Management of risks
In Deadline, Tom DeMarco writes that to manage a project, it’s enough to manage its risks. Indeed, the entire work of the PMA can be reduced to one thing - the fight against risks that can prevent the project from being completed on time, into the budget and with the required level of quality. If, for some reason, there are no risks in the project, then there is no PMA work subject.
But projects without risks probably do not exist in nature and one way or another have to work with them. You can read about how to do this in the PMBOK , on Wikipedia and on thematic resources. This article is more practice than theory. Its goal is to show with examples an inexpensive and effective approach to managing project risks.
')
PMBOK recommends managing risks in 4 steps:
Plan them:
We will repeat the whole cycle at intervals of two weeks, this should be enough. The plan is ready, it remains to describe the steps in detail.
The purpose of this stage is to identify a number of unknown risks of the project. We believe that there are infinitely many potential problems around us, so we will set the task quantitatively. At the beginning of the project, it is good to identify 50–100 risks, in the future - 20–30 pieces each.
At the entrance: the project plan, the current list of risks (if any);
Process:
At the exit: an updated list of risks in the "cause-risk-effect" format.
Example:
Obviously, it is expensive and ineffective to fight all risks at once. The purpose of this stage is to identify the most important of them. For each risk, we estimate its probability and consequences on a ten-point scale. Multiplying them, we get the importance. We will also designate a certain Limit of Importance (for example, 50) in order to understand what risks are critical and then work only with them.
At the entrance: a list of risks;
Process:
At the exit: a list of critical risks;
Example:
In fact, at this stage the project is managed. For each risk from the list of critical, you need to come up with a strategy that will protect our project from it. Three strategies are used in total:
Transfer. We transfer responsibility for the consequences of risk to a third party (customer, partner company, insurance company, and so on). It makes sense to apply this strategy if we ourselves cannot influence the risk and there is someone to shift this responsibility.
Accept. We take responsibility for the consequences of risk on ourselves, but do nothing, leave everything as it is. It makes sense to use this approach only when we can do nothing with risk, and it is unreasonably expensive to make a transfer to a third party.
Mitigate We deal with risk, taking responsibility for it. It’s good to have a few plans for dealing with risk. The main, in order to suppress the risk, and waste, in case the risk nevertheless happened and affects the project:
At the entrance: a list of critical risks;
Process:
At the exit: a list of critical risks with a strategy and a plan for each risk, an updated project plan;
Example:
It is a process rather than a stage. His goal is to keep the list of risks and project plan up to date.
At the entrance: a planned list of risks, a project plan, daily team reports;
Process:
At the exit: an updated list of risks, an updated project plan;
Example:
For a project with a team of 15 people, the cost of risk management will be 50-60 man-hours per month. In this case, about 50 new risks will be identified, of which, on average, the 10 most important ones will be planned and suppressed. Assuming that the critical risk takes away at least 40 man-hours from the project, we get from 400 man-hours of savings every month.
The process described in this article can and should be improved. You can complicate it for complex large projects, you can simplify and spend on working with risks 2 hours per month. Anyway, it is much cheaper to work with risks somehow than not to work with them at all.
But projects without risks probably do not exist in nature and one way or another have to work with them. You can read about how to do this in the PMBOK , on Wikipedia and on thematic resources. This article is more practice than theory. Its goal is to show with examples an inexpensive and effective approach to managing project risks.
')
Risk management plan
PMBOK recommends managing risks in 4 steps:
- Identification. Identify risks that may interfere with the objectives of the project.
- Analysis. Determine which of the identified risks are the most dangerous.
- Planning. Plan the most dangerous risks.
- Monitoring and control. Keep the project plan and risk list up to date.
Plan them:
| what | Who | When | how |
|---|---|---|---|
| Risk identification | PM + project team | Tuesday 14–00 | Rally. 1 hour |
| Risk assessment | PM + leads | Tuesday 15–00 | Rally. 1 hour |
| Risk planning | PM + PM of other projects | Tuesday 16–00 | Rally. 2 hours |
| Monitoring and control | PM | Daily 13–00 | Activity. 30 min |
We will repeat the whole cycle at intervals of two weeks, this should be enough. The plan is ready, it remains to describe the steps in detail.
