To understand risk management, let us first understand what is a risk and what is not a risk?
Consider the following statement, "I run a risk of collision when I drive on a crowded street as my brake pads are completely worn-out". Is it a risk? No, it is not. In fact the collision is certain, unless of course you are driving on an absolutely empty freeway - which you are not in this case! It is a problem and needs a fix.
Now consider the following statement, "I need to attend a critical negotiation meeting at customer location at 11:00 hours sharp. It takes 25 minutes to reach under normal traffic conditions. I can start for that meeting only at 10:30 hours due to an important assignment. I run a risk of reaching late and lose on initial negotiation advantage". Is this a risk? Yes, it is. The element of uncertainty makes it a risk. And you can possibly explore mitigation strategies like going on a motorcycle rather then using a car. At this stage, it is also important to recall the exact meaning of word mitigate, "to moderate or lessen a quality or condition in force or intensity".
Risk has two key elements - a) an uncertainty and b) an impact in terms of potential loss (if it happens).
Risk management is a continuous process. Risk management process involves following key steps:
- Identify risks
- Assess each risk
- Rank all risks according to their severity
- Plan for risk mitigation and contingency on the basis of outcome of step 3
- Monitor each risk
- Control deviations (if any) from risk mitigation plan
Risk identification is carried out at the beginning of every project. Subsequently, it is revisited during each project review on an ongoing basis for all residual risks and new risks. The identification of risk is highly project specific. In general, any project has three key dimensions viz. cost, specifications, and time; and risks can be discovered in these contexts. Each risk must be clearly documented in a "condition (i.e. uncertainty)" - "consequence (i.e. impact)" format. In our previous example, "condition" is the occurrence of heavy traffic and "consequence" is losing the initial negotiation advantage.
It is always a good idea to create a risk classification or taxonomy. Each risk must be classified according to the taxonomy. Once this data acquires critical mass, it helps in developing better risk management strategies.
Risk assessment involves determining the uncertainty, the impact, and the first risk indicator. The uncertainty is the probability of occurrence of the risk. This probability can be determined either qualitatively or quantitatively. For qualitative measure, it is recommended to use 4 categories (to avoid middle point bias) such as 1-low, 2-medium, 3-high, and 4-very high. The quantitative measure is a normal probability scale measure from 0 to 1. The impact can be determined in terms of its severity, preferably a value from 1 (lowest) to 4 (highest). The first risk indicator is earliest condition or event that signals risk turning in to a problem.
After successful risk assessment, ranking is a relatively simple task. Sorting the product of the probability of every risk and its corresponding impact generates the risk ranking. This now becomes an important input for risk mitigation planning. The risk ranking determines the extent of risk planning focus.
At this step, a mitigation approach is developed for each risk, to either avoid or reduce the impact of risk. The responsibility to implement the mitigation strategy is assigned to a team member along with a target date. The actual execution of the mitigation plan is called risk resolution. In addition, a contingency plan is also developed to handle the situation when a risk turns in to a problem.
It involves regular tracking of risk resolution process and first risk indicator. The deviations in the risk resolution process are recorded. Occurrence of first risk indicator may trigger activation of contingency plan.
At this step, strategy to reduce deviation in the risk resolution process is developed and implemented.
All the above six steps are carried out on an ongoing basis for a project so that all risks stay managed during its life cycle.
Minimum Risk Documentation Format
The following table outlines a minimum documentation format to record each project risk:
comments powered by Disqus
We hope the conversations that take place on “discover6sigma.org” will be constructive in context of the topic. To ensure the quality of the discussion stays in check, our moderators will review all the comments and may edit them for clarity and relevance. The comments that are posted using fowl language, promotional phrases and are not relevant in the said context, may be deleted as per moderators discretion. By posting a comment here, you agree to give “discover6sigma.org” the rights to use the contents of your comments anywhere.