Risky business.

Skating on thin ice, sky diving without a reserve chute, flashing a full wallet in a bad neighborhood, unprotected sex, rooting for Dallas from the middle of the Redskins' cheering section--all of these have one thing in common: there are significant risks involved. It is the same with managing a project. But guess what, that's why they invented risk management.

Risk management is a discipline for living with the possibility that future events may cause adverse effects. A good risk management process to identify and mitigate the bad things that can happen is a necessity for program managers. It should be used to continuously assess what can go wrong in the project, determine which of the risks are most important, identify the potential effects or outcomes, and implement strategies to deal with them. Looking at any of the risky activities above, there are ways--some simple and some more complex--to avoid or mitigate the risks involved. PMs need to do the same with project risks.

According to Al Ware, senior risk manager at Space and Naval Warfare Systems Command, Charleston, S.C., "The process of managing risks within DoD is an accepted concept and has been a requirement for almost two decades. It is not a passing fad. It has been clearly documented as a key element of the top best business practices, especially among Fortune 500 businesses. Every few years the wording of the DoD directives requiring the management of risks has been made stronger and stronger until it is definitively mandatory."

The Risk Management Program

The Project Management Institute uses the systems approach in the Guide to the PMBOK as a recommendation for implementing a risk management program. The approach covers six major areas:

* Risk management planning
* Risk identification
* Risk assessment
* Risk quantification
* Risk response planning
* Risk monitoring and control.

Let's take a brief look at these areas.

The Plan

Everything in DoD starts with a plan. The risk management plan presents the strategy and ground rules, defines the stakeholders, sets the objectives of the program, defines the process and organizational structure, and presents roles and responsibilities.
It may also contain the template(s) for the documentation associated with the program. It is also helpful to create (or copy from others, if possible) the defined risk areas. Some common areas of risk are technical, financial, project management, and environmental. The plan should also present requirements for prioritizing and for closing the risks.

There is probably a good example of a successful risk management plan somewhere in your organization. Find it and tailor it for your project. Many organizations have a central risk management group--a good idea, as this concentrates experience, knowledge, and a single process in one area. They can help you with your specific project needs and provide processes and good advice.

The Identification

Identification of all of your risks is extremely important. The initial identification can come from anywhere or anyone but usually comes from someone on the project team. The form used to submit risks may be based on whatever format is desired or standard in the organization, although a Microsoft® Word document is commonly used for submission, and a spreadsheet is usually used for tracking.

Initially, the PM (or risk manager) will go out to the team and others to request risk inputs. Don't worry if there are a large number. That's actually a good sign--it means people are taking it seriously. As time passes, new risks will be identified and added to the list while some old risks will drop off.
Sometimes it requires a nudge to get people to identify and submit risks. They worry that risks reflect badly on them individually or on the project.

The Assessment

Risk assessment means evaluating the risk. The assessment begins with an analysis, whose depth will vary with the project. Assessment is tied closely with risk quantification, which is based on the results of the analysis. A combination of the probability and impact (which together define the severity) will determine whether the risk can essentially be ignored or will require close monitoring.

The simplest type of quantification is a risk matrix with axes being probability and impact. Using general rating categories (high, medium, and low) along each axis will give results that could range from low/low (essentially ignore) to high/high (you'd better watch this one closely or you may be out of a job). The higher the severity, the more monitoring or action it needs and the higher priority it should be given. Also, the higher the priority, the more detailed the analysis that is required.

The Quantification

There are many detailed and complex methods of quantifying or ranking risks. One good analysis of these can be found in Preparing for the Project Management Professional (PMP) Certification Exam, 2nd Edition, by Michael W. Newell. There are a number of other good sources.

