In my previous blog post, I discussed the basics of risk management. Once you are clear with that concept, we can move on to the project risk management plan.
Risk management is a process of identifying risk, planning responses to those risks, and monitoring them throughout the project life cycle.
On the other hand, a risk management plan is a document which documents the detailed plan to identify risks, analyze the risks, developing responses, and how to manage the responses. It describes how the risk management activities will be carried out in the project.
Steps in a risk management plan are as follows:
- Plan Risk Management
- Identify Risks
- Analyze Risks
- Planning the Responses
- Monitor and Control the Risks
Plan Risk Management
In the plan risk management process, you define how you’re going to conduct the various risk management activities.
You define how you’re going to identify the risks, and once they are identified, how they will be categorized.
In this process, you will lay down the formula which will determine the criteria to identify which risks are high, medium or low.
In this process, you start collecting risks by using the techniques defined in your risk management plan. Some techniques extensively used in the process of identifying risk are as follows:
- Documents review
- Information Gathering Techniques; e.g. Brainstorming, Delphi, etc.
- Other techniques
Documents review involves a review of historical records of old projects, and lessons learned etc. Review of these documents provides you with many risks.
Information gathering techniques such as brainstorming and Delphi give you the chance to interact with various stakeholders to collect the risks.
In brainstorming sessions, you ask experts to list as many risks as they can.
The Delphi technique is a fantastic technique to receive responses from the experts who do not feel comfortable in expressing their opinion publicly.
In Delphi technique, you circulate a questionnaire to experts anonymously and ask for their responses. Once you get the responses, you compile them and send the responses again to the experts for their review. You repeat this procedure until you get your job done.
Interview usually happens one to one. In the interview technique, you approach some very busy and important stakeholders with one of your team members. You ask some pre-selected questions during your conversation. The team member records all these conversations.
You might use some other techniques defined in your risk management plan to gather some more risks.
Analyze the Risks
Once all risks are identified and noted in the risk register, you will start analyzing them. You will analyse them using qualitatively and/or quantitatively risks analysis process, as set in the risk management plan.
The qualitative risk analysis process is performed on almost all projects, while the quantitative risk analysis process is optional. The quantitative risk analysis process is most likely to perform on complex, critical, and important projects.
In the qualitative risk analysis process, you determine the probability and impact of each risk, and then you prioritize the risks.
After completing the qualitative risk analysis review, you move on to the quantitative risk analysis review.
In the quantitative risk analysis process, you numerically analyze the risks and their effect on the project objective.
Expected Monitory Value Method (e.g. Decision Tree Method) is a widely-used method for the Quantitative Risk Analysis Process. Here you numerically calculate the Expected Monitory Value (EMV) of each choice, and then select the best option.
Expected Monitory Value Analysis helps you determine the contingency reserve.
Monte Carlo simulation is another technique in the quantitative risk analysis process that gives you the probabilities of completing the project in different scenarios.
Monte Carlo simulation can be performed with either cost risk analysis or with schedule risk analysis, or with any other project objective.
Monte Carlo simulation gives you a graphical representation of the project objective vs its chance of being completed. For example, if you run the Monte Carlo simulation for schedule risk analysis, it may give you the information that there is an 80% chance your project will be completed within 24 months, and a 90% chance that your project will be completed within 26 months.
Expected Monitory Value method helps you calculate the contingency reserve, which you can use when any identified risk occurs. However, there is another kind of reserve, known as management reserve, usually set by the management as some percentage of the project cost; e.g. 5% of the total cost of the project.
This management reserve will be utilized when an unidentified risk occurs. You cannot use this fund on your own, you will have to take management approval to use this fund.
Planning Risk Responses
You have identified and analyzed risks, now you have to make a plan to manage these risks. This process is called Plan Risk Responses.
Risks can be divided into two categories: positive risks and negative risks. Positive risks are known as opportunities, and negative risks are known as threats.
The main objective of risk response planning is to lessen or avoid the probability of happening negative risks or their effects, and increase the chance of positive risks happening or their impact.
Strategies for dealing with negative risks are different than the strategies used for positive risks.
Strategies used to deal with negative risks are as follows:
- Mitigate: In mitigation, you try to reduce the chance of the risk occurring, or its impact.
- Avoid: In avoid risk response strategy, you take measures to completely eliminate the threat or its effect. For example, changing the project management plan.
- Transfer: Here, you transfer the risk to a third party; e.g. insurance.
- Accept: Here, you acknowledge the risk and document it, but do not take any action to mitigate it or its effect.
- Enhance: Here, you only try to increase the chance of happening of an opportunity or its impact.
- Exploit: In this strategy, not only do you try to increase the probability of risks, but you also do everything to make sure that opportunity is realized.
- Share: If you are not capable of realizing the opportunity on your own, or due to some other reason, you cannot go alone, you ask someone to join you to share the opportunity.
- Accept: Here, you acknowledge the opportunity and document it, but do not take any action to realize it.
Accept is a kind of strategy that can be used with both type of risks; i.e. positive risk and negative risks.
Once you determine the strategy for each risk, you will update it in the risk register.
Monitor and Control Risks
You have identified risks, analyzed them, and made a plan to manage them. Now that your project has started, you have to keep looking for these risks and control them when they occur.
During this process, you will continuously watch for risk occurrences and manage them as per the plan, and record the outcome into the risk register.
The risk management plan is a subsidiary plan of the project management plan. To develop a sound risk management plan, your first step should be to collect as many risks as possible. You can do that with various information gathering techniques. The next important thing is to note that the Quantitative Risk Analysis process is not required for all projects. It is needed when the project is large and complex.
This was a brief summary of project risk management planning.
Let me know if you have anything to add or need some discussion.
Kindly note that the way you calculate the reserve for the cost, you also have to calculate the reserve for the schedule. Here, contingency reserve may be known as time reserve or buffers. These reserves are included in the schedule baseline. However, management time reserve is not a part of the schedule base line but a part of the overall time duration of the project.