Sunday, 4 September 2016

Risk Management

Introduction
As promised in my earlier post, I will discuss Risk Management in detail in this post. Let me start by defining what we mean by a Risk:
“A Risk is any event that, if it happens, can have a significant influence on execution”.
  • "If it happens" amounts to the probability of happening: the event may or may not happen, but there is a likelihood of it happening.
  • "Influence" amounts to the impact on the execution.


Thus, a Risk has two parameters – Probability and Impact.
A note here: by the CMMI Institute’s definition of a Risk, the Impact is negative, while by the PMI definition of a Risk, the Impact can be either negative or positive.

In this blog, I go by the CMMI Institute’s definition: if there is a Risk, it can have a negative impact if it occurs. I do so for two reasons:
1. World renowned CMMI Lead Appraisers abide by this definition.
2. Several organizations that I guided for quality implementation and sustenance successfully managed their projects with Risk Management following this Risk definition.

Risk – An example –
With this introduction, we will get into the Risk Management activities.

Risk Management Activities
Risk Management involves the following activities –
1.   Identifying Risks
2.   Assessing Risks
3.   Planning Risk Mitigation
4.   Planning Risk Contingency
5.   Monitoring Risks

1.   Identifying Risks
This is the most important and necessary activity in Risk Management. It is an ongoing activity, not a one-time activity. When you identify a Risk, record its statement as an event that may happen, not as a certainty or a past occurrence. For example:
  • The incessant rains may damage crops.
  • The peak rainfall may cause a flood.

These are valid statements of Risks, whereas the following are not. The first describes an event that has already happened and the second states a certainty, so neither expresses a likelihood.
  • The incessant rains damaged crops.
  • The peak rainfall will cause a flood.


It is recommended to maintain a Risk database that records earlier Risks and unforeseen events. It serves as a ready reckoner for identifying the Risks in a particular field.

It is important to record the identified Risks, preferably in a tracker to facilitate monitoring.

2.   Assessing Risks
Once a Risk is identified, it needs to be assessed. You need to determine the two parameters of the Risk: the probability of occurrence of the Risk and the extent of the impact if the Risk occurs.

I have suggested, and found practical, the following quantification of Risks:
  • Probability – an integer on a scale of 1-5 (1-Lowest, 5-Highest)
  • Impact – an integer on a scale of 1-5 (1-Lowest, 5-Highest)

A third parameter, Risk Exposure is obtained from these two –
Risk Exposure = Probability*Impact
Thus, Risk Exposure would be an integer in the Scale of 1-25.

The next step is to compare the Risk Exposure to the Risk Exposure Threshold.
The Risk Exposure Threshold can be defined at an organization level, a business unit level or a project level.
  • If the Risk Exposure of a Risk is more than the Risk Exposure Threshold, then you need to plan Risk Mitigation and Risk Contingency (steps 3 and 4 given below).
  • Otherwise, proceed to step 5, skipping steps 3 and 4.
This comparison is required because it is not cost effective to plan mitigation or contingency for every Risk identified, unless it is of significant magnitude.

3.   Planning Risk Mitigation
A plan to mitigate a Risk aims at decreasing the probability of occurrence of the Risk.
E.g. Mitigation Plan for the Risk given in the example above.

4.   Planning Risk Contingency
A contingency plan for a Risk aims at decreasing the impact of the Risk if it occurs.
E.g. Contingency Plan for the Risk given in the example above.

5.   Monitoring Risks
Risk monitoring involves the following tasks –
  • Tracking the status (open/closed) of the Risks. A Risk that is no longer valid, or a Risk that has already happened and will not repeat in the near future, can be closed.
  • Noticing symptoms of the occurrence of the identified Risks so that action can be taken at the appropriate time. Everyone involved in the work can contribute to this task, as anyone can pick up on the symptoms. Hence, it is a good practice to discuss Risks in group meetings.
  • Executing Risk mitigation plans when required.
  • Executing Risk contingency plans when required.
  • Identifying Risks from time to time.
  • Contributing identified Risks to the Risk database.