Risk identification
The purpose of this stage is to identify a number of unknown risks of the project. We believe that there are infinitely many potential problems around us, so we will set the task quantitatively. At the beginning of the project, it is good to identify 50–100 risks, in the future - 20–30 pieces each.
At the entrance: the project plan, the current list of risks (if any);
Process:
- PM gathers a rally with the whole team, reports on its purpose, duration and agenda;
- PM reports on the status of the project, the main current risks and problems, answers questions;
- Rally participants voice potential risks. All ideas are accepted without exception, without discussion and comments;
- The PM records the results in a cause-risk-effect format. As soon as the goal is reached, or the time is up, the rally ends;
At the exit: an updated list of risks in the "cause-risk-effect" format.
Example:
Risk analysis
Obviously, it is expensive and ineffective to fight all risks at once. The purpose of this stage is to identify the most important of them. For each risk, we estimate its probability and consequences on a ten-point scale. Multiplying them, we get the importance. We will also designate a certain Limit of Importance (for example, 50) in order to understand what risks are critical and then work only with them.
At the entrance: a list of risks;
Process:
- PM gathers rally with team leads, reports on its purpose, duration and agenda;
- The PM announces the risk, the rally participants evaluate its likelihood and consequences;
- The PM records the assessments as soon as the rally goal is reached, or the time is up, the rally ends;
- PM considers the importance of risks as Probability * Consequences, sorts the list in descending order of Importance;
- PM denotes risks that exceed the Importance limit in the list;
At the exit: a list of critical risks;
Example:
Risk planning
In fact, at this stage the project is managed. For each risk from the list of critical, you need to come up with a strategy that will protect our project from it. Three strategies are used in total:
Transfer. We transfer responsibility for the consequences of risk to a third party (customer, partner company, insurance company, and so on). It makes sense to apply this strategy if we ourselves cannot influence the risk and there is someone to shift this responsibility.
Accept. We take responsibility for the consequences of risk on ourselves, but do nothing, leave everything as it is. It makes sense to use this approach only when we can do nothing with risk, and it is unreasonably expensive to make a transfer to a third party.
Mitigate We deal with risk, taking responsibility for it. It’s good to have a few plans for dealing with risk. The main, in order to suppress the risk, and waste, in case the risk nevertheless happened and affects the project:
- The basic plan must be implemented immediately before the risk has occurred. It must lower either the probability or the consequences of the risk. Here we will be helped by the recording of risks in the "cause-risk-effect" format. To reduce the likelihood of risk, you need to deal with its cause. To overcome the consequences, you need to protect the subject of its impact.
- A waste plan is implemented if the measures to combat the risk did not bring results, the risk happened and became a problem.
At the entrance: a list of critical risks;
Process:
- PM gathers rally with the leaders of other projects, reports on its purpose, duration and agenda;
- The PM announces the risk, the rally participants determine the strategy of working with it, the main plan and the backup plan (for Mitigate);
- The PM writes plans on the risk sheet, as soon as the rally's goal is reached, or the time has elapsed, the rally is over;
- The PM updates the project plan by adding basic risk plans;
At the exit: a list of critical risks with a strategy and a plan for each risk, an updated project plan;
Example:
Monitoring and control
It is a process rather than a stage. His goal is to keep the list of risks and project plan up to date.
At the entrance: a planned list of risks, a project plan, daily team reports;
Process:
- PM performs the audit of the list of risks, updates the estimates, updates the outdated plans;
- PM identifies the risks that have occurred, decides on the implementation of waste plans, updates the project plan;
At the exit: an updated list of risks, an updated project plan;
Example:
Total
For a project with a team of 15 people, the cost of risk management will be 50-60 man-hours per month. In this case, about 50 new risks will be identified, of which, on average, the 10 most important ones will be planned and suppressed. Assuming that the critical risk takes away at least 40 man-hours from the project, we get from 400 man-hours of savings every month.
The process described in this article can and should be improved. You can complicate it for complex large projects, you can simplify and spend on working with risks 2 hours per month. Anyway, it is much cheaper to work with risks somehow than not to work with them at all.
Source: https://habr.com/ru/post/73571/
All Articles