Develop a Risk Management Plan to Ensure Project Success

Developing an effective risk management plan is an important part of any project, but unfortunately, it is often viewed as something that can be dealt with after the fact. Things happen, and without good planning, even the smallest things can lead to danger. There are different types and different uses of risk management, including calculating creditworthiness, determining the warranty period of a product, and calculating insurance rates. In this article, we focus primarily on risk management for adverse events.

Understand How Risk Management Works

Risk is the effect (positive or negative) of an event or series of events that occurs under one or several circumstances. It is usually calculated from the likelihood of something turning into an accident, and the impact it would have (visible risk = likelihood of factor X). Different factors should be identified to enable risk analysis, including:

  • Event: What will happen?
  • Likelihood: How likely is it to happen?
  • Impact: How bad would the outcome be if it occurred?
  • Mitigation: How can you reduce the likelihood (by how much)?
  • Contingency: How can you reduce the impact (by how much)?
  • If you define all of the above, the result is something called exposure. This is an unavoidable amount of risk. Exposure is also considered a threat, likelihood, or severity, but they refer to the same thing. It is used to decide whether to take planned action.
  • There is usually a simple cost vs. benefit formula. You can use these elements to decide whether the risk of making a change is high or the risk of not making a change is high.
  • Assumption risks. If you decide to proceed (sometimes without a choice, such as changes in federal mandates), then your exposure becomes the assumed risk. In some environments, risk is assumed to be reduced to a dollar value, which can be used to calculate profit on the end product.

Identify Your Product

In this article, we assume that you are responsible for a computer system that provides critical (not life-threatening) information to a large population. The main computer this system relies on is old and needs to be replaced. Your task is to develop a risk management plan for replacement. This can be a simple model. Risks and impacts are ranked on three levels: high, medium, and low (this is especially common in project management).

Get What’s Possible from Somewhere Else

Brainstorm risks. Find a few people familiar with the project and ask about possible scenarios, how to prevent them from happening, and what to do if they happen. Take “lots” of notes! You can use the results of this important section multiple times in the following steps. Try to stay open to ideas. Thinking “outside the box” is good, but you also need to control this aspect. You need to keep your focus on the goal.

Determine the Consequences of Each Risk

From the brainstorming section, you gathered information about what would happen if the risk occurred. In that section, analyze the results for each risk. Be as precise as possible with each one. “The project is delayed” is not as good as “the project will be delayed by 13 days.” If there’s a monetary value, mark it; just saying “over budget” is too broad.

Delete Irrelevant Things

If you’re managing something like a car dealership’s computer system, threats like nuclear war, a pandemic, or an asteroid impact can derail the project, but there’s not much you can do to reduce the damage. You may want to keep them in mind, but don’t factor these things into your risk planning.

List All Identifiable Risk Factors

You don’t need to list them in order. Just list them one by one.

Assignment Possibilities.

For each risk factor on the list, determine how likely it actuallyis, whether it is high, medium, or low.

If you absolutely need to use numbers, set the probabilities between 0.00 and 1.00. 0.01 to 0.33 = low level, 0.34 to 0.66 = medium level, 0.67 to 1.00 = high level.

  • If the probability of something happening is zero, you can take it off the list. There’s no reason to think about things that won’t happen (like a T. rex eating a computer).

Distributive Impact

Typically, impacts are categorized into medium, medium, and low levels based on pre-established guidelines. If you must use numbers, assign the impact on a scale of 0.00-1.00 as follows: 0.01 to 0.33 = low level, 0.34 to 0.66 = medium level, 0.67 to 1.00 = high level.

  • If something has zero impact, it shouldn’t be on the list. There is no reason to think about irrelevant, impossible things (my dog ate his dinner).

Determine Risk for Factors

You can usually do this using tables if you have used low, medium, and high to express likelihood and impact. The first table is the most useful. If you are using numeric values, you should consider a slightly more complex ratio system, somewhat similar to the second table. It’s important to remember that there is no universal formula for combining likelihood and impact; it will vary based on the person and project. Here’s just one example (albeit a real-life one):

  • “Be flexible in your analysis.” Sometimes it’s OK to reverse low, medium, high, and numerical levels. You can use a form similar to the one below.

“Rank the risks.” Rank the risks you have identified from highest to lowest.

Calculate Total Risk

Here’s a set of numbers to help you. In Table 6, you have 7 risk types: High, High, Moderate, Medium, Moderate, Low, and Low. This can be converted to 0.8, 0.8, 0.5, 0.5, 0.5, 0.2 and 0.2. As can be seen from Table 5, the average overall risk is 0.5 and the risk is medium.

Develop Reduction Strategies

Mitigation strategies are designed to reduce the likelihood of a risk occurring. Typically you only need to do this for high and medium risk factors. You may want to reduce low-risk items but emphasize other things first. For example, if one of your risks is that a critical part is delayed in distribution, you need to reduce this risk by placing orders earlier.

Develop Contingency Plans

Contingency plans are designed to reduce the impact of risks. Again, you generally only need to do high-impact and medium-impact emergencies. For example, if a critical part doesn’t arrive in time, you may need to use older, existing parts while waiting for new parts to arrive.

Analyze the Effectiveness of Your Strategy

To what extent have you reduced the likelihood and impact? Evaluate your contingency and mitigation strategies and reallocate the effective proportions of risk.

Calculate Your Effective Risk

Now your seven risks become Medium, Medium, Medium, Low, Low, Low, and Low, which can be translated as 0.5, 0.5, 0.5, 0.2, 0.2, 0.2, and 0.2. This brings the average risk to 0.329. Looking at Table 5, we can see that the overall risk has been classified as low risk. “The original risk was medium (0.5). After risk management, your exposure became low risk (0.329). This means you achieved a 34.2% reduction through reduction and contingencies.

Manage Your Risk

Now that you know what the risk is, you need to decide how to detect it when it arises so you know when and whether to take contingency measures. This can be achieved by identifying risk cues. Do this for high and medium risks. Then, as the project progresses, you can determine whether risk factors are becoming an issue. If you don’t know the clues, risks are likely to creep up and impact the project, even if you take good contingency measures.

Tips

  • Don’t assume you can identify all risks. The nature of risk is uncertainty.
  • Don’t let politics interfere with your evaluation. This happens often. People don’t believe that things they control can get out of control and will often challenge their risk level. “Oh, that’s not going to happen” could be true, but it could also just be someone’s big talk.
  • Consider what would happen if two or three things went wrong at the same time. The likelihood is low, but the impact is huge. Every catastrophe has multiple failures.
  • Don’t ignore low-risk projects entirely, but don’t spend too much time focusing on them. Use the low, medium, and high levels to determine how much effort you need to put into managing each risk.
  • Don’t make it too complicated. Risk management is an important part of the project but it cannot overshadow what needs to be done. If you don’t care about this, you may start focusing on irrelevant risks and overload the project with useless information.