skip to: page content | links on this page | site navigation | footer (site information)

IS&T Project Management Office

IS&T PMO Home Page | IS&T Home Page | Web Mail | Estorage | Site Map
Project Request | Scope Document | Project Charter | Stakeholder Checklist | Budget Request | Go / No Go Decision Point |
WBS | Project Plan | Risk Management Plan | Change Management Plan | Cost Benefit Analysis | Go / No Go Decision Point |
Acceptance Management | Status Meetings | Status Reports |
Issues & Action Item Log | Decision Log | Go / No Go Decision Point |
Sponsor Acceptance | Project Plan Closeout | Financial Closure | Lessons Learned | Customer Survey | Project Team Recognition |
vPMO Log-on | Level5Partners | PMO Network |
HCIP | Panther / Cheetah Decommission |
subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link

Risk Management

Risk is unknown, that's why it's so risky. For the project manager and the project team, risk should be constantly reviewed and changes made to avoid unwanted risk in the project. One of the tools of a project manager is the risk assessment. By performing a risk assessment, the project team can work to identify potential risks early on and develop a strategy to deal with the risk.

Click here for an example of a Risk Analysis template.

 

Risk Analysis Header Information
Number Column Risk
Risk Level Currently Assigned
Risk Strategy Risk Plan

 

Risk Analysis

A risk, as defined by the Project Management Body of Knowledge, Third Edition, is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives" (PMBOK Guide Third edition, Glossary pg. 373). While there is risk inherent with any project, the project manager and project team should be constantly aware of any risks that will impact the successful completion of any project. Once way to accomplish this is by completing a risk analysis for any identified risk and to review risks periodically with the team.

Risk analysis is one way that the project team can identify potential problems or opportunities early so that a strategy can be developed should the event occur. A strategy does not to be completed for every indented risk, however the project team should make a decision on the level of risk that the project will support and develop a plan for every risk above that level. For instance, a project team may say that for it's project, any risk that has a medium or high impact, a risk assessment will be completed. During the risk analysis a risk plan will be developed with alternatives if the risk occurs.

Most people associate risks with an event that the project team does not want to occur with the project. There are, however,some risks that, if they occur, could have a positive outcome. These risks are called opportunities. Identification of these opportunities should also be included as part of the risk assessment and potential benefit identified.

Top of Page

Header Information

At the top of the spreadsheet you will see some basic information that you will need to provide about the project. This includes the project name, project manager and revision date. The revision date should be updated every time that there is a change to the spreadsheet. There is no need to save previous copies, as all information will be retained on the avoided page. Once a risk is avoided it is simply moved to the closed page for historical reference.

Top of Page

Number Column

While the number column may seem unimportant, it is actually very important in remaining on track. The number column should increment by one each time an new risk is added to the log. If there are gaps in the numbers, this will serve as a reminder that the risk has passed or been mitigated so that it is no longer a risk. The closed item should be moved to the second page of the spreadsheet on the closed risk list.

Top of Page

Risk

This column should include a detail description of the identified risk. If the risk arose from an identified issue, then the issue number should be included as part of the description. Be sure to include any date that may be a risk factor. The rule of thumb should be that the more information that can be provided, the better the planning that can be completed.

Top of Page

Risk Level

In determining a risk's impact to the project, there are two items to consider:

  • Impact: A risk's impact to the project identifies the time, money and resources that will need to be extended if the risk takes place. Usually this is broken down into three levels: low, medium, and high. The definition of these three levels will depend on the project and the project team. A $10,000 addition in resources may be low for a $10,000,000 project, but rate very high for a $25,000 project.
  • Likeliness: A risk's likeliness to occur is the probably of the event happening. This is rated as unlikely, likely and very likely. This rating should be uniformed among all projects.

The Georgia State University PMO uses a three by three grid to identify a risk based on these two dimensions. Along one axis includes the impact while the other axis deals with likeliness. This represents a graphical view of the risk that is easily seen by the project team members.

 

The project team will need to identify the threshold of risk that is is willing to take. Anything above this level, the team will establish a full risk plan for the event. For example, using the grid to the left, a project team may identify that any risk that has a medium or high impact AND a likely or very likely probability, will have a risk assessment completed. This means that if the red dot is in any of the darker six shaded boxes that a risk assessment will be completed.

While a project team may not need to complete a risk assessment on any risk that falls into one of the three lightest shaded boxes, the team should still review them to make sure that the risk does not escalate.

Top of Page

Currently Assigned

Every risk should be assigned to an owner who will track and report on the risk. This person will be responsible for following up and tracking the risk. The person assigned should be able to understand the risk and be able to make a recommendation to the project team on the response.

The owner of the risk may change over the course of the project. That is the reason for the currently assigned title. If a risk is changed so that it now affects a new group, make sure that the currently assigned column is updated with the new team member.

Top of Page

Risk Strategy

Once a risk has been identified, then there are several strategy options that the project team can take. The Georgia State University PMO has identified three strategies to deal with negative risks and three to deal with opportunities and one that will work with either type. The are:

  • +- Acceptance - With this strategy the project team has either decided not to alter the project to avoid the risk, or there are no alternatives to dealing with the risks. Some projects may have a contingency fund set up with the project that can be used if risk or a change occurs. This budget can then be used to accept this risk.
  • - Avoid - This strategy includes changing the project plan so that the risk can be avoided. Risks identified early on in the project will more likely be able to use this strategy. As the project progresses, the cost and time needed to avoid a risk will grow.
  • - Mitigate - Mitigation includes taking additional actions to lessen the impact that a risk may have on a project. One example would be to include an additional QA testing round before the general release. By instituting this round of testing, the chances that more issues are capture prior to public release will reduce the risk of releasing code that is faulty.
  • - Transfer - Transfer is the ability to move the risk from the project team to a third party that will own the risk and the response. This is most often done by carrying insurance or by contracting. This does not eliminate the risk for the project, it simply moves it to a third party. Usually transference increases the cost of the project as the third party request a premium to carry the liability.
  • + Exploit - Some people may see exploitation as a bad word. In this context it is simply taking full advantage of a possible opportunity for a project. While risk is uncertain, this strategy is used to make the likelihood of the risk increase so that the project team can capitalize on the results.
  • + Share - This strategy is like the transference strategy. This can be done by sharing the positive opportunities of a project with a third party. One example of a share strategy would be to form a joint venture so that the full potential of the opportunity is developed.
  • + Enhance - Enhancing is a strategy that increases the impact of an opportunity as well as the likelihood that the opportunity will happen. This will require the project team to alter the project plan to make sure that the opportunity discussed is a reality and increases the benefits of the full project.

Top of Page

Risk Plan

The risk plan is where the project team needs to identify the specific steps that will be taken to deal with the risk. This will include an elaboration of the strategy and how the team plans to implement the plan. If necessary, additional tasks will need to be added to the project plan and noted. If the plan is very lengthy, then the project manager may want to create a separate report outlining the risk in detail and the purposed solution.

Top of Page

 

About Us | Contact Us | ©2005 Georgia State University IS&T PMO