"If something can go wrong, it will" - Murphy's Law
Creating an effective risk management plan is an important part of any project, but unfortunately it is often treated as something that can be addressed later. However, setbacks happen, and without a well-thought-out plan, even small problems can become emergencies. There are different types of risk management with different uses, including assessing credit stability, determining the length of a guarantee and calculating insurance rates. In this article, we will look at risk management as planning for adverse events.
Steps
Step 1. Understand how risk management works
Risk is the effect (positive or negative) of an event or series of events occurring in one or more places. It is calculated from the probability of the event happening and the damage it would cause (Risk = Probability * Damage). Various factors need to be identified to analyze the risk, including:
- Events: what could happen?
- Probability: what is the probability of an event happening?
- Damage: what will be the consequences of the event?
- Mitigation: how can you reduce the likelihood (and by how much)?
- Contingency: how can you reduce the damage (and to what extent)?
- Reduction = Mitigation * Contingency
- Exposure = Risk - Reduction
- Once you have identified all the elements listed, the result will be your exposure. This is the amount of risk that cannot be avoided. You will be able to use this value to determine if the activity should be carried out.
- Often the formula boils down to a cost-benefit check. You can use these elements to determine if the risk of implementing a change is lower or higher than if the change was not made.
- Risk assumed. If you decide to continue (in some cases you may not have a choice, for example in the case of changes imposed by law) your exposure becomes what is known as the risk taken. In some environments, the risk taken is translated into dollars and is used to calculate the profitability of the finished product.
Step 2. Define your project
In this article, let's imagine you are responsible for a computer system that offers important (but not vital) information to many people. The main computer hosting this system is old and needs to be replaced. Your job is to develop a migration risk management plan. We will use a simplified model where the risk and damage will be expressed in High, Medium or Low (a procedure commonly used in the design phase).
Step 3. Get other people to participate in the process
Write down a list of possible risks. Gather many people who are familiar with the project and ask for their opinion on what might happen, how to prevent problems, and what to do if they arise. Take lots of notes! You will need to use the data from this meeting many times in the following steps. Try to keep an open mind about everyone's opinions. Stimulate "out of the box" (unconventional) thinking, but don't let the meeting ramble. You will need to be focused on the goal.
Step 4. Identify the consequences of each risk
During the meeting, you will have gathered enough information to understand what would happen if the risk became real. Associate each risk with its consequences. Try to be as specific as possible. "Project delay" is not the same as "Project delay of 13 days". If you can attribute a monetary value, write it down; just writing "Over budget" is too general.
Step 5. Eliminate irrelevant problems
If you have to move, for example, a car dealership database, threats such as a nuclear war, mass epidemic or a killer asteroid are all events that would ruin the project. There is nothing you can do to prepare for these eventualities or to reduce their impact. You can keep them in mind, but do not include them in your risk plan.
Step 6. List all identified risk elements
You won't need to put them in a specific order. Just write them one at a time.
Step 7. Assign the odds
For each risk item on your list, determine if the likelihood of it happening is High, Medium, or Low. If you want to use numbers, assign a probability from 0 to 1: 0.01 to 0.33 = Low, 0.34-0.66 = Medium, 0.67-1 = High.
Note: If the probability of an event happening is zero, you can avoid considering it. There is no reason to consider events that cannot happen (an enraged T-Rex eating the computer).
Step 8. Assign the damage
In general, you can assign the damage as High, Medium or Low based on some predetermined guidelines. If you want to use numbers, assign damage from 0 to 1, as follows. 0.01 to 0.33 = Low, 0.44-0.66 = Medium, 0.67-1 = High.
Note: If the damage of an event is zero, you can avoid taking it into account. There is no reason to consider irrelevant events, regardless of their probability (the dog ate my dinner).
Step 9. Determine the risk for each item
A table is often used for this. If you used the Low, Medium, and High values for Probability and Damage, the top table will be the most useful. If you have used numerical values, you will need to consider a more complex classification system similar to the one in the second table below. It is important to note that there is no universal formula for combining probability and damage; it varies according to the person filling in the table and the project to be analyzed. This is just one example:
Be flexible in your analysis. In some cases it may be correct to switch from the generic designation (high-medium-low) to the numerical one. You can use a table similar to this one.
Step 10. Rank the risks
List all the items you have identified from highest to lowest risk.
Step 11. Calculate the total risk
In this case the numbers will help you. In Table 6, you have seven risks with values H, H, M, M, M, L and L. These can be converted to 0.8, 0.8, 0.5, 0.5, 0.5, 0.2 and 0.2, from Table 5. The average total risk is therefore 0.5, which is a Medium risk.
Step 12. Develop mitigation strategies
Mitigation aims to reduce the likelihood of a risk occurring. Normally you will only have to reduce the High and Medium risks. You may want to mitigate even the smallest risks, but no doubt you will need to deal with the more serious ones first. For example, if one of the elements of risk involves a delay in the delivery of some key components, you can mitigate the risk by ordering them in advance.
Step 13. Develop contingency plans
Contingency refers to measures aimed at reducing the damage caused by an unfavorable event. Again, you will develop contingencies especially for High and Medium risk items. For example, if the core components you need don't arrive on time, you may need to use existing old components while you wait for the new ones to arrive.
Step 14. Analyze the effectiveness of the strategies
To what extent have you reduced the probability and the damage? Evaluate your contingency and mitigation strategies and change the risk level of each event.
Step 15. Calculate your actual risk
Now your seven risks are M, M, M, L, L, L and L, which convert to 0.5, 0.5, 0.5, 0.2, 0.2, 0.2 and 0.2.
The risk is therefore 0.329. Looking at Table 5, we see that the overall risk is now Low. The risk was originally Medium (0.5). After management strategies, your exposure is Low (0.329). This means you have achieved a 34.2% reduction in risk thanks to mitigation and contingency. Not bad!
Step 16. Check the risks
Now that you know what the possible risks are, you will need to determine how to recognize when they arise so that your contingency plans can be put in place. You can do this by identifying Risk Signs. Identify at least one for each of the High and Medium risk items. Then, as the project progresses, you can determine if an element of risk has become a problem. If you don't know how to identify these signs, a risk may materialize and affect the project without anyone noticing, even if you have a good contingency plan in place.
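The scoring in Steps 7 to 15 and the budget rule from the advice section, worked through in Python as an added example (not part of the original article). The seven register entries and the probability-by-damage matrix are constructed assumptions, chosen so that the totals match the figures quoted in the text; the article's own tables are not reproduced here.

```python
from statistics import mean

ORDER = ["Low", "Medium", "High"]
VALUE = {"High": 0.8, "Medium": 0.5, "Low": 0.2}   # conversion quoted in Step 11

# Assumed probability x damage matrix (rows: probability, columns: damage).
# The article stresses there is no universal one; adjust it to your project.
MATRIX = [["Low",    "Low",    "Medium"],
          ["Low",    "Medium", "High"],
          ["Medium", "High",   "High"]]

def band(x):
    """Step 7 bands for a 0-1 value; None means zero, so the item is dropped."""
    if x <= 0:
        return None
    return "Low" if x <= 0.33 else "Medium" if x <= 0.66 else "High"

def level(prob, damage):
    """Combine probability and damage levels into a risk level (Step 9)."""
    return MATRIX[ORDER.index(prob)][ORDER.index(damage)]

def total(levels):
    """Average of the converted risk levels (Steps 11 and 15)."""
    return round(mean(VALUE[lvl] for lvl in levels), 3)

# Constructed register for the server migration: name, (probability, damage)
# before, and (probability, damage) after mitigation and contingency.
REGISTER = [
    ("Data corrupted during copy",       ("Medium", "High"),   ("Low", "High")),
    ("Replacement hardware late",        ("High", "Medium"),   ("Medium", "Medium")),
    ("Users cannot reach new host",      ("Medium", "Medium"), ("Medium", "Low")),
    ("Cutover overruns planned window",  ("Medium", "Medium"), ("Medium", "Medium")),
    ("Old host fails before migration",  ("Low", "High"),      ("Low", "Medium")),
    ("Key staff absent on cutover day",  ("Low", "Medium"),    ("Low", "Medium")),
    ("System documentation out of date", ("Medium", "Low"),    ("Low", "Low")),
]

def assess(register, budget):
    before = [level(*b) for _, b, _ in register]
    after = [level(*a) for _, _, a in register]
    ranked = sorted(zip(register, before), key=lambda r: VALUE[r[1]], reverse=True)
    risk, exposure = total(before), total(after)
    return {
        "ranked": [(item[0], lvl) for item, lvl in ranked],       # Step 10
        "risk": risk, "risk_level": band(risk),                   # Step 11
        "exposure": exposure, "exposure_level": band(exposure),   # Step 15
        "reduction_pct": round((risk - exposure) / risk * 100, 1),
        "reserve": round(budget * exposure),                      # budget rule
    }
```

Calling `assess(REGISTER, 1_000_000)` returns the ranked list together with the before and after totals, the percentage reduction and the reserve for a € 1 million project.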
Advice
- Be prepared to make changes. Risk management is a fluid process, because risks are always changing. Today, you could assign high probability and high damage to an event. One of these aspects could change tomorrow. Furthermore, some risks go out of the picture and others arise over time.
- Always do thorough research. Is there any aspect that you have overlooked? What could happen that you haven't considered? It is one of the most difficult aspects of risk management and also one of the most important. Make a list of risks and check it very often.
- Use a spreadsheet to note risk plans at regular intervals.
- Part of a good emergency plan is figuring out the signs in advance. If there are any signs that a risk is occurring, implement the contingency plan.
- You can use the exposure to determine whether to take the project forward. If the estimated budget for the project is € 1 million and your exposure is 0.329, the general rule is to allocate an additional budget of € 329,000 for risk management. Is it an investment that you can make? If the answer is no, you will need to revise your project.
- Reduction = Risk - Exposure. In this example (again in the case of a € 1 million project) your risk is 0.5 (€ 500,000) and your exposure € 329,000. The value of your reduction is therefore € 171,000. This can be an indication of how much to spend on mitigation and contingency plans.
- If you are an inexperienced project manager, or the project is small, you can save time by skipping the intermediate probability and damage steps and assess exposure right away.
Warnings
- Don't prepare an overly complex risk management plan. It is an important part of the project, but it should not take resources away from the operational parts of the project. If you are not careful you can take into account irrelevant risks and burden your plan with useless information.
- Don't ignore low-risk items entirely, but don't waste too much time analyzing them.
- Don't think you've identified all possible risks. It is no coincidence that another word for risk is unexpected.
- Consider what might happen if two or three things go wrong at the same time. The probability will be very low, but the damage will be very large. Almost all disasters were the result of multiple accidents.