42 Chapter 3
Risk mitigation is the most common of all the risk handling strategies. It is the process of taking specific courses of action to reduce the probability and/or reduce the impact of risks. This often involves using reviews, risk reduction milestones, novel work approaches, and similar management actions. The project manager must develop risk mitigation plans and then track activities based on those plans. All these actions are built into the project plan (cost plans, schedule plans) and ultimately into the work breakdown structure (WBS).
Through risk mitigation, the project manager may emphasize minimizing the probability that the risk will occur or minimizing the impact if the risk occurs. Depending on the specific risk, either approach may be effective.
Risk Acceptance
Acceptance, also known as retention, is the decision to acknowledge and endure the consequences if a risk event occurs. It is broken down into two basic types: active and passive acceptance.
Passive acceptance is the acceptance of risk without taking any action to resolve it, cope with it, or otherwise manage it. The only actions required in passive acceptance are documentation of the risk, as well as acknowledgement by management and the team (and the customer, if appropriate) that the risk exists and that the organization is willing to endure its consequences, should the risk occur.
Active acceptance acknowledges the risk as well, but calls for the development of contingency plans, and in some cases, fallback plans.
Contingency plans are implemented to deal with risks only when the risk events come to pass. This may include detailed instructions on how to manage risks retroactively or may be as simple as a contingency reserve budget established for the project.
Contingency reserves are frequently fodder for discussion because some view them as project panaceas and others see them as a crutch for those who cannot manage effectively. These reserves are sometimes referred to as contingency allowances. Organizations should not establish universal rules for applying contingency, such as flat percentages or fixed monetary (or schedule) amounts. Instead, contingency reserves should reflect the degree of risk acceptance in a project, as well as the overall levels of risk associated with the project. Organizations may set contingency values by applying culturally acceptable metrics to the risk models (discussed in Chapter 23).
They may also set contingency reserves through negotiation with the project manager or by using the expected values of the project's quantified risks as analyzed earlier. Nonetheless, if contingency reserves are to be applied, they must reflect the realities of the project as a unique effort toward a specific objective, thus requiring a specific level of risk support.
The Risk Management Structure 43
Fallback plans are implemented in active acceptance to deal with managing accepted risks if the contingency plans are insufficient. Fallback plans represent the safety net that ensures the entire project will not collapse in failure.
Selecting the proper strategy may require project managers to identify specific strategies for each risk. It may also require that managers identify single strategies that may apply to a broader subset of risks or to common causes. A popular tool for identifying such opportunities is the risk response strategy matrix. This matrix encourages the examination of risk responses both in the context of other risks in the project as well as in the context of the other risk responses. The risk response strategy matrix is examined in Chapter 26.
Ideally, the project team that has completed risk response planning will have established a contingency reserve for the necessary funds and time to deal with project risk. They will have an adjusted WBS that reflects issues that surfaced during risk response analysis and incorporates any new activity the strategies require. They also will have communicated the risks, risk strategies, and any residual (or leftover) risks to the management team to ensure there is buy-in on the approach. Moreover, they will have contractual agreements to support any deflection or transference. As a by-product, there is also the possibility that new risks will arise as a result of the new strategies. Those new risks should be examined using the same process as the earlier risks (identification, qualification, quantification, and response planning), as appropriate.
Risk Monitoring and Control
After risks are identified, qualified, and quantified, and clear responses are developed, those findings must be put into action. Risk monitoring and control involves implementing the risk management plan, which should be an integral part of the project plan. Two key challenges are associated with monitoring and control. The first is putting the risk plans into action and ensuring the plans are still valid. The second is generating meaningful documentation to support the process.
Implementing the risk plans should be a function of putting the project plan into action. If the project plan is in place and the risk strategies have been integrated, then the risk plans should be self-fulfilling. Ensuring that the plans are still valid, however, is not as simple. Risk monitoring involves extensive tracking of the risks and their environment. Have the plans been implemented as proposed? Were the responses as effective as anticipated? Did the project team follow organizational policy and procedure? Are the project assumptions still valid? Have risk triggers occurred? Have new external influences changed the organization's risk exposure? Have new risks surfaced?
Answers to these questions may drive radically different approaches to the project and to its risks. Alternative strategy development, reassessments, reviewing contingency plan implementation, or replanning may be essential to project survival or success.
Different tools serve the evaluation requirements of risk monitoring and control. Basic project management tools, such as earned value analysis, provide insight on the relative levels of variance and the tasks that drive the variance. Technical performance measurement (TPM) is a quality management tool that examines the performance of the organization in terms of each individual work package objective. Dubbed by some as the "earned value of quality," TPM affords insight on performance variance and the potential influences of risks that have occurred.
As the project progresses, there are risk-specific evaluations to facilitate risk control. Formal risk audits examine the project team's success at identifying risks, assessing probability, and developing appropriate strategies. The frequency of risk audits is largely determined by the duration of the project and the criticality of the deliverables involved. A project with mission-critical deliverables will, by its very nature, undergo more frequent audits than a project developed for a support mission.
Risk reviews, though less formal than risk audits, are vital nonetheless. Risk reviews allow for an examination of the risks, probabilities, impacts, and strategies, largely to determine if supplemental action or review will be required. As with audits, the criticality of the project and its duration determine in large part the frequency of such reviews.
The challenge is dealing with risk events as they occur. Flaws in carefully structured plans become evident when those plans are implemented. Some strategies work very effectively; others prove far less effective. Thus, it often becomes necessary to begin the cycle anew, which involves either reconsidering risk responses or probing even further back in the process to reevaluate identified risks.
However, the process cannot possibly manage all risks. Some risks will occur without having been preemptively identified. Those that do will be managed "on the fly" without careful consideration and review. Workarounds, or unplanned responses to negative risk events, are a project team's last chance to deal with such problems: they are reactive rather than proactive and rarely have the level of support that well-considered risk responses do. Because workarounds are developed without a long-term planning window, they are also frequently more costly or time-consuming. In essence, workarounds are contingency plans without the planning.
As risk control and monitoring are applied, data are generated. Responses succeed and fail. Some risks materialize and some do not. Probabilities shift and time alters impact values. These changes may drive changes in the organization's existing risk identification checklists and should also be captured in a risk database along with any new information.
Such a database need not rely exclusively on database tools such as Microsoft Access or FoxPro but may be catalogued in the project management software with the project plan. As discussed earlier, text and number fields in the project management software can be used to support risk identification as follows:
Task Name | Text 12 | Number 12 | Number 13 | Number 14 | Number 15
Renamed, the fields take on a different look and now support the project:
WBS | Task Name | Risk Event | Probability | Impact | Overall Risk | Priority
- | - | - | - | - | - | -
This same approach can also augment risk response information and the effectiveness of the strategies deployed:
Renamed, the fields take on a different look and now support the project:
As with the earlier example, retention of this information with the project plan significantly increases the probability that others will reuse this information as the project plan is appropriated for use on other, similar efforts. Risk strategies and their outcomes are critical elements of an organization's intellectual property. Failure to properly store them in an accessible fashion is to diminish the value of the project and the project team in their contributions to technical capital.
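The following is an added example, not from the book or any project management product, showing how the renamed register fields (Risk Event, Probability, Impact, Overall Risk, Priority) can be computed and how the expected values of the quantified risks roll up into a contingency reserve, as described under active acceptance above. It assumes impact is expressed as a cost figure, uses a constructed three-risk register, and maps records back to hypothetical generic field names (Text 12, Number 12 through Number 15) in the pattern the chapter shows.

```python
from dataclasses import dataclass, field


@dataclass
class RiskRecord:
    """One row of the risk register kept alongside the project plan."""
    wbs: str
    task_name: str
    risk_event: str
    probability: float   # likelihood of occurrence, 0.0 to 1.0
    impact: float        # assumed here to be cost if the risk occurs
    overall_risk: float = field(init=False)   # expected value: probability x impact
    priority: int = field(init=False, default=0)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must lie between 0 and 1")
        if self.impact < 0:
            raise ValueError("impact cannot be negative")
        self.overall_risk = round(self.probability * self.impact, 2)


def prioritize(register):
    """Rank risks by overall risk (highest first) and stamp the rank on each record."""
    ordered = sorted(register, key=lambda r: r.overall_risk, reverse=True)
    for rank, record in enumerate(ordered, start=1):
        record.priority = rank
    return ordered


def contingency_reserve(register):
    """Reserve sized from the expected values of the quantified risks, not a flat percentage."""
    return round(sum(r.overall_risk for r in register), 2)


def to_software_fields(record):
    """Map a record onto hypothetical generic text/number fields of scheduling software."""
    return {
        "Task Name": record.task_name,
        "Text 12": record.risk_event,
        "Number 12": record.probability,
        "Number 13": record.impact,
        "Number 14": record.overall_risk,
        "Number 15": record.priority,
    }


# Constructed sample register; WBS codes and figures are illustrative only.
CONSTRUCTED_REGISTER = [
    RiskRecord("1.2.1", "Install firewall cluster", "Vendor ships hardware late", 0.30, 20000.0),
    RiskRecord("1.3.2", "Harden servers", "Key engineer unavailable", 0.10, 50000.0),
    RiskRecord("1.4.1", "Penetration test", "Critical findings force rework", 0.50, 8000.0),
]
```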
Summary
- Risk planning is the development of organizational and project-specific infrastructure to support the risk planning and management processes.
- Risk identification is the process of identifying project risks.
- Risk qualification is the process of sorting risks by general probability and impact terms to facilitate analysis of the most critical risks.
- Risk quantification is the process of quantifying risks against a well-defined rating scheme and honing that quantification to assess overall project impact.
- Risk response planning involves evaluating and refining risk mitigation strategies.
- Risk monitoring and control is the implementation of those strategies and the evaluation and recording thereof.
- Risk management is a continual process throughout any project.