The Response

The result of the assessment also serves as the basis for determining the response strategy.
Sometimes--as they used to say in the math books--the strategy "should be intuitively obvious to the most casual observer" (a phrase hated by students because frequently it wasn't very obvious). There are several different approaches using up to 16 strategy elements/choices, but these four are considered the basic strategies for most users:

* Elimination/Avoidance. Ridding your project of the risk completely is cost-prohibitive or very difficult, if not impossible. And if you could eliminate or avoid it, it wouldn't be a risk any more and could be closed.
* Transfer. Shift the risk to someone else or into an area where consequences are more tolerable. Sometimes this can be done by contracting out the source of the risk, especially by using a fixed price contract. However, after transferring the risk, you may be dependent on someone else and may not have insight into what is happening. The final result could be a bad surprise.
* Acceptance/Monitoring. For risks with a low ranking or priority, this is an acceptable method. It is also a possibility when the cost of mitigation is too high to be acceptable. Then the risk should be monitored until the severity (probability and impact) becomes unacceptable.
* Reduction/Mitigation. Determine a strategy that will reduce the severity of the risk to an acceptable level. The strategy might be a different (lower-risk) technology, more testing, a change in personnel, or any of a hundred other mitigation strategies.

Einstein reputedly said "It is not possible to solve a problem using the same thinking that created it." David Hilson, in Innovative Risk Management, says risk management requires fresh thinking, namely in the development of effective risk responses. Hilson also says that "just identifying risks is not enough, and if appropriate action is not taken, then risk exposure will remain unchanged. However deciding what is 'appropriate' for each risk demands a degree of innovation, being prepared to consider and implement actions which were previously not thought necessary." In other words, you may have to be creative to mitigate your risks. Creativity is one of the things that PMs are paid for.

The Risk Management Organization

Since risks can affect any or all areas of a program, one accepted idea is to have the risk management control at the highest level of the organization practicable. This can save resources or provide economies of scale for solutions. While the higher-level the control, the wider the reach, there is also less direct contact or oversight.
The following are some roles and responsibilities in the RM program for a typical organization. Names and specific responsibilities may vary, but this provides an outline of an RM organization within a program. In some cases, positions and responsibilities can be combined.

* Program Manager -- has overall responsibility for the program and projects, including RM.
* Risk Management Manager/Director -- responsible for the risk management program; usually chairs the Risk Management Committee/Board.
* Risk Management Committee or Board -- drawing members from all levels and parts of the organization, provides overall guidance to risk management activities. This includes periodic reviews of all (or at least the most significant) risks, validation of risk information, assignment/approval of risk ownership, reviews of risk response strategies and status, and approval for adding or closing risks.
* Risk Manager -- maintains the RMP and risk database, ensures information is up to date for the Risk Management Committee/Board, provides administrative support to the Committee/Board, and requests input/updates from risk owners.
* Risk Owner -- PM, functional integrated project team lead, or task manager over the area containing the risk; responsible for some or all of the analysis and for developing response strategies; also responsible for monitoring the risk and providing updates to the risk database.
* Risk Action Managers/Team Members -- assigned by the PM or task manager and responsible for specific actions under the response strategy.

Processes

While processes will be different among organizations, there are some activities that should take place in almost every risk management program. The first of these is the risk database.
This is a living document, updated periodically (read as "frequently"), and cannot be just "shelfware." In the submission and tracking of risks, the following information is suggested as input.

* Name -- use an individual and easily understood name for each risk.
* Identification number -- each risk should have an individual number for easy tracking; this is usually assigned by the Board/Committee or the risk manager.
* Description -- a write-up with enough information to adequately and accurately describe the risk (this sounds simple, but can be very difficult).
* Date -- the date that the risk is presented to the Board/Committee or accepted as a risk.
* Person responsible for managing -- usually assigned by the PM or risk manager and can be the person who identified the risk (although that has a tendency to cut down identified risks if people think that they will be responsible).
* Probability of occurrence -- usually general categories like high, medium, and low, or a specific estimated probability from 0 to 1.
* Impact -- what happens if the threat comes true? How will it impact the project? If the impact is a dollar cost, it should be estimated and revised as necessary. The impact should have a rating, either general or numerical. Many organizations use numerical values from 1 to 5, with 1 being minimal impact and 5 being maximum impact--a "showstopper."
* Severity -- this can also be general categories or a specific numerical value.
* Mitigation strategies -- how the project will avoid, reduce, or mitigate the risk. This should include cost, milestones, and a timeline.

Ware says that "severity is also referred to as the risk Exposure Value. The exposure of the risk is the first indicator on the severity and is a significant tool in aiding the RM team in prioritizing risks. The exposure is automatically calculated in some risk databases (e.g., Risk Radar (available from SPMN))."

