Risk Management

Deniss Kumlander

Risk Management Principles.

Sources of Risk.

Risk Management Approaches.

Risk Identification and Analysis.

Setting Priorities.

Risk Action Planning.

Risk Tracking and Control

Summary

 

There are risks in every project, and the biggest mistake you can make is to ignore them and hope they’ll go away by themselves.

Defining Risk Management

Risk is the possibility of some sort of loss, and the only way to avoid risk is to do nothing. There are all sorts of risks involved in any project, and that’s why risk management is so important.

Proactive risk management is a way of dealing with problems before they happen. This involves implementing strategies that determine what risks are involved in a project, whether they’re important and how to deal with them. It is a five-step process, comprised of:

  1. Risk identification
  2. Risk analysis
  3. Risk action planning
  4. Risk tracking
  5. Risk control

The issue of environment is crucial to good risk management. Strategies can be employed to deal with these potential problems only by having an environment where everyone involved in a project feels comfortable discussing risk.

Risk Management Principles

The first, and most important, thing to remember about risk management is that risk is the possibility, and not the certainty, of loss. Though it’s common for project teams to consider risks to be something negative, taking risks is important to progress. Risk allows you to see where pitfalls may lie ahead, and manage them before they become a major issue and result in loss.

Once you can see where the possibility of loss exists, you can take action to eliminate it or deal with the problems once they’ve happened. The major principle of risk management is dealing with the risk, and thereby lowering the odds that a loss will result.

Sources of Risk

There are a number of sources of risk for every project. The source of a risk is an object, person, or structure that provides the possibility of loss. It is important to identify the sources of risk related to your particular project, so they can be properly addressed and you don’t have to deal with the consequences.

A risk source is made up of two components: risk factor category and risk factor. The risk factor category breaks the project into small groups, each of which contains individual risk factors. The risk factor categories could be the following:

The risk factor is the final component of a risk source that is used to identify the risk. As we’ll see later, this can include such things as size of the project, availability of facilities, project fit, governmental regulations, and political influences.

Unfortunately, there is no simple list of risks and sources to memorize. What may be significant to one project may not necessarily be the case on other projects.

One of the most common risk sources involved in any project is scheduling, which is usually limited. As such, a schedule has an extensive list of risks associated with it, including the following:

It is important to address these risks early in a project. As the project progresses, the schedule should be reassessed. The worst thing you can do when readjusting an overly optimistic schedule is to readjust it with great optimism. Remember to be realistic!

Budgets are another common source of risk, and also have a number of risks associated with them:

As with other risk sources, risks associated with budgets and costs should be reassessed throughout the life of a project. Besides, it is often the case that other areas of a project (such as features) are traded off to keep within the original budget.

It is vital that everyone working on a project understands the mission and goals. The primary risk is that project members don’t understand what they are working on or hoping to achieve. The process of a project should be based on milestones. A common risk of missions and goals is that they are written in difficult-to-understand words.

Project characteristics are also a source of risk. Again, the problem is cryptic language and unclear wording in specifications. If developers don’t understand what features are being asked for, it can lead to problems. If an Exit function needs to be added under the File menu, say that! Don’t ask for a “text-based feature to terminate said application and remove binary data from memory.”

The most common risk for project characteristics is change. Customers or end users suddenly realize that certain features must be added. External environments, such as government regulations, law or technical standards, can also require changes in the project and then you will have to change certain characteristics to meet these changes.

Personnel are also usually not fully considered in risk management. Issues such as morale, relationships, and teamwork are often missed when identifying risks. These three areas relate to productivity or could slow down the decision-making process. Besides, there are more risks connected to personnel:

  1. Hiring. Hiring personnel takes longer than originally expected.
  2. Work habits. Personnel are working slower than expected, or doing things that are affecting the productivity of other team members.
  3. Availability. Certain personnel are available only on a part-time basis, tied up with other projects, or personnel leave the project before it’s completed.

Other people-orientated risk sources are customers and end users. Customers and end users aren’t necessarily the same. Customers pay for the product, while end users are the people who actually use a product. The customer may approve a product, while the end user may decide that it isn’t satisfactory. Other risks related to these sources include the following:

Once you’ve worked on a computer for any length of time, you realize that technology also is a source of risks. Networks go down and system requirements must be met before updated development suites can be installed.

Over the last few years, the development environment has been recognized as a risk source. If the environment is comfortable then productivity will improve. It is difficult to do good work if facilities are noisy, uncomfortable or crowded. Other risks of the development environment include facilities not being ready when the project begins, like no desks, chairs, working phones, or computers. The development environment also holds the risks of development tools not working as expected, or being chosen because they are cheap rather than functional.

The company’s operational environment and organizational management are two risk sources that are often out of your control. Unfortunately, you can only add these risks into the project’s overall plans and try to work around them.

Risk Management Approaches

There are basically two approaches to risk management: proactive and reactive. Proactive risk management deals with risks before they become problems that result in loss. Reactive risk management deals with risks after they’ve occurred.

Proactive risk management requires implementing a plan to manage risks. The process used in this case must be measurable and repeatable. The proactive risk management model is basically a five-step process.

One approach to proactive risk management is elimination of risk sources and factors. Unfortunately this isn’t possible in a number of cases. For example, if you’re having a problem with upper levels of organizational management, you can’t make personnel changes at that level. However, let’s say you identify contractors as a risk source and you’ve found a particular contractor to have slow performance, or not deliver what’s expected. You are able to eliminate the risk source by either not hiring that particular problem contractor or by developing the entire product internally.

Risk is viewed as possible opportunity since opportunities come with risk. The sources of risks are evaluated, and used as a means rather than an end. For example, if it is known that the development environment won’t be ready immediately, this gives developers the opportunity to work on other projects until it is ready. By evaluating risk sources and risks effectively, you can use risks to your advantage.

Preventing risk is the transition between the reactive and proactive approaches to risk management. During the planning stages of a project, a project team identifies risks in a project, and keeps them from occurring.

You’ve probably heard the phrase “there’s no point closing the barn door after the horses have run away!” This essentially captures the spirit of reactive risk management. Reactive risk management reacts to the consequences of risk. This may involve fixing problems, assigning additional resources and so forth.

The Components of a Risk Statement

Risk statements are used to describe the risks involved in a project. This includes not only the symptoms of a risk, but also what the result of the risk could be. In creating a risk statement, you are identifying and analyzing risk. Risk analysis evaluates the impact of the identified risks and considers alternatives to factors causing the risk.

Risk Identification and Analysis

The first step in the risk management process, and in creating a risk statement, is identification. Risk identification involves project members and stakeholders following a series of steps, which result in the identification and ranking of risk factors. This involves the following:

When this is done, a risk statement is developed, and the risk is entered on a master list.

A risk factor chart is used to determine whether a risk should be considered high, medium, or low. Though called a chart, it is actually a table used to document risk factors in a project.

| Risk Factor | Low-Risk Cue | Medium-Risk Cue | High-Risk Cue |
| --- | --- | --- | --- |
| Hiring | Taking longer than expected. | Some unqualified people are being hired, and will require additional training. | Personnel department’s union may strike, and no hiring will take place. |
| Key Personnel | Three are tied up with another project, and will join a week into the project. | Two are available only part-time. | Two will not be available until late in the project. |

When ranking risks, you need to view the risk in the context of the current project. Just because you found a risk factor to be high ranking in a previous project, doesn’t mean it rates as high on the current project.

Once risks have been identified, the second step of the proactive risk management process is to analyze them. Analysis takes the raw data and converts it into information used in decision making. Analysis determines which risks the project members should work on. It is pointless to work on risks that are unlikely to occur, or have little or no impact on a project.

So, two factors are important: risk probability and risk impact. Risk probability is the likelihood of events occurring, while risk impact is the amount of loss that could result.

Risk probability is usually indicated by a numerical value between 0 and 1. It is often more subjective than scientific since it is difficult to accurately predict.

There are several methods that a team can use to estimate risk probability. One that is commonly used is having the person who is most familiar with the area of risk provide an estimate. Other members of the team then discuss this. Another common method is through group consensus. Each member provides an estimate on their own, along with the logic and reasons behind the estimate. After discussion, they re-evaluate their work, and so forth, until they come to a consensus.

Risk impact is the second factor involved in risk analysis. It measures the size of loss. It is measured in currency for risks with a financial impact, in time increments (days and weeks) for risks with a time impact, and so on. By using a scale of 1 to 5, you can show the seriousness of the impact. High values are used to indicate high losses.

Risk exposure and risk impact are often used synonymously. This is because the size of loss is incorporated into the risk exposure. Risk exposure is used to balance the likelihood of an actual loss with the magnitude of the potential loss.

Risk potential * size of loss = risk exposure

Risk exposure is equal to the size of loss multiplied by the risk potential estimate. In finding the risk exposure of risks in a project, a risk assessment table is used. To understand how this works, let’s go through this example. If you estimated that there is a 25% chance that facilities wouldn’t be available on time, and the size of loss could be 4 weeks, then you have a risk exposure of 1 week. Once you’ve gotten this estimate, you would incorporate an extra week into your schedule, so that the risk you’re exposed to won’t affect the overall schedule.

| Risk | Probability of Loss | Size of Loss (Weeks) | Risk Exposure (Weeks) |
| --- | --- | --- | --- |
| Facilities won’t be ready on time | 25% | 4 | 1 |
| Amount of paperwork is excessive, and may impact progress | 43% | 1 | 0.43 |

Table 2: Risk Assessment Table

Once these steps have been completed, you are ready to prepare the risk statement. The following must appear in the risk statement, or it will not be complete:

  1. Source of a risk
  2. Risk(s) associated with the source
  3. Expected result

Setting Priorities

Priorities are often set by the risk exposure figure on a risk assessment table. By ranking the risks by this figure, you are then able to create a Top 10 Risk List.

A Top 10 Risk List helps you to show which risks are the highest priority in a project, so you can determine which risks require attention. In ranking by risk exposure, it is important that all of the values representing risk impact are of the same units of measurement. This means that each of the size of loss values is, for example, either in weeks, dollars, or levels of impact (such as a scale of 1 to 5 for comparing different risks).

The Risk Management Process

Identification and analysis are the foundation for the remaining three steps. Data from those steps is used to create an action plan to track and control the risks involved in a project.

This image illustrates how the process as a whole works.

Figure 1: The risk management process

In the identification step, we identified a list of risks. In the analysis step, the impact of the identified risks was evaluated, as well as alternatives to what is causing the risk. The risk statement and Top 10 Risk List created from these first two steps are then used at the remaining steps.

The third step of the risk management process is risk action planning. In this step, the data is transformed into meaningful information, which is used to generate strategies to deal with the risk.

The fourth step in this process is tracking. Just because strategies have been developed, doesn’t necessarily mean that they will work. As such, it is important that the status of risks is monitored, as are the actions taken to prevent loss.

The final step is control. This step requires the team to control risk action plans, correct the plan if necessary, and make improvements to the risk management process.

The process of proactive risk management requires risks to be assessed continuously. Risks are carried forward from one phase to the next, and dealt with until they are resolved or become actual problems. When they become a problem, they are then handled with reactive risk management.

Risk Action Planning

The third step of the risk management process is risk action planning. This takes the information gathered in the previous steps, and transforms it into decisions and actions.

There are four possible methods to deal with a risk:

  1. Research
  2. Acceptance
  3. Avoidance
  4. Management

Research is performed when there isn’t enough information currently available. It is important to always consider whether additional analysis is required, so that the wrong action isn’t taken.

Acceptance is when you’re willing to live with what you’ve got. No further action is needed.

Avoidance is the final area of risk action planning. You are removing risks without changing the project itself. For example, if you are unfamiliar or uncomfortable dealing with certain features of a software product, you could contract out that area to another firm.

Management means that the team should determine if they can do anything to minimize the risk’s impact should it actually occur. There are three goals to risk management:

  1. Reduce the probability that the risk will actually occur.
  2. Reduce the loss that could result from the risk.
  3. Change the consequences associated with the risk.

Achieving the goals of managing risks involves creating and implementing strategies and contingency plans to deal with the problem. In managing specific risks, there are a number of strategies available.

When luck, the budget, and upper management are with you, you can reduce risks by putting more resources into the project. If there is a risk that the schedule won’t be met, you can hire more people, and get more desks, chairs, and computers into the office space. Unfortunately, this may not be the case in many projects if the budget is tight.

In cases where the risk is out of the team’s control or can’t be resolved, a workaround should be found to reduce risks. If the program has a bug that can’t be resolved by a certain date, let upper management and marketing know about it. This keeps everyone outside the project team from being surprised when the problem occurs. After release, a bug fix or patch for the problem can be released, and/or it can be resolved in the next version of the program.

Sometimes you can transfer the risk from one area of a project to another, which thereby minimizes the risk. For example, you can move a feature from the client executable to a separate component or the server part. If you are unfamiliar with an activity in a project, you can transfer the risk by subcontracting part of the project to someone with more experience. While there are risks involved with contracting work out, the risks involved are less than those of allowing unqualified people to perform work they know little or nothing about.

It is important to document all of this information so that you can refer to it throughout the project and use it in later steps in the risk management process. The following information should appear on a risk action form:

Risk Tracking and Control

Once the plan has been put into action, it needs to be monitored and adjusted. This is where the last two steps of proactive risk management come into play.

The fourth step in the risk management process is risk tracking. Risk tracking watches events as a result of the action plan and determines whether the plan is successful or not.

Part of risk tracking involves updates and assessments of the Top 10 Risk List. By reviewing this list on a weekly basis, you will be able to see if certain risks have gone down or up in rank. At the very least, this list should be evaluated monthly or when a milestone has been reached. While an initial Top 10 Risk List will simply have ten items ranked from highest to lowest, tracking uses the list to show an item’s previous ranking and its current ranking. This allows the team to see where risks are being dealt with successfully, and which risks are getting worse, and may need serious re-evaluation.

| Risk | Progress | This Week | Last Week | Weeks on List | Number of Times in Top 10 |
| --- | --- | --- | --- | --- | --- |
| Development tools late in delivery | Two of three updated development tools have been delivered | 1 | 3 | 5 | 2 |
| Redesign required | Design is currently being redesigned; proceeding at good pace | 2 | 6 | 7 | 1 |

Table 4: Top 10 Risk List

In creating a Top 10 Risk List, it is advisable to keep track of the number of times a risk has appeared in the Top 10. If its ranking has fluctuated repeatedly, and appeared in the listing numerous times, then it could be an indication that the action plan isn’t working as well as it could.
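The ranking described under Setting Priorities and the weekly tracking columns described above can be computed together. The following Python sketch is an added example, not part of the original article. The function names, the sample weeks, and the reading of "Number of Times in Top 10" as the number of separate entries onto the list are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood of loss, between 0 and 1
    loss: float         # size of loss
    unit: str           # unit of the loss figure, e.g. "weeks"

    @property
    def exposure(self) -> float:
        # Risk potential * size of loss = risk exposure
        return self.probability * self.loss


def top_risks(risks, top_n=10):
    """Rank one week's assessment by exposure, highest first; return names."""
    units = {r.unit for r in risks}
    if len(units) > 1:
        # Exposures in weeks and in dollars cannot be compared on one list.
        raise ValueError(f"mixed loss units: {sorted(units)}")
    for r in risks:
        if not 0.0 <= r.probability <= 1.0:
            raise ValueError(f"probability out of range for {r.name!r}")
    ordered = sorted(risks, key=lambda r: (-r.exposure, r.name))
    return [r.name for r in ordered[:top_n]]


def track(weekly_lists):
    """Build tracking rows for the newest list in weekly_lists (oldest first)."""
    current = weekly_lists[-1]
    previous = weekly_lists[-2] if len(weekly_lists) > 1 else []
    rows = []
    for rank, name in enumerate(current, start=1):
        on_list = [name in week for week in weekly_lists]
        # Assumption: "times in Top 10" counts separate entries onto the list.
        entries = sum(1 for i, on in enumerate(on_list)
                      if on and (i == 0 or not on_list[i - 1]))
        rows.append({
            "risk": name,
            "this_week": rank,
            "last_week": previous.index(name) + 1 if name in previous else None,
            "weeks_on_list": sum(on_list),
            "times_in_top": entries,
        })
    return rows


def week(tools_probability):
    # Constructed sample assessment; only the tools estimate changes weekly.
    return [
        Risk("Facilities won't be ready on time", 0.25, 4, "weeks"),
        Risk("Amount of paperwork is excessive", 0.43, 1, "weeks"),
        Risk("Development tools late in delivery", tools_probability, 3, "weeks"),
    ]


# Three constructed weeks, list length cut to 2 so movement is visible.
HISTORY = [top_risks(week(p), top_n=2) for p in (0.5, 0.1, 0.6)]

if __name__ == "__main__":
    for row in track(HISTORY):
        print(row)
```

In the constructed history the tools risk drops off the list in the second week and returns at rank 1 in the third, so it shows two entries in two weeks on the list, the fluctuation pattern that suggests its action plan is not holding.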

The final step of the proactive risk management process is risk control. This involves responding to triggers that indicate a plan is failing or has failed, making corrections in the initial risk action plan, and making improvements to the process of risk management.

It is important to remember that no matter how good your plans are, or how well things should work, success in risk management always depends on how well people perform in risk management.

Summary

Risk is the possibility of a loss. To increase your odds that risks don’t result in a loss of some sort, risk management is used. Risk management involves identifying, addressing, and possibly eliminating the sources of risk. It is an environment and discipline of proactive decisions and actions.

Risks are inherent to any project, and it is important to identify risk sources and their associated risks so they can be dealt with accordingly. There is no standard set of risk sources on a project, so what may be a major risk source on one project may not be an issue on other projects. As such, you need to identify and analyze the risk sources for each individual project.

Proactive risk management involves five steps that work together in dealing with risks before they result in loss. These steps consist of identification, analysis, risk action planning, tracking, and control. Together they deal with risks before they become an actual problem.