riskman

workbook solutions for IT management Identifying, Assessing and Controlling Risks in Technology Projects from RIGHT TRACK ASSOCIATES The Risk Management Planner

Upload: sanjay-acharya

Post on 31-Mar-2015


workbook solutions for IT management

Identifying, Assessing and Controlling Risks in Technology Projects

from RIGHT TRACK ASSOCIATES

The Risk Management Planner


The Risk Management Planner is a tool for project planning and management. If you have any questions or comments about the information contained herein, please submit a feedback form at our web site, www.ittoolkit.com.

Copyright © 2002 Right Track Associates, Inc. All rights reserved. This publication is protected by the copyright laws of the United States of America. No copying in any form is permitted. It may not be reproduced, distributed, stored in a retrieval system, or transmitted in any form or by any means, in part or in whole, without the express written permission of Right Track Associates, Inc.

Right Track Associates, Inc. disclaims all warranties, express or implied, including but not limited to any warranties of the accuracy or completeness of the content of this guide, of its fitness for a particular purpose, of merchantability, or against infringement of third party rights. Right Track Associates, Inc. is not responsible or liable with respect to the use or reliance on this document or any information contained in this document under any contract, negligence, strict liability, or other legal or equitable theory (i) for any amounts in excess of the amount received by Right Track Associates, Inc. upon the sale of this guide, or (ii) for any indirect, incidental, or consequential damages, including but not limited to loss of profits or income.

The Risk Management Planner
written by E.G. Edman
Right Track Associates, Inc.


The Risk Management Planner: IT Management Workbooks from ITtoolkit.com

Page #1 Copyright 2002 Right Track Associates, Inc.

INTRODUCTION

Risk management plays an important role in the project management process. The goal of effective risk management is fairly straightforward … to anticipate and analyze any issues, circumstances and events that can threaten project success, and to respond to those threats in such a way that they are either accepted, reduced or eliminated. As such, risk management is an essential part of the project management process.

The Risk Management Planner is a practical tool for risk management planning and execution. This workbook takes a comprehensive look at the many strategic and procedural issues involved in risk management. Using the information, and the tools provided, you will learn how to develop workable risk management practices for your project environment. To that end, this workbook is structured as follows:

Chapter One: Risk Management Strategies

This chapter discusses the strategic issues and elements of the risk management process, showing you how to…

• Evaluate project characteristics as part of risk management planning.

• Identify and categorize specific types of risks to facilitate the assessment process.

• Assign risk probabilities to determine the most likely risks.

• Assess risk impact to determine ramifications and consequences.

• Plan effective risk response and control strategies.

Chapter Two: Risk Management Mechanics

This chapter discusses the mechanical elements of the risk management process, showing you how to implement tangible policies and procedures for managing risks. This section provides you with the nuts and bolts of risk management covering:

• Origination

• Roles and Responsibilities

• Review and Analysis

• Response Management

• Oversight

• Closure

WORKBOOK HELP

This workbook uses many of the features and functionality available within Adobe Acrobat, making workbook usage easy and consistent. The exact features and functions available to you will vary depending upon whether you are using Adobe Acrobat 5.0, Adobe Acrobat Approval 5.0 or Acrobat Reader 5.0. This workbook includes the following productivity features:

• Fill-in the blank worksheets to be completed within Adobe Acrobat.

• Add your own comments, free text and highlighting to the worksheets (with Acrobat 5.0 only).

• Bookmarks and text links to facilitate navigation.

• Cut and paste text to other applications.

• Selective printing (the entire workbook, including comments, specific pages or a range of pages).

Chapter Three: Risk Management Tools

This chapter provides the worksheets, checklists and templates you need to plan risk management procedures, and to implement your own chosen risk management strategies and practices.

• Appendix A: The Risk Management Procedures Worksheet

To be used for planning risk management procedures for all projects, specific types of projects, or any one individual project.

• Appendix B: The Risk Identification Worksheet

To be used for naming and evaluating project risks according to category, impact, probability, priority and target value.

• Appendix C: The Risk Assessment and Response Template

To be used for assessing risk details and planning response strategies.

• Appendix D: The Risk Status Worksheet

To be used for tracking risk status and response plan progress.

• Appendix E: The Risk Identification Reference Checklist

To be used as a reference guide for risk identification, providing a checklist of common project risks sorted by category.

The goal of The Risk Management Planner is to provide the tools and information necessary to plan and implement effective risk management practices, suitably designed to meet varying needs and circumstances.

As you use this workbook, you will find links created throughout for quick navigation through the pages and tools as needed. The “Bookmarks” tab can also be used as a source of quick navigation.

To begin, jump to Chapter One: Risk Management Strategies.


CHAPTER ONE: RISK MANAGEMENT STRATEGIES

By their very nature, all projects involve risk. Projects are initiated to handle unique circumstances – to produce products, services or strategies that cannot otherwise be produced as part of normal business operations. By definition, there is risk in every unique project initiative. But, this risk potential goes well beyond the project outcome itself. Actual project completion can be constrained by any number of operational factors, including time, money and available resources. These constraints create a breeding ground for problems and failures, and as such, they must be treated accordingly … as project risks.

As a project manager, it is your job to anticipate and control project risks before negative consequences are realized. This is the essence of risk management: to identify risks, assess potential impact, and to devise appropriate strategies for response and control.

Risk Management and the Project Cycle

The risk management process should be an ongoing effort, maintained throughout the project management cycle. In order to deliver expected project results, you must be fully aware of any potential risks that stand in the way of successful project completion. And, this need exists and evolves throughout the life of a project.

Risk Management at the Start of a Project:

As you begin to plan and structure any project, risks should be identified and assessed along with all the other major project elements. At the start of a project, the goal of the risk management process is to identify likely risks, assess their impact and prepare any appropriate responses. These goals must be incorporated into any documented project plans, and all related tasks and activities.

Appendix B: Risk Identification Worksheet

Risk Management Midstream:

Once a project is underway, the risk management process remains in full swing, but it also takes on an additional dimension. As projects are executed, underlying circumstances and conditions may change, and project plans must be modified accordingly. Any such project changes can give rise to new risks, and the risk identification and assessment process must always be in play in order to deal with this new risk potential.

In addition, as the project proceeds, any risks identified at the start of the project must be continually monitored. This oversight takes shape through a series of questions designed to uncover any changes in risk status…

• Have any predicted risks come to fruition?

• If so, was the impact as predicted?

• Has the planned risk response been effective?

• How have any new project circumstances changed initial risk forecasts in terms of probability and impact?

• Are any changes required in the risk control plan as a result of these changes?

Appendix C: Risk Assessment and Response Template

Risk Management at Project Closure:

Once a project is completed and closed, the overall effectiveness of the risk management process should be reviewed and assessed. To that end, risk process evaluation should be included as part of any post-project review or audit. This risk process evaluation should examine the efficiency of the overall risk management process, and the quality of the results…

• Were all risks properly identified, assessed and controlled?

• Were any truly predictable events overlooked?

• If so, how can the risk management process be improved in the future?

Appendix D: Risk Status Worksheet

What are project risks?

Project risks can be most simply defined as any event, circumstance or situation with the potential to prevent, disrupt or diminish the successful completion of a chosen project initiative. And the key word here is potential – i.e. the likelihood that a negative event can and will occur.

Once a negative event takes place, or if it is a certainty from the start, it is a problem, not a risk. Risk events are potential problems, and risk management is designed to help you deal with that unfortunate, but inevitable degree of uncertainty.

Risk is all about potential and probability – what can happen, how likely is it to happen, and what are the consequences if it does…?

Any realistic risk assessment process begins with identification … what can happen? Since all project risks share certain common characteristics, any structured approach to risk management should be designed to use those similarities to your advantage.

To save time and facilitate planning, risks can be initially viewed through a series of standard categories that can be readily defined and organized. The risk assessment process provided in this workbook is based on the concept that project risks can be organized into five common categories.

RISK CATEGORIES:

Providing a structured view of project risks to facilitate identification and analysis….

• Management Risks:

Risks that relate to the scope, structure and strategy of a given project. These risks go to the heart of the project process itself, as they pertain to overall project organization, definition and management. Potential management risks can include ill-advised project selections, a lack of management support, a lack of structured project management processes, insufficient requirements, or a cursory definition of goals, scope and deliverables.

• Technology Risks:

Relate to the design and implementation of the technical elements of a project. These risks usually involve the project outcome itself, or the manner in which the outcome is developed and/or implemented. Technical risks can include early adoption of new technology, an inappropriate reliance on older technology, version conflicts, platform incompatibilities, or software and hardware bugs.

• Resource Risks:

Relate to finances, product availability, project staffing, training and resource allocation. No project can be completed successfully without the right mix of resources, and the appropriate allocation of those resources. In project terms, resources include money, staff, and any products and tools necessary to manage and complete a project. As such, resource risks can pose serious threats to successful, timely project completion. Resource risks can include product delivery delays, insufficient funding, a lack of skilled resources, the loss of specific, key resources, or a lack of sufficiently skilled service providers.

THE FIVE CATEGORIES OF PROJECT RISK

• Management Risks

• Technical Risks

• Resource Risks

• Organizational Risks

• External Risks


• Organizational Risks:

Relate to internal company and organizational issues that can impede project execution and completion. Projects are completed by people, and it would be unwise and unrealistic to ignore the risks posed by internal politics, interpersonal relationships and related power struggles. Organizational risks can include power struggles and ownership conflicts, ineffective team dynamics, and project team personality conflicts.

• External Risks:

Risks that go beyond the direct control of the project team, caused by external, environmental, or industry factors. These risks can include changes to industry regulations, changes in economic conditions, the release of new technologies, or company mergers. Any risks of this nature can impact internal decisions and strategies that may render any project inappropriate or ineffective. While these risks can be difficult to predict, timing and industry circumstances can be used as a measure of likelihood and impact. If circumstances are right, it is always wise to keep an open mind to the impact of mergers, reorganizations or recessions as you make project plans and recommendations.

Appendix E: Risk Identification Reference Checklist

While these categories certainly are not all inclusive, they do establish a consistent basis for risk identification and evaluation … creating a specific point at which to start. Using these five categories as a foundation, we will now move on to our examination of the risk management process.

THE RISK MANAGEMENT PROCESS:

Within this workbook, we lay out a practical process for risk management, based upon the concepts and definitions expressed in the section above. In order to achieve desired results, this process addresses two key structural elements … strategy and mechanics. In the next chapter, we will examine the mechanics of the risk management process (i.e. the means by which the risk management process is executed). In this chapter, we will look at strategy…

Risk Management Strategies:

Risk management strategies establish the basis and criteria upon which risks are identified and assessed. Once realized, risks can threaten the success of any project, both in terms of process and outcome. To effectively manage risk, realistic guidelines for identification and evaluation must be established and consistently enforced. And above all, these guidelines must be designed with sufficient flexibility to meet varying project circumstances, conditions and capabilities.

To that end, risk management strategies can be viewed as a series of five structural components:

Risk Management Strategy - Part One: Evaluating Project Characteristics

Risk management strategies begin with an assessment of individual project characteristics. Obviously, as project circumstances vary, so will the need for risk management. To be truly effective, risk management processes must be appropriate to the needs and circumstances of the project at hand. Along these lines, it seems logical and likely that larger, more complex projects will require more stringent risk management procedures than smaller, simpler projects.

If you apply a rigid risk management process to each and every project, regardless of individual needs and circumstances, you may be wasting valuable time and resources on an inappropriate and ineffective effort.

Know your project…

When you take the time to consider individual project characteristics, you will be in a better position to tailor your overall risk management process to suit the needs of the project at hand. This will likely lead to better results and improved productivity.

As you look to apply risk management processes to any given project, you will need to consider the following questions…

• Is risk management necessary for this particular project?

• What benefits can be realized from risk management for this particular project?

• If risk management is necessary, should all policies and procedures be followed, or should procedures be resized to suit the needs of the project, available time, and available resources?

• Should more attention be paid to specific areas of risk than to others?

See the “Questions to Consider” Summary

RISK MANAGEMENT STRATEGIES…

• Evaluating project characteristics

• Naming specific risks

• Assigning probabilities

• Assessing impact targets and values

• Planning response and control activities


To answer these questions, you can look to six defining project characteristics, specified below. Table 1: Project Evaluation Criteria for Risk Assessment, lays out these six elements:

TABLE 1: Project Evaluation Criteria for Risk Assessment

Visibility: What is project visibility?

The extent to which the project is visible to company management, thus creating a smaller margin of error. Risk management takes on a more urgent tone in a highly visible project.

Value: What is project value?

The ultimate value of the project to the organization in terms of business or technical objectives. Highly valuable projects will most likely require a greater attention to risk detail.

Experience: What is project experience?

The level of experience that the project team has had with this particular type of project. Under certain conditions, an inexperienced project team may be a risk in and of itself.

Size and Complexity: What is project size and complexity?

The overall size and complexity of a project in terms of duration, number of tasks, and degree of difficulty and complexity. The time, expense and complexity of large projects can present increased opportunities for risks.

Project Circumstances: What are project circumstances?

The generic organizational and political conditions under which the project is taking place … i.e. stressful or supportive, reactive or proactive, positive or negative? A stressful, negative work environment can render a project more susceptible to the influence of risks.

Risk Threshold: What is risk threshold?

The degree to which risks can be withstood within a given project … i.e. will a certain level of risk cause the project to be cancelled, or will you forge ahead no matter what? A project manager must evaluate the extent to which risks can be absorbed, and the extent to which risks can reasonably be managed.


As you examine individual projects from these perspectives, the need for flexible risk management practices should become even more apparent. For example, contrast these two projects…

Project A:

• High Visibility

• High Value

• Inexperienced Project Team

• Long and Complex

• Stressful Conditions

• Low Risk Threshold

Project B:

• Low Visibility

• Moderate Value

• Experienced Project Team

• Short and Simple

• Positive Environment

• Moderate Risk Threshold

While the differences between these projects may lie on the extremes, the illustration is intended to make a simple point … one process may not fit all. A highly visible, complex project, portrayed as “Project A”, will likely require a higher level of risk management than its smaller, less complex counterpart, as portrayed by “Project B”.

Risk management processes should be applied in appropriate proportion to the needs of the project, as follows:

Step One: Carefully consider your standard risk management processes to determine how they can be best applied to the project at hand.

Step Two: Carefully consider the benefits to be realized from any risk management efforts, weighed against the value of the project, your available resources, and other projects pending. In most project environments, difficult choices have to be made, and you may find that time is better spent on other matters, rather than on extensive, perhaps unwarranted, risk management.

Step Three: Modify risk management activities to suit the project at hand with a focus on specific types of risks and corresponding activities.

Step Four: Document your project evaluation findings and related risk management decisions to ensure a proper audit trail, and to use as future reference for similar projects.

Risk Management Strategy – Part Two: Naming the Risks

After examining critical project characteristics, likely risks must be identified and categorized.

Depending upon the nature, complexity and duration of your project, risks will vary by type, impact and degree. As previously discussed, to facilitate identification and assessment, the risk management process provided herein relies on the use of “risk categories”. These categories provide a structured view of potential risks, organized according to type, source and underlying cause…

• Management Risks (project definition, structure and process)

• Technology Risks (project outcome or design processes)

• Resource Risks (people, money and equipment)

• Organizational Risks (internal organizational and operational conditions)

• External Risks (circumstances outside the direct control of the project team or its customers)

With the use of these structured categories, individual risks can be more readily identified and specifically named. In all, risk identification can be a time consuming and challenging process, relying heavily on common sense, communication, observation, and past experience.

Common sense identification of project risks begins with a simple question … what can go wrong? Based on specific project circumstances, logic and deductive reasoning can be applied to expose the most apparent types of risks. Consider these examples…

• If you are planning a project that relies heavily on the timely delivery of specific, limited availability products, any delay in delivery would present a risk.

• If you are planning a project that relies heavily on one individual with a specific set of unique skills, that reliance would present a risk.

• If you are planning a project that relies heavily on new, relatively untested technologies, that technology would present a risk.

Going beyond logic and common sense, communication and observation can also be a valuable source of risk information. In all likelihood, as you plan your project, team members, stakeholders, and customers will raise a multitude of issues and concerns, either through words or deeds. Under the right set of circumstances, these concerns and behavior patterns can easily translate into any number of project risks. For example, communication, observation and insight can reveal:

• Internal power struggles for project ownership and authority that can inhibit effective cooperation and supporting activities.

• A resistance to change on the part of end-users that can interfere with effective requirements definition, or critical training activities.

• A lack of appropriate and effective management support that can threaten funding, or preclude effective, timely conflict resolution.

Aside from common sense and behavioral insights, the most useful source of risk information may very well be past project experience. To begin with, past projects are a barometer of likely project risks … if it happened once before under similar circumstances, it may very well happen again. In addition, past project experience may be the best statistical basis upon which “unique” risks can be identified. For example, until you have attempted a technology migration project, or an office relocation project, you may never be able to fully appreciate the unique series of risks presented. Only experience can uncover the truly unique risks … those born out of certain projects, in certain environments, and under certain conditions.

There is no simple formula for risk identification, but with the use of common sense, logic, insight, and past experience, you will uncover the vast majority of risks you are likely to encounter.

Appendix E: Risk Identification Reference Checklist

Risk Management Strategy – Part Three: Assigning Probabilities

Once project characteristics have been identified, and risks have been named, probability must be addressed. It makes little sense to expend valuable time and precious resources in an effort to assess and control improbable risks. Risk management efforts should be realistic and well placed.

As such, risk management should apply to risk events that are more than just possibilities … to warrant further time and attention, risks must be probabilities, i.e. they must be realistic and likely to happen. With this perspective, you can focus attention on appropriate risk priorities, allocating valuable time and resources to risk events and circumstances that can threaten project success in a realistic and tangible way.

Absent a crystal ball, risk probability assessment is largely a product of common sense and experience.

• What problems have you experienced in the past in similar projects?

• Could any of those problems have been predicted … i.e. did they appear as risks before they became problems?

• Could any of those problems be repeated in this project?

• Based on prior project circumstances, compared to current project conditions, how likely is it that similar risks will occur?

See the “Questions to Consider” Summary


The answers to these questions will help you to assess risk probability. If, as you complete this analysis, you find that past project experience is indeed prologue, you can use that knowledge and experience to apply a sliding scale of risk probability, ranging from low to high…

Low = Highly unlikely

Medium = 50 – 50 chance

High = Highly likely

Used in conjunction with project characteristics and named risks, you can use probability as a means of pinpointing risks for further analysis and action. But, risk probability offers only a partial picture for analysis. At this point, you may be able to exclude risks that are highly unlikely, but in order to fully assess risks and plan further actions, you must be able to evaluate risk impact … i.e. if this risk were to occur, what would be the likely consequences? This brings us to the next step in the risk management process, evaluating impact targets and values.

Risk Management Strategy – Part Four: Assessing Impact Targets and Values

The assessment of impact targets and values is all about consequences … how and to what degree will a given risk affect any given project? Again, consequences are tough to predict, but prior experience can once again be a valuable indicator…

As you examine individual risks in the light of past projects, you will need to address the following key questions…

• Can this risk affect the quality and usefulness of planned project deliverables?

• Can this risk increase project costs and expenses?

• Can this risk delay or otherwise interfere with timely project completion?

• Can this risk impede the project planning and management process?

• Can this risk affect the stability of the overall project work environment?

See the “Questions to Consider” Summary

As these questions show, risks can impact a given project in any number of ways. For planning purposes, risk impact can be most simply measured in terms of risk targets. Within this workbook, we have identified five distinct risk target categories as follows:

Risk Target Categories:

Quality: to threaten the quality of the project result

Costs: to threaten project budgets and funding availability

Schedules: to threaten timely project completion

Management Processes: to threaten the effectiveness of the project process

Project Environment: to threaten the stability of your project environment, its team and overall working conditions

Once you can identify likely targets for any given risk, you will need to determine the extent of the impact. At this point, one defining question must be addressed: if this risk occurs, will the consequences be serious enough to warrant further action? To answer this question, you must be able to quantify the impact. To that end, risk impact can be graded along a scale similar to that used to grade risk probability:

Low = Not serious

Moderate = Moderately serious

High = Very serious

In practical application, these ratings are largely subjective, applied on the basis of experience, common sense and the specifics of the project at hand. As you look at risk impact, a few practical guidelines can be applied to help you determine whether the “low”, “medium” or “high” label is warranted. Consider the illustrations offered below:

Considering an impact on quality:

Can this risk cause a degradation in the quality of project outcome serious enough so that the result will be different than what is needed and expected?

Yes = a moderately serious to very serious impact

No = a low impact

Considering an impact to cost:

Can this risk cause an increase in project costs to the degree that additional funds may not be approved, or the project cannot be completed?

Yes = a moderately serious to very serious impact

No = a low impact


Considering an impact to schedules:

Can this risk cause a schedule delay that cannot be absorbed, and as such, will threaten the successful completion of the project as currently planned?

Yes = a moderately serious to very serious impact

No = a low impact

Considering an impact on management processes:

If this risk occurs, will standard management processes be abandoned or modified to the extent where consistency, quality, or other projects are threatened?

Yes = a moderately serious to very serious impact

No = a low impact

Considering an impact on the project environment:

Can this risk cause problems in the project environment, creating stress, burnout and other internal conflicts such that overall project success is threatened?

Yes = a moderately serious to very serious impact

No = a low impact

Putting It All Together….

To complete the assessment picture, the analysis of risk probability, impact and target values should be combined into one comprehensive perspective … forming a risk threshold.

Risk threshold is the level of risk that can be withstood within any given project, used as a measure of “priority” for risk control and response planning. As you can see from the discussion to this point, risk management is a complicated process, filled with many variables and nuances. And, above all, it all takes time. Depending on the particular project, you may or may not have the time to devote to full-scale risk management. As a result, you may need to focus specific risk management activities on those risks of the highest probability and greatest impact. With the use of risk thresholds, you can set useful guidelines to ensure that the most critical risks receive the most effort and attention.

Determining Risk Priorities and Thresholds….

Table 3: Risk Management Thresholds provides a matrix for assessing risk priorities. This matrix is based on the premise that risk priorities are best determined through a careful balancing of impact and probability, with impact getting first consideration. Under this process, risks with a “moderate” impact, and “high” probability (Code: MH) are assigned a higher priority score than risks designated as “SL” (serious impact, low probability).


Considering the time constraints under which most projects are undertaken, limited time may be available for risk management and related activities. While you may want to prepare for all risks, realities prevail, and choices have to be made as to how time and resources are best spent. In this instance, it may be wise to focus on risks with a more moderate impact, but a higher probability of occurrence, rather than risks with more serious impact potential, but a much lower probability of occurrence.

TABLE 3: RISK PRIORITY MATRIX

Related Worksheet Tools: The Risk Identification Worksheet; The Risk Assessment & Response Template

Impact      Probability   Code   Priority Score
Serious     High          SH     1
Serious     Medium        SM     2
Moderate    High          MH     3
Moderate    Medium        MM     4
Serious     Low           SL     5
Moderate    Low           ML     6
Low         High          LH     7
Low         Medium        LM     9
Low         Low           LL     10

As you look to apply these strategies, always keep an eye on flexibility and individual circumstances. Priorities can and do change within any project, and it is important to modify policies and procedures as needed to best suit individual circumstances and requirements. As such, it is important to establish risk thresholds that are well suited to the needs of the project at hand.

Risk Management Strategy – Part Five: Response and Control Planning

Once risks have been fully identified and analyzed, response strategies must be selected and planned.

Once again it is important to note that there is no one best approach to risk response and control, and that individual response strategies will vary based on project requirements and the nature of the risks identified. But, specific response strategies can still be boiled down to three primary possibilities….

1. You can decide to move on with the project without taking any further actions to control or respond to one or more risks. This is known as risk acceptance.

2. You can take action to eliminate one or more risks in entirety. This is known as risk avoidance.

3. You can take action to minimize the probability and impact of potential risks. This is known as risk mitigation.


The following chart, Table Four: Risk Response Matrix, illustrates the theoretical distinctions between these three risk response alternatives:

TABLE 4: RISK RESPONSE MATRIX

Related Planning Worksheets: Risk Assessment & Response Template

The Basis

Acceptance: Results of the risk identification and assessment process.

Avoidance: Results of the risk identification and assessment process.

Mitigation: Results of the risk identification and assessment process.

The Strategy

Acceptance: To proceed with the project without any further action to control risks.

Avoidance: To avoid risk through substantial project changes, or in the absence of other alternatives, project cancellation.

Mitigation: To minimize risk potential and impact through carefully crafted management procedures and strategies.

The Reasoning

Acceptance: As a strategy, risk acceptance is not meant to imply “risk ignorance”. The decision to accept risks is based on the premise that further risk action will either be non-productive, too time-consuming or too costly. In essence, when you decide to accept project risk, you have decided to “take the chance”.

Avoidance: In risk avoidance, the goal is to eliminate the risk in entirety, largely because risks are too great, and the costs of risk mitigation would exceed expected project benefits. To avoid risks, you may need to cancel the project or enact substantial planning changes so that associated risks are eliminated.

Mitigation: Risk mitigation is based on the premise that project benefits outweigh the costs of risk mitigation. The project is the imperative, and you must go ahead – despite the obstacles. Therefore, the goal of effective mitigation is to minimize risk probability and impact, and to be prepared with alternative actions should risk potential be realized.

Once again, there are no hard and fast rules as to when and how to apply these basic risk control strategies. However, there are certain practical realities to consider….

Under most circumstances, the decision to accept risks is probably too extreme, except for the simplest projects, where risk control offers little or no benefit. Most of us cannot afford to just accept risks without some further planning and analysis ….. just in case.

Avoidance can also be an extreme measure, particularly when project cancellation is the chosen solution. Under the right set of circumstances, projects may very well be management directives, and despite any obvious technical or logistical risks, “the show must go on”. Under these circumstances, project cancellation is probably not an option. However, it is important to remember that cancellation (or postponement) is not the same as failure (or risk aversion), and sometimes project risks are just too great to warrant continuation. This is probably the most compelling argument for risk assessment … if a project is to be cancelled or postponed due to excessive risk, you must be in a position to make that case, and justify your recommendations. Only an effective, realistic risk assessment can provide you with sufficient information to make that case.


In all likelihood, the most common risk control action is mitigation. In essence, mitigation is a combination of acceptance and avoidance. There are two levels of risk mitigation - proactive mitigation, to prevent risks, and responsive mitigation, to respond when and if risk events occur. Depending on individual risks and project circumstances, these levels of mitigation can be deployed in any number of ways…. you may decide to alter project plans and schedules, or to take other specific actions to minimize the chance that a risk will occur. In addition, you can also develop contingency plans that will be enacted only if the risk actually occurs .... "i.e. if this happens, I will do that, but until then, I will stick with the original plan".

Risk Response – Practical Applications

The selection and application of specific response and control strategies will vary according to project circumstances, time, and available resources. When faced with the selection and development of risk response and control strategies, several key questions must be addressed….

• What is your goal?
• Which response offers the best chance of meeting that goal?
• Which response is possible – i.e. what actions are realistic in terms of time, resources, skills and costs?
• Who must be involved in developing, selecting and approving risk response decisions?

And, once preliminary response decisions are made, additional questions must be addressed if mitigation is the chosen alternative….

For proactive mitigation…..

• Is proactive mitigation possible and worthwhile?
• If so, what steps can be taken to prevent the risk from occurring?
• Who is responsible for activating and implementing the prevention plan?
• How will the prevention plan be integrated into ongoing project activities in terms of planning, execution, oversight and communication?
• What are the costs associated with the prevention plan?
• What resources will be required to execute the prevention plan?
• How will project schedules and deliverables be affected?

For responsive mitigation…..

• Is responsive mitigation possible and worthwhile?
• If so, what event criteria will be used to trigger the response?
• Who is responsible for activating and implementing the response plan?
• How will the response plan be integrated into ongoing project activities in terms of planning, execution, oversight and communication?
• What are the costs associated with the response plan?
• What resources will be required to execute the response plan?


• How will project schedules and deliverables be affected?
• Is a response test plan required to ensure that the planned response is effective?

See the “Questions to Consider” Summary

And, from a practical perspective, each chosen response strategy carries with it a different set of implementation steps…..

Acceptance:

Step 1: Document the results of the risk assessment process.

Step 2: Recommend acceptance of risks.

Step 3: Continue with projects as planned unless and until circumstances change to warrant reconsideration of risk acceptance.

Avoidance:

Step 1: Document the results of the risk assessment process.

Step 2: Recommend risk avoidance and pursue one of the following options….

• Cancel or postpone the project if needed.
• Outsource the project as a means of avoiding internal risks.
• Enact substantive project changes to one or all the following - project requirements, scope, deliverables, budgets and resources so that one or more risks are fully eliminated or avoided.

Mitigation:

Step 1: Document the results of the risk assessment process.

Step 2: Identify risk prevention and impact reduction alternatives which can include:

• modifications to project deliverables to minimize risk potential
• modifications to project schedules
• reallocations of resource assignments, roles and responsibilities
• additional training for project staff
• the acquisition of critical products and services earlier than needed


Step 3: Develop risk contingency plans:

Risk control activities that will be enacted only if the risk occurs….

• modify deliverables in response to risk occurrence
• modify project plans, tasks and schedules to respond to risk occurrence
• add additional resources to project teams
• purchase additional equipment
• reallocate resources and/or equipment from other projects
• authorize overtime and additional work hours to compensate for risk occurrences
• postpone or cancel other projects so that resources can focus on the project at hand
• authorize additional expenditures in order to deal with risk occurrences

At the end of the day, your chosen risk control strategies will come down to needs and capabilities …. how important is the project, and how far can you go in your efforts to control risks? As you go through this important analytical process, you will need to consider the following types of questions……

• What are the costs associated with each risk control activity? You will need to identify all costs associated with risk avoidance and mitigation, which can include equipment, overtime or additional resources. You will need to know whether these risk control measures are affordable, within budget, and above all, do they make sense in consideration of other business objectives?

• Do you have sufficient resources and skills to respond to risks? You will need to identify resource requirements for risk avoidance and mitigation activities in terms of staff, skills and available time. Risk control requirements can change the nature and direction of any project, taking it outside the skill boundaries of your internal staff. You may have the expertise to create risk mitigation plans, but do you have the skills and the time necessary to execute those plans?

• What impact will risk contingency plans, once invoked, have upon your staff, and your ability to complete other work? As previously discussed, risk control plans and activities can change a project, and those changes can be substantial. As you develop your risk control strategies, you will need to consider corresponding project changes, and the impact those changes can have upon your overall workload of projects and ongoing operational activities. In a multi-project environment, any change in one project can cascade down to other projects, even if they are seemingly unrelated. For that reason, when planning project risk control strategies, you must consider both the project, and your overall work environment.

Keeping these issues and strategies in mind, we are now ready to put theory into action, with a review of risk management mechanics….. the procedures by which risk management strategies are implemented.


CHAPTER TWO: RISK MANAGEMENT MECHANICS

Having examined the strategic elements of the risk management process, we can now turn to the mechanics …. the actual implementation of risk management strategies through tangible procedures and steps….

Step by Step to Risk Management….

In order to ensure that risks are properly and consistently evaluated, risk management strategies should be backed up by sound, structured steps for execution and implementation.

To that end, this workbook lays out the essential procedures and steps involved in risk management mechanics. We begin by examining the primary elements involved, structured into a five-category workflow…..

Risk Management Mechanics – Part One: Origination

Risk origination procedures establish the mechanics by which risks are initially identified and raised for further analysis and consideration. As previously discussed, risk management takes place throughout the entire life of a project …. from start to finish. Therefore, risks can be identified and raised at any time. In order to ensure that proper attention is paid to each and every risk possibility, procedures should be established to allow for ready identification at any point in a project.

To that end, risk origination procedures should provide structured formats and methods by which risks are raised and communicated. Such methods and formats can range from the simple to the technically complex, and may involve the use of paper forms or electronic databases. But, whether paper or electronic, the methods and formats by which risks are first raised should provide for the entry of certain basic information….

• Preliminary risk data – what is the nature of the risk and potential impact on the project?
• The name of the individual raising the risk
• The date the risk was raised
• A target response date – when must this risk be analyzed and addressed?

RISK MANAGEMENT PROCEDURAL FLOW:

1. Origination
2. Assignment
3. Execution
4. Oversight
5. Closure


This risk origination process should also include a mechanism for risk receipt and acknowledgement. Once the risk origination form is submitted or the database entry is made, its existence should be acknowledged in some formal manner. Once again, specifics will vary based on the methods and tools used, but acknowledgement procedures should include some sort of tangible “receipt”, confirming that a risk was raised. This “receipt” can be a written communication, the assignment of an id number, or an entry into a risk assessment queue.

Methods and formats for initial risk identification will vary based on the project at hand, the size and structure of your project team, and internal technical capabilities. However, whether you submit risks on paper, or whether you use database systems to record risks as they are raised, origination procedures should ensure that once risks are raised, they can be heard, and that timely, appropriate action can be taken.

Risk Management Mechanics – Part Two: Assignment

Risk assignment procedures establish the mechanics by which risks are assigned to appropriate staff members for further analysis and action. Risk assignment procedures should address the following:

• Risk review assignments …. i.e. how are risk assignments to be made within your organization and for any given project? Depending on specific needs and organizational circumstances, risks may be assigned to individuals, to the project team as a whole, or to a specific team of individuals created to handle risk reviews (i.e. a Risk Review Team). Whatever structure is chosen, that decision should be made at the start of the project.

• Roles and responsibilities within risk review process. No matter how risks are assigned, intended roles and responsibilities should be clearly defined. This establishes clear expectations for the project team, and lays a proper foundation for effective risk review. While the actual allocation of roles and responsibilities may vary, there are certain defining elements that should be part of any specification of roles and responsibilities:

Risk Originator: the individual or team who first identifies a risk, and enters said risk into the established origination process.

Risk Analyst: the individual or team responsible for analyzing risks according to established risk management criteria and strategies. Responsibilities of the risk analyst(s) can include risk categorization, probability and impact value assessments, and the recommendation of response and control strategies.

Risk Manager: the individual or team responsible for overall risk management and oversight. Responsibilities of the risk manager can include response strategy approval, and the related oversight of risk management activities, including the success of control strategies and changes in the status of risk probabilities.

The Project Team: once project risks are identified, analyzed and controlling strategies are determined, those strategies must be incorporated into the existing project plan, and executed as part of the overall project. In all likelihood, the project team will be responsible for carrying out those changes.

These various roles and responsibilities can be assigned in any number of ways. In a small project environment, one individual may wear many hats. In a large project environment, there may be separate teams and individuals assigned specifically to deal with project risks. In fact, risk management may be handled by groups or individuals outside of the project structure itself … as can occur in a project audit situation. No matter how your project team is structured and sized, risk management roles and responsibilities should address ….

• Who can originate risks?
• Who will be responsible for risk review and analysis?
• Who will be responsible for developing and selecting risk response and control strategies?
• Who will be responsible for approving risk assessments and related response and control strategies?
• Who will execute risk response and control plans?
• Who will monitor risk status and the progress of any risk management activities?
• Who will approve risk closure?
• Who will be responsible for reviewing the success of the risk management process?

See the “Questions to Consider” Summary

Risk Management Mechanics – Part Three: Execution

Risk management execution procedures determine the actual steps involved in the risk review process, establishing the sequence of events and flow of information as risks are identified and evaluated. For planning purposes, these execution steps can be broken down into seven elements, as follows:

1. The risk is raised and initially identified.
2. The risk is assigned and prioritized for further action.
3. The risk is reviewed according to established criteria (category, probability, impact and target values).
4. Risk response strategies are devised (acceptance, avoidance or mitigation)
5. Risk response strategies are approved.
6. Risk response strategies are implemented as needed.
7. Risk management activities as listed above are documented.

These steps form the heart of the risk review process in terms of tangible execution.
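The seven execution steps, together with the origination fields from Part One and the Table 3 priority scores, can be enforced by a small risk register. The Python below is an added illustration and not part of the workbook; the class and method names, the step labels, the sample risks and the choice to compute the priority score at review time are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Table 3, (impact, probability) -> priority score, copied as printed
# in the workbook (the printed scores jump from 7 to 9).
PRIORITY = {
    ("serious", "high"): 1, ("serious", "medium"): 2,
    ("moderate", "high"): 3, ("moderate", "medium"): 4,
    ("serious", "low"): 5, ("moderate", "low"): 6,
    ("low", "high"): 7, ("low", "medium"): 9, ("low", "low"): 10,
}
# The seven execution steps in order; the labels are this example's own.
STEPS = ("raised", "assigned", "reviewed", "response_devised",
         "response_approved", "response_implemented", "documented")
RESPONSES = ("acceptance", "avoidance", "mitigation")


@dataclass
class Risk:
    risk_id: int
    description: str
    raised_by: str
    raised_on: date
    respond_by: date              # target response date
    step: str = "raised"
    score: Optional[int] = None   # set at review, from Table 3
    response: Optional[str] = None
    history: List[Tuple[str, str]] = field(default_factory=list)


class RiskRegister:
    def __init__(self):
        self._risks = {}

    def raise_risk(self, description, raised_by, raised_on, respond_by):
        """Origination: store the basic fields; the returned id is the receipt."""
        risk_id = len(self._risks) + 1
        risk = Risk(risk_id, description, raised_by, raised_on, respond_by)
        risk.history.append(("raised", raised_by))
        self._risks[risk_id] = risk
        return risk_id

    def _advance(self, risk_id, step, actor):
        """Move a risk to `step` only if it is the next step in sequence."""
        risk = self._risks[risk_id]
        nxt = STEPS.index(risk.step) + 1
        if nxt >= len(STEPS) or STEPS[nxt] != step:
            raise ValueError(f"risk {risk_id}: {risk.step!r} -> {step!r} not allowed")
        risk.step = step
        risk.history.append((step, actor))   # who did what, for the record
        return risk

    def assign(self, risk_id, analyst):
        self._advance(risk_id, "assigned", analyst)

    def review(self, risk_id, analyst, impact, probability):
        key = (impact.lower(), probability.lower())
        if key not in PRIORITY:               # validate before changing state
            raise ValueError(f"unknown rating {key}")
        risk = self._advance(risk_id, "reviewed", analyst)
        risk.score = PRIORITY[key]
        return risk.score

    def devise(self, risk_id, analyst, response):
        if response not in RESPONSES:
            raise ValueError(f"unknown response {response!r}")
        self._advance(risk_id, "response_devised", analyst).response = response

    def approve(self, risk_id, manager):
        self._advance(risk_id, "response_approved", manager)

    def implement(self, risk_id, actor):
        self._advance(risk_id, "response_implemented", actor)

    def document(self, risk_id, actor):
        self._advance(risk_id, "documented", actor)

    def work_queue(self, threshold):
        """Reviewed risks not yet at the last step whose score is within the
        threshold, ordered by priority score, then target response date."""
        picked = [r for r in self._risks.values()
                  if r.score is not None and r.score <= threshold
                  and r.step != "documented"]
        return sorted(picked, key=lambda r: (r.score, r.respond_by))


def demo():
    """Constructed sample risks; returns the ids that fall within threshold 5."""
    reg = RiskRegister()
    raised = date(2002, 3, 1)
    samples = (
        ("Key vendor may deliver hardware late", "moderate", "high", date(2002, 3, 15)),
        ("Site outage during cutover weekend", "serious", "low", date(2002, 3, 8)),
        ("Disagreement over report wording", "low", "medium", date(2002, 4, 1)),
    )
    for text, impact, probability, due in samples:
        rid = reg.raise_risk(text, "originator", raised, due)
        reg.assign(rid, "analyst")
        reg.review(rid, "analyst", impact, probability)
    return [r.risk_id for r in reg.work_queue(threshold=5)]


if __name__ == "__main__":
    print(demo())
```

With a threshold of 5, the moderate/high risk (MH) is queued ahead of the serious/low risk (SL), and the low/medium risk falls outside the threshold, which is the ordering Table 3 describes.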


Risk Management Mechanics – Part Four: Oversight

As previously noted, the risk management process is an ongoing effort that lives throughout the entire project cycle. This is not meant to imply that every element of the risk management process will be executed in all circumstances. If risks fail to materialize, you may never have to take any further action for control and mitigation. However, that does not mean that you can avoid risk oversight. Effective risk management oversight has two unique dimensions – status measurement and progress measurement.

Status measurement:

Whether or not risks ever materialize, risks still have to be measured and monitored for any apparent change in status. In the initial risk assessment process taking place at the start of a project, potential risks are identified and evaluated. At that point in time, it may appear that certain risks are unlikely, or that their impact will be insignificant. However, as the project ensues, circumstances may change, and risks once thought to be unlikely and insignificant can suddenly become very likely, and quite dangerous. For this reason, potential risks must be continually monitored as a project progresses. You can never tell when risk conditions will change or when new risks will arise, and to prevent unpleasant surprises, periodic risk reviews should be undertaken as often as practical and whenever needed. At the very least, monthly risk review sessions should be built into your overall project management process.

Progress Measurement:

Risk oversight procedures must also be designed to monitor the timing and completion of all scheduled risk identification, evaluation and control activities. There are two primary elements to risk progress measurement, detailed as follows:

1. Management of the risk review schedule, which can include organization and prioritization of the risk review queue. Progress must be readily measured to ensure that risks are reviewed on a timely basis, and to maintain a realistic risk review schedule suited to project circumstances, overall project status, and external resource demands.

2. Management of individual risk activities, to include the status of all tasks and decisions necessary to manage individual risk events….

• Have risk review assignments been completed as needed?
• Have response and recovery action plans been completed as needed?
• Have risk response plans been properly communicated so that the project team can act upon them?
• Are mitigation activities working?

And, above all, the risk management oversight process must provide the authority, ability and the obligation to act if risk management results are not as expected, and as needed to ensure successful project completion.


Risk Management Mechanics – Part Five: Closure

The final element of the risk management process is closure …. the point at which risks are sufficiently resolved so that no further action is warranted. This is not meant to imply that closure only arrives through resolution or elimination. Risk management closure procedures can be applied at several points in the project cycle ….

Risk closure is appropriate when …..

• A risk is raised and no further analysis is warranted.

• A risk is realized, and response actions are completed so that the risk no longer exists.

• The time or circumstances under which a risk can occur expires.

• The project is cancelled or completed.

Risk closure procedures involve several basic steps:

1. Risk status is assessed to determine if a risk is “open” (meaning that further analysis or action may be required) or “closed” (no further action or analysis is required).

2. Risk status is documented. This documentation should address all elements and results of the risk management process as pertaining to the risks at hand. This should include the completion of all forms, and documented evidence of the ways and means by which specific risks were evaluated, as well as the results of the risk response and control activities.

3. Lessons learned are analyzed and recorded. Every project should conclude with a post project review, to include a comprehensive Lessons Learned Analysis. Any effective Lessons Learned Analysis should include an examination of the risk process itself, as well as an evaluation of risk management processes as a contributing factor to overall project success or failure….

Lessons Learned and the Risk Management Process

• Were all risks properly identified, assessed and controlled?
• Were any truly predictable events missed?
• How can risk management processes be improved in the future?


Lessons Learned in Light of the Overall Project

• Overall, was the project a success?
• If the project was a success, did risk management play any part in that success?
• If the project was not a success, could improved risk management have made a difference?

SUMMARY:

As this workbook has shown, project risk management is a combination of strategies, tactics, policies and procedures. The ultimate goal of risk management is to create realistic processes for resolving project risks, so that time is well spent, and project results are appropriately protected. Above all, risk management strategies and practices must be well suited to the projects encountered, and to individual organizational needs and capabilities. To create your own plan for project risk management, you will likely face several key steps and decisions. These steps and decisions have all been specified and examined in the previous pages, and for quick reference, are summarized as follows:

⇒ Part 1: Steps
⇒ Part 2: Questions to Consider
⇒ Part 3: Risk Review Process Flowchart

PART 1 - THE STEPS:

Step One: To develop and determine the criteria you will use to evaluate risk:

• Project Characteristics
• Risk Categories and Types
• Risk Probabilities
• Risk Targets and Impact
• Response and Control Strategies

Step Two: To develop and determine the approaches taken to control risk:

• Acceptance
• Avoidance
• Mitigation

Step Three: To develop and determine the means by which assessment and response strategies are applied within the real world project environment.

• Origination
• Assignment
• Execution
• Oversight
• Closure


PART TWO: QUESTIONS TO CONSIDER:

The following section summarizes the key “questions to consider” as you go through the risk management planning and evaluation process:

Project Evaluation Questions:

• Is risk management necessary for this particular project?

• What benefits can be realized from risk management for this particular project?

• If risk management is necessary, should all policies and procedures be followed, or should procedures be resized to suit the needs of the project, available time, and available resources?

• Should more attention be paid to specific areas of risk than to others?

Risk Probability Questions:

• What problems have you experienced in the past in similar projects?

• Could any of those problems have been predicted …. i.e. did they appear as risks before they became problems?

• Could any of those problems be repeated in this project?

• Based on prior project circumstances, compared to current project conditions, how likely is it that similar risks will occur?

Risk Impact Questions:

• Can this risk affect the quality and usefulness of planned project deliverables?

• Can this risk increase project costs and expenses?

• Can this risk delay or otherwise interfere with timely project completion?

• Can this risk impede the project planning and management process?

• Can this risk affect the stability of the overall project work environment?

Risk Response Planning Questions:

• What is your goal?


• Which response offers the best chance of meeting that goal?

• Which response is possible – i.e. what actions are realistic in terms of time, resources, skills and costs?

• Who must be involved in developing, selecting and approving risk response decisions?

For proactive mitigation…..

• Is proactive mitigation possible and worthwhile?

• If so, what steps can be taken to prevent the risk from occurring?

• Who is responsible for activating and implementing the prevention plan?

• How will the prevention plan be integrated into ongoing project activities in terms of planning, execution, oversight and communication?

• What are the costs associated with the prevention plan?

• What resources will be required to execute the prevention plan?

• How will project schedules and deliverables be affected?

For responsive mitigation…..

• Is responsive mitigation possible and worthwhile?

• If so, what event criteria will be used to trigger the response?

• Who is responsible for activating and implementing the response plan?

• How will the response plan be integrated into ongoing project activities in terms of planning, execution, oversight and communication?

• What are the costs associated with the response plan?

• What resources will be required to execute the response plan?

• How will project schedules and deliverables be affected?

• Is a response test plan required to ensure that the planned response is effective?

Roles & Responsibilities Questions:

• Who can originate risks?


• Who will be responsible for risk review and analysis?

• Who will be responsible for developing and selecting risk response and control strategies?

• Who will be responsible for approving risk assessments and related response and control strategies?

• Who will execute risk response and control plans?

• Who will monitor risk status and the progress of any risk management activities?

• Who will approve risk closure?

• Who will be responsible for reviewing the success of the risk management process?

Risk Oversight Questions:

• Have risk review assignments been completed as needed?

• Have response and recovery action plans been completed as needed?

• Have risk response plans been properly communicated so that the project team can act upon them?

• Are mitigation activities working?

Lessons Learned Questions:

Risk Management Lessons Learned:

• Were all risks properly identified, assessed and controlled?

• Were any truly predictable events missed?

• How can risk management processes be improved in the future?

Lessons Learned in Light of the Overall Project

• Overall, was the project a success?

• If the project was a success, did risk management play any part in that success?

• If the project was not a success, could improved risk management have made a difference?

PART 3: RISK REVIEW FLOWCHART

ORIGINATION: Risks are raised and initially identified.

ASSIGNMENT: The risk is assigned as needed for further analysis.

EXECUTION: Risk is reviewed and analyzed.

Is further action required?

• NO: CLOSURE: Risk is closed and fully documented.

• YES: Continue with the risk response steps.

EXECUTION: Risk response created.

EXECUTION: Risk response implemented.

OVERSIGHT: Risk response monitored.

Risk Closed? (NO / YES)

Notes: This overall process will be ongoing until all risks are resolved or the project is closed or cancelled.

Risks are reviewed for additional facts and further action until closure is possible….

CHAPTER THREE: TOOLS FOR RISK MANAGEMENT

Relying on the concepts, strategies and steps provided in the previous chapters, this section provides specific tools to be used as you plan and implement your risk management program.

This attached series of five interactive worksheets, checklists and templates is designed to help you plan risk management procedures, and implement related strategies and tasks.

Appendix A: The Risk Management Procedures Worksheet

Purpose: To be used for planning risk management procedures for all projects, specific types of projects, or any one individual project.

Timing: This worksheet can be used at the start of a project, or at any point when risk management procedures require revision or further development.

Preparation: To complete this worksheet, you will need to consider your technical alternatives and formats for risk communication, staff roles and responsibilities, the sequence of events in risk process execution, and required steps and criteria for risk management oversight and closure.

Appendix B: The Risk Identification Worksheet

Purpose: To be used for naming and evaluating project risks according to category, impact, probability, priority and target value.

Timing: This worksheet can be used at the start of a project, or at any point when risks are best viewed from a global “project” perspective.

Preparation: To complete this worksheet, you will need to consider the types of risks you may encounter, and be prepared to analyze and assess those risks according to impact, probability, priority and target value. This worksheet is divided into five sections according to the five established categories of project risks.

Appendix C: The Risk Assessment and Response Template

Purpose: To be used for assessing risk details and planning response strategies.

Timing: This template can be used at any point when risks are best viewed individually and in detail in terms of identification, analysis and response.

Preparation: To complete this worksheet, you will need to consider the types of risks you may encounter in a given project, and be prepared to analyze and assess those risks according to impact, probability, priority and target value. In addition, you should also be prepared to complete a risk impact statement, and to identify, justify and specify your recommended risk response strategy.

Appendix D: The Risk Status Worksheet

Purpose: To be used for tracking risk status and response plan progress.

Timing: This worksheet can be used at any point in a project when risk progress and status must be tracked and evaluated.

Preparation: To complete this worksheet, you will need to consider the status of all major phases and tasks in the risk review and response process, including specification of all tasks required to implement risk response plans. You should be prepared with task specifics including task-numbering schemes, start dates, descriptions, target completion dates and current status.

Appendix E: The Risk Identification Reference Checklist

Purpose: To be used as a reference guide for risk identification, providing a checklist of common project risks sorted by category.

Timing: This checklist can be used at the start of a project, or at any point when project circumstances indicate that further risk identification is warranted.

Preparation: To complete this checklist, you will need sufficient information about your project to select appropriate and likely risks. This checklist provides a list of common risks organized according to the following categories:

⇒ Management Risks
⇒ Technology Risks
⇒ Resource Risks
⇒ Organizational Risks
⇒ External Risks

As you consider these categories and the specific risks provided, you should also be prepared to enter any additional, unique risks for future analysis and consideration.

Happy planning…..

THANK YOU FOR YOUR PURCHASE FROM ITTOOLKIT.COM

IT Management Workbooks are published and produced by Right Track Associates, Inc., information technology consultants, and producers of ITtoolkit.com. Having had many years of practical IT experience, with small companies, and large corporations, we know what it is like to be on the front lines of IT services and support. No matter how your IT shop is sized and structured, IT "people" face certain professional realities....

THE IT REALITY.....

• No matter how many staff members you have, it is never enough....

• No matter how large your operating budget is, it is never enough....

• No matter how many projects you complete, or problems you solve, there are always more projects and problems waiting in the wings....

• For every end-user who is happy with you, someone else is probably annoyed.....

• Just when you think you have a handle on all the latest technology changes, something new comes along....

• It is difficult to keep up with the latest trends and skills when you are faced with a never-ending stream of projects, problems and end-user requests....

• It is hard to keep IT staff motivated, engaged and "appreciated"....

STAY AHEAD OF THE CURVE:

In short, IT work is stressful and challenging. Time is always of the essence, but time is also always in short supply. Under these circumstances, productivity is essential - to make the most of the resources and time that you do have. And, we have learned that the right set of practices, policies and practices can make the difference between total frustration and the chance to succeed.

Our series of IT Management Workbooks has been written and produced with this in mind ... to give you practical ideas, ready-to-apply processes, and useful tools.... so you can stay ahead of the productivity curve.

We invite you to examine our series of electronic workbooks, available for easy online purchase as single titles, or as multiple titles bundled into specially priced collections - giving you more tools and information at special savings.

Planning Guides Process Templates Interactive Worksheets Workbook Product Bundles ….. Save 20 – 30%