As mentioned earlier, risks can be identified and submitted by anyone. Once submitted, they should remain in draft status until the Committee/Board approves them for entry. Once the risks are approved, it may require significant analysis work or modeling to determine the impact to cost, schedule, or performance. For these major risks, some type of a repeatable analysis or modeling process is needed.

The Committee/Board should meet periodically. The frequency might be anywhere from weekly to quarterly, depending on the number and level of the risks. For most DoD programs, monthly is probably about right. In preparation for the meeting, the owners of all risks will update the status. At the meetings, there should be a review and approval/disapproval of draft risks for inclusion in the database, the status of the highest priority risks (the "Top 20" is a good guide), and any risks that can be closed. On many projects, the risk status is also briefed during IPRs using some sort of a stoplight chart (red, yellow, green).

The risk database should be available for view by everyone in the program. A caveat here is that sometimes a risk, even a very low-level risk, can make people start worrying about their jobs. This is especially true with funding risks.
However, that issue is offset by the fact that when people know about risks, they can work to resolve or lower them.

The risk manager should also hold periodic reviews with risk owners. In some cases, this is also a part of the Committee/Board meeting. However, a separate meeting is recommended so that there can be detailed discussion of the status, milestones, etc.

Closure

Closing a risk is a happy time for all. It is done when the risk is no longer a risk (duh!). The risk could have been overcome by events, resolved, or completely transferred. The last--completely transferred--can only be closed if it no longer is a risk to the project. The closed risk needs to stay in the database with all of the appropriate information and dates, but in a closed status.

According to Ware, technically speaking, a risk is also closed when it has transitioned into a problem, and the PM needs to invoke planned contingency actions. There are two schools of thought on the proper use of the contingency plan: Use the contingency plan as a backup mitigation plan in case the initial actions do not successfully mitigate the risk down to a more manageable level; or use the contingency plan for what the team will do when you-know-what has hit the fan.

The final process should be the completion of a lessons-learned report, or a white paper, or entry into a lessons learned database. In the report, there should be both specific lessons learned and general lessons learned that might apply to other areas. Most organizations have some kind of a standard format.

No amount of teaching and no RM tool will enable a team to successfully protect a project if that team does not have the right "cultural attitude" toward risk management.
In Project Risk Management, Bruce T Barkley says, "A risk management culture can be defined as the 'prevailing standard for how risk is handled.' An organization with a strong risk management culture has policies and procedures to go through disciplined risk planning, identification, assessment, and risk response project phasing. A mature organization does not treat risk management as a separate process, but rather 'embeds' the risk process into the whole project planning and control process."

Risk management is one of the most important areas of project management. If you don't identify, assess, and respond to risks, your project could go down the tube and take you with it. Einstein defined insanity as "doing the same thing over and over again and expecting different results." In other words, no lessons learned. As the Chinese proverb says, "If we don't change direction we're likely to end up where we're headed." And if you don't do good risk management, you are headed down the road to failure. Risk management helps identify when you are heading in a potentially wrong direction and helps you change direction so that you don't end up "where [you were] headed."
The author welcomes comments and questions. Contact him at wayne.turk@sussconsulting.com or rwturk@aol.com.

Turk is a consultant with Suss Consulting. He is a retired Air Force lieutenant colonel and defense contractor. He has supported information technology projects, policy development, and strategic planning projects for DoD, other federal agencies, and non-profit organizations. He is a frequent contributor to Defense AT&L.

RELATED ARTICLE: 15 Bad Reasons for Not Using Risk Management

* We have no risks.
* Identifying and making risks public will kill the program.
* We deal with problems as they arise.
* My customer/boss/whoever doesn't want to hear that he/she is the source of risk.
* You can't predict what will happen a year from now.
* No one on the staff knows how to do risk management.
* We plan to start implementing risk management next year.
* There is nothing in it for me.
* Our job is to develop megawidgets, not fill out bureaucratic forms and go to stupid meetings.
* If I gave a realistic risk assessment, no one would listen.
* That method/process/tool/software/hardware is not a risk. X said so.
* This project is too small to do risk management.
* We can't identify risks based on government (or industry) metrics because our project/process is different.
* Things are going smoothly. We're on schedule and under budget.
* We don't have time.

Based on excerpts from The Little Book of Bad Excuses, Software Program Managers Network, June 1998.