What Could Go Wrong?
In my previous article on Risk Management and Assessment, I explained that risk in a project can either be a threat, as in having a potential negative impact on the project, or there can be risk events that present the potential for an opportunity to benefit the project in some respect; in both cases, good or bad, the effects will be felt in the overall performance measures of the project (schedule time/duration, cost, resources, and or scope). Furthermore, we began to cover the issue of risk identification; however, there is more to discuss in this area, especially in respect to who identifies risk, the categories of risk, and assembling these identified items in some logical manner to better managed and respond accordingly.
Who IDs, How to ID, and How to Capture?
Who identifies the risk? The same people that help identify all the Work Breakdown Structure (WBS), Project Breakdown Structure (PBS) and Work Packages (WPs) participate with the Project Manager (PM) to identify potential threats or risks to the project and product. Participants will generally include the project team, subject matter experts (SMEs), functional managers, customer/client, end users, stakeholders, and outside experts as well as the results from previous projects. Sometimes a PM might find it advantageous to assemble a risk management team specifically tasked to identify potential threats or risks to the project and recommend ways to mitigate or respond with some form of contingency.
Why do we differentiate project versus product risk? Project risk is relevant to the threats and opportunities relating to cost, time/duration, material/equipment resourcing, and project scope, needs of the decision makers and availability of human resources/workers/expertise. Product risk, on the other hand, goes directly to the product scope - the potential of threat and opportunity in regards to the design, specifications, features, functions, even the customer, client, and or sponsor's expectations.
Meetings/Problem Solving: Use your meeting management and team building skills. Tools and techniques available to you include: Brainstorming, SWOT (strength, weaknesses, opportunities, and threats) analysis, diagramming techniques, cause and effect diagrams, and system and process flow charts. This is another opportunity to bring the team together to exercise problem solving.
Identify Potential Risk Events and Their Characteristics
How do we begin this exercise in identifying project risk? Keep it simple, be realistic but not naïve. Begin with the project charter; we usually find our primary scope information, projected budget, assumptions and constraints. We will also need to rely a great deal on the WBS, PBS, WPs, and project schedule, as well as other project plan information such as product scope/description, technical information, cost estimates, resource plan, procurement data, historical project information and any other business and organizational policies. Analyze each work package to determine and identify every possible opportunity for something to go wrong. Consider the potential for risk in the following areas, both internal and external. Let's break it down like this:
Human Resource (HR) Risk: Changing staff and team members will happen; the potential of a key person to quit the job or a new untrained or unknown competency added to the project exists in any project, especially the large and long duration projects. Internal issues within the business, company or organization include: Do you have the team members and workers, with the necessary skills to perform the needed work? Is there a need for training or will there be a learning curve that will affect the progress of the project? External HR risk may also involve any outsourced contract work. Are there sufficient external work sources for the specific WP requirements? Will you need to hire consultants, contractors, day-laborers, etc.?
Don't forget to determine the primary stakeholder's (i.e. sponsor, customer, and client) tolerance or sensitivity to risk. In some cases, a primary stakeholder(s) has a laissez-faire attitude towards risk events, while another stakeholder may have a low to no tolerance to the same risk event. The lower the tolerance level is, the more control, stricter control, and greater will be the requirement on the Project Manager (PM) to coordinate and communicate risk impact reporting and ensure that decision making is done at the appropriate level of the organization.
Expendable Materials and Supplies: Do you or will you have, the right parts, at the right time, and at the right cost? Many projects require materials and supplies that are considered internal resources; things that the business uses often and may be generic expendable items. Do you have, or will you have what is needed, when it is needed? The same goes for external materials and supplies. In both internal and external cases there might be a lead time needed to order these materials and supplies.
Owned Specialized Equipment and Tools: Do you or will you have the right tools and equipment, internally and externally sourced, at the right time and at the right cost?
Outsourced Equipment and Tools: Leased, Rented, or Borrowed Specialized Equipment and Tools: Do you or will you have the right tools and equipment, internally and externally sourced, at the right time and at the right cost?
Additional Items to consider are contract types, cost, schedule, and environmental factors such as the impact of weather, politics, and social considerations, quality such as risks to the product scope in terms of deliverables, specific features and functions, and anything contained in the details Design and Specifications Documents.
Things do change as we all know. First of all, know that risk identification is not a one-time activity: after the initial risk identification meeting, risk updates should be included in every project status and performance meeting. While identifying the risk events, determine the triggers and warning signs that indicate if and when a risk item is to come to fruition. I'll cover more on triggers, probabilities, and documenting risk in the next few articles.