Risk Management Methodology

June 29, 2010 | Author: PM Hut | Filed under: Project Management for Beginners,Risk Identification,Risk Management,Risk Quantification & Analysis

Risk Management Methodology
By Ray W. Frohnhoefer

We have already covered the sources of risk, and now we’ll start looking at a simple methodology which can be employed to evaluate these risks and promote proper risk management. This methodology weaves itself throughout all project management processes since risk should be addressed from project concept through project closure and ongoing operations.

  • Step 1: The first step begins with starting the risk management plan (note: link points to a PDF file on PM Hut and will open in a new window). This document is going to tell stakeholders how we are going to manage risk. Incorporating this methodology can provide most of the “meat” for this type of document.
  • Step 2: The real work begins with risk identification. This typically comes when much of the planning is done so the “hows” of our plan can be used to determine the sources of risk we need to look at. I usually like to get the team together to review the sources of risk for our project, brainstorm the specific risks, then have some of the local subject matter experts review the generated list.

  • Steps 3: This is where the quantitative (determine the probability and impact of risks) analysis occurs. There may be some objective facts and other information to consider, brainstorming, consultation with experts, and review of historical projects necessary to make the proper judgments. The results of this step is the list of risks prioritized by probability and impact (possibly the two multiplied together to give a separate number or organized on a probability impact matrix). Note this step is also a part of project planning.

  • Step 4: Here we are more subjective and qualitative in our analysis. This might include a rank ordering or placement on a probability impact matrix. This is so we can plan our responses to risk (share, transfer, accept, avoid). Note in the diagram there is a loop back to the identification of risks. Why? As we plan our responses, we will need to alter our project plans. As we alter our project plans, we may introduce more risks, so we need to once again make sure we have identified all the risks.

    At this point, we’ve completed our planning and the project is ready to go into execution.

  • Steps 5: As our project progresses, we need to monitor for risks. If one occurs, we need to implement our mitigation strategy. Some larger projects have designated risk monitors who are empowered to employ the mitigation strategies if a risk occurs. As we implement, we need to both go back to monitoring and identification. Why? If our project is constantly in motion, we need to continue to monitor for risks. Also, if we have deployed a mitigation strategy, we’ve once again changed the course of the project and need to go back to see if there are new risk possibilities.

Ray W. Frohnhoefer, MBA, PMP is the Director of the Project Support Office at EDmin as well as a consultant, speaker, writer, educator, and mentor on Project Management. Ray is also the Component Mentor for PMI Region 7 (Southwest North America), a Past President of PMI, San Diego Chapter, Inc., and an adjunct faculty member at three San Diego universities. You can find out more about his professional roles at http://www.edmin.com/company/index.cfm?function=showBioDetail&id=80 and through his blog, Tales from the Project Notebook, at http://projectnotebook.blogspot.com.

3 people have left comments

Good stuff Ray,

But you cannot multiply probability of occurrence with impact.Both are probability distributions and multiplication is not an operator for the integral equations that define those distributions.

Instead use the 5×5 matrix and assess the probability of occurrence on your ordinal scale (A-F) and the expected impact (also a probabilistic outcome) again using A-F.

Then decide what color that cell should be (Green, Yellow, Red).

The illogical situation is easy to define in the multiplication approach .1 (10%) x .9 (90%) is the same an .9 (90%) x .1 (10%). These values may or may not be the same color in the 5×5 chart.

The DoD, DOE, and NASA risk handbook do not use the simple minded PMI approach. Nor should anyone.

Glen B Alleman wrote on June 29, 2010 - 8:24 am | Visit Link

Ray, I am a bit confused with step 3. As I know, qualitative analysis should precede quantitative analysis. The purpose of qualitative analysis is to prioritize identified risks qualitatively, so that we can focus our attention on risks with highest priority. We then do quantitative analysis with these risks only, in order to exactly quantify the impact of them on our project objectives.

The reason why qualitative analysis should precede is that there may be many identified risks at first, and quantitative analysis is time-consuming, so we may not want to perform such comprehensive analysis for every risks on our project.

Long Son

Nguyen Son wrote on June 29, 2010 - 10:43 pm | Visit Link

Glen and Nguyen,

I appreciate the constructive feedback.

Glen, with regard to the multiplication, my intent is that the impact be measured in dollars when possible. Then we have the makings of a decision tree (or possibly a Monte Carlo simulation) which can be used to review the potential outcomes of more complex risk scenarios.

Nguyen, determining the dollar impact is more difficult than determing the probability, and my intent is to calculate the probability first. This allows the PM to focus on the highest priority risks.

There was also a picture illustrating the steps with this article which didn’t make it to this site.


Ray Frohnhoefer wrote on July 2, 2010 - 12:36 am | Visit Link

feel free to leave a comment

Comment Guidelines: Basic XHTML is allowed (a href, strong, em, code). All line breaks and paragraphs are automatically generated. Off-topic or inappropriate comments will be edited or deleted. Email addresses will never be published. Keep it PG-13 people!

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

All fields marked with " * " are required.

Project Management Categories