39 PM

    I just got access to a great Risk tool, RiskyProject. Anyone have any experience with that?

    ReplyDelete

Post a Comment