Risk Management activities include documenting and identifying project risks; analysis, assessment, and prioritization of those project risks; and laying out plans to implement actions to reduce the project risks throughout the project’s life cycle. Risk Management planning provides a control mechanism to monitor, report, and direct all risk mitigation activities. Risk management is initiated during the System Concept Development Phase and continues through all subsequent phases.
- Risk Identification
Risk is an undesirable situation or circumstance, which has both a probability of occurring and a potential consequence to project success. Risk has an impact on cost, schedule, and performance. Risk identification is the process of identifying uncertainty within all aspects of a project. In other words, what might go wrong and what happens if it does. For most information system projects, these risks may be grouped in the following categories:
What are the categories of risks to information system projects?
- Risk associated with creating a new capability or capacity
- Risk associated with implementing, operating, and maintaining a new capability
- Risk caused by events outside the project’s control, such as public law changes
- Cost and Schedule. Risk where cost or schedule estimates are inaccurate or planned efficiencies are not realized
Risks should be identified continuously by project participants (at all levels) and the project management team should capture these risks in definitive statements of probability and impact. Lessons learned from previous projects may be a significant source for identifying potential risks on a new project.
- Risk Analysis
Risk Analysis quantifies the identified risks and conducts detailed sensitivity studies of the most critical variables involved. The outcome of these analyses may be a quantified list of probabilities of occurrence and consequences that may be combined into a single numerical score. This single score allows project risks to be prioritized.
- Risk Planning
Risk planning decides what to do about a project risk. Available actions are:
- Avoid the risk.
- Control the risk
- Assume the risk
- Transfer the risk
The action selected for each risk will depend on the project phase, the options that are available, and the resources that can be used for risk management. A majority of project activities involve tracking and controlling the project risk.
- Risk Tracking
Risk tracking involves gathering and analyzing project information that measures risk. For example, test reports, design reviews, and configuration audits are risk tracking tools used by project management to assess the technical risk of moving forward into the next life cycle phase.
- Risk Control
Risk control takes the results of risk tracking and decides what to do and then does it. For example, if a project design review shows inadequate progress in one area, the decision may be made to change technical approaches or delay the project.
3.5.1 Risk Mitigation Techniques
Risk mitigation techniques are used to control or transfer risk until an acceptable risk level is reached. The most common techniques are inherent in good management and engineering practice:
- Budget management reserve – mitigates cost risk.
- Schedule slack – mitigates schedule risk.
- Parallel development – mitigates technical risk.
- Prototyping – mitigates technical risk.
- Incentive fee and incentive-firm contract types – mitigates cost risk.
- Entrance and exit criteria for major design reviews – mitigates cost, schedule and technical risks.
3.5.2 Risk Communication
Risk information should be communicated to all levels of the project organization and to appropriate external organizations. This ensures understanding of the project risks and the planned strategies to address the risk. Risk information then feeds the decision processes within the project and should establish support within external organizations for mitigation activities. For example, an agency comptroller who understands the project risks is more likely to allow the project manager to have a management reserve within the project budget.
Communicating risk information in a clear, understandable, balanced, and useful manner is difficult. The ability to state the problem at hand clearly, concisely, and without ambiguity is essential. Ensure that the mitigation activities conveyed include alternatives, objectively stated justifications and trade off analyses. A well-planned and executed risk management program ensures the decision maker receives unbiased information – resulting in the best project decisions.
Risk is an inevitable factor in all management and development projects. However, appropriate evasive actions, and if risk does threaten the project, then damage-control techniques can be adopted to ensure survivability of the project.