Geekly Articles each Day
📜 ⬆️ ⬇️

Risk Management: Problem Prevention vs. risk register management

Strange but true


These and many similar observations were made by me in the course of implementing a quality management system and auditing processes in an IT company. In particular, project management processes. As with any innovation, the introduction of work rules should be accompanied by a rationale for why this is needed. For this, in addition to the skills of persuasion, knowledge of the theory and practical examples, both negative and positive, is necessary. My conclusions about the secrets of effective Risk Management are based on them.

Risks, risk sources, risk categories

An analysis of the causes of inefficiency or lack of risk management in projects shows that people do not correctly identify risks and formulate a response plan.
Here are examples of typical risks that I mostly met in project risk registers (generalized formulations):

Gentlemen, these are the facts! To combat these facts, there are standards for quality management (ISO), project management methodologies (such as SCRUM), frameworks for organizing work (PMBOK, CMMI), etc. They contain the experience of generations of managers and varying degrees of project success. They say that it is necessary to stipulate commitments of the parties before signing the contract, to take care of the human independence of the process, to create work artifacts (documentation and data obtained as a result of monitoring), etc. Consider business continuity issues in advance. But this is too “bureaucratic” and “inconsistent”, in the opinion of many managers (especially “managed” programmers, no offense will be said). We prefer to reinvent the wheel on every single project, to put out fires, in general, to be a hero. Such “risks” should be prevented at the preliminary planning stage of the project, preferably before signing the contract.

During the project, such unresolved problems become sources of risk. Regarding sources: typical sources of risks, documented in the risk registers that I observed - “Client”, “Team”, “environment”, etc. No one thinks about the fact that the source of a potential problem is not a generalized concept, but a certain situation is often negative)!
“Client”, “Team”, “environment” are the categories through which we look at the situation on a project and can find negative facts or situations that raise doubts about the achievement of project goals.
A certain negative situation (most often this deviation from the contract, from the work standards, caused by both an error and a conscious decision) may entail deviations from the desired (and planned) work results, that is, the goals of the project. This is already a project risk!

Risk assessment

The implications (Impact) of this risk are determined by how large the deviation from the project objectives will be, and by how large the deviations we can allow for this goal.
It's time to give an example. Would it be more useful instead of typical
" Source ": Team
" Risk ": A person can get sick
" Impact :" will not do in time
have the following information:
" Source ": A person (A) performing tasks on a critical path has a pregnant wife who must give birth to the person performing the tasks (A) (this is a fact)
“ Risk ": the above fact may result in the absence of a person (A) more than 3 working days (risk)
" Impact :" may deviate from the schedule by 20%.
Deviation from the schedule by 20% can be a trifle for one project (where 20% is 4 business hours and the time difference with the client is 8 hours in our favor), but the real tragedy for another project (where 20% is 2 days and the client has presentation with important stakeholders for a predetermined number). Considering all such realities, the seriousness of the risk is estimated (for example, from 1 to 9, as in our company).
')
When we have decided on the consequences of risk, it is necessary to think about its probability (Probability). The probability of a risk that a person may suddenly be absent from work is quite high, since there are several people on the project. Each of them may have several reasons for missing. But the absence of a well-defined person in a certain period may not be a problem, and the absence of another in the same period will be a tragedy. Here is another argument against generalized problems and in favor of specific risks.

The severity of risk - in the classics - is determined by the product of the consequences for the probability. First of all, the task of the manager to work with the most serious risks. Everyone understands this. They also know the basic risk response strategies. Problems begin when you need to think about risk response plans.

Risk response plans

Here are some typical examples of a risk response plan that I meet:

Can we say how much risk will be reduced when applying these plans? That is, how effective are our actions on risk management: how much will the probability decrease? How much damage will be reduced?

A risk response plan is an action that should completely or partially remove a potential problem, but not a statement of the intention to prevent it.
Actions also have their value (impact on the achievement of project objectives: for example, man-hours).
Only in the case when there are 2 or more alternative scenarios, with an indication of their cost for the project (for example, one is reactive, that is, after the risk is triggered, and the second is preventive, if the risk response plan is included in the project plan initially and performed), then we can decide what to do from this. Or provide an opportunity for management or the client to make a decision. Only in this case we manage (or take part in the management) of the project, justifying the title of the Project Manager. By the way, this is a good way to earn respect in the eyes of the client, which leads to a decrease in pressure on his part.

For example, in a risk with a person (A), the answer might be:
" Make it possible to complete the task by another person: a daily rally on knowledge sharing with a second person (1 hour per day for the main actor and 1 hour per day for a backup)".
The cost of the risk response = 10 man-hours per week, which is recalculated to the schedule will be N% backlog.
We compare with the possible deviation, if the risk happens, we take into account the probability of risk, and we go with this all to the one who makes the decision. A possible result would be a reduction in the scope of work or the acceptance by the client of one of the deviations.

Number of Risks

One of the interesting questions is how much risk there can be on a project?
The logical answer is as much as you like, and the less organized the system and the less planned the project, the larger.
More specifically, the question should be: “How many risks do we need to control (document, monitor changes)”.
In practice, there are cases:
The number of risks that need to be monitored should be as it is possible for those responsible for monitoring and responding to risks to digest. Those. You can write down (and sometimes you need to) all identified risks, while planning response actions is only for those whose influence on the goals of the project is really significant.
At the same time, if you have 10 risks this week and 10 were last, but these are likely to be at least partially other risks: the situation has changed, new circumstances have appeared, the old ones have disappeared. But the sources of these risks may be the same.

That is, the whole thing in the correct identification of risk. Correctly formulated risk will allow assessing its impact on the objectives of the project and, therefore, selecting the most relevant and serious risks. Of course, if the project objectives are also formulated correctly. But that's another topic.

Total

Source: https://habr.com/ru/post/128370/

More articles:


All Articles