Risk Management: A Discussion

Having spent over 20 years in project management I have had the opportunity to determine risk in my projects many times over. In some companies I have worked for risk would be identified, analyzed, and a mitigation plan would be created. The risks would be carefully watched and acted upon should it become an issue. Other companies would allude to risks, even list them, but stop there with no further attention. They figured they had covered their bases and need not do any more. As Verzuh points out, risk management needs to be systematically approached (Verzuh, 2012). If a lackadaisical approach is taken it will show when a risk becomes an issue and there is no plan in place to handle that risk.

Risk Management is Beneficial
Risk management is used to diminish possible threats to your project. One project contract I worked was for Uline, Inc. out of Pleasant Prairie, WI. Uline is a distributor of shipping products. They supply everything from bubble wrap to boxes. They create a huge catalog that is mailed to over 30 million customers in North America twice a year. Their eCommerce website looks just like the catalog. It looks that way because the owner, Liz Uihlein insists on it. In fact, I was told it was near impossible to get her to change that look. Uline does over $3 billion in revenue per year, 54% comes from online sales.

I was tasked with developing a project plan for redesigning the UX for their eCommerce site. Upper management had gotten permission from Mrs. Uihlein to remove a left side column that had been used for advertising. This meant a major restructuring of the site. The management team also knew they needed to develop a detailed plan to manage this project successfully.

One of the first tasks I worked on in creating this project plan was discussing the importance of defining risk. What I try to point out to my team is that risk is not as painful a process as they believed. Verzuh points out that the easy risks are the ones we know. He called these known unknowns because we know they’re potential problems, we just don’t know if or when they will occur (Verzuh, 2012). With Uline we had plenty of known unknowns. Verzuh also points out the unknown unknowns, those problems that happen unexpectedly (Verzuh, 2012). In Uline’s case there were no unknown unknowns, but I wanted to plan for them so we would be prepared in case something happened, which inevitably it does.

Creating a List
Planning is a great source for determining potential risk in your project. As requirements are gathered you begin to create a Functional Requirements Document (FRD) based on the Business Requirements Document (BRD) (Westland, 2006). Creating these documents involves many resources such as technical leads, systems architects, UX designers, Business Systems Analyst (BSA) and Business Analyst (BA) as well as subject matter experts from the business.

You can do all the brainstorming sessions you want, but from my experience nothing brings out potential risks more than determining what functionality is needed to create the business requirement. Verzuh even points out that detailed planning is an opportunity to discover risks (Verzuh, 2011). In these documents we describe what the system is supposed to do, how it is supposed to work. We begin to identify what capabilities are needed to meet those requirements.  We start to create the work breakdown structure (WBS) that defines each of the tasks required to accomplish the requirement. We create the WBS dictionary that describes the work, the assumptions and constraints in great detail (PMBOK, 2013).

Other documents we used to gather input from included the Scope document, the Charter, the project schedule, the stakeholder register, the quality management plan as well as activity cost and duration estimates (PMBOK, 2013).

As the requirements, scope definition documents, WBS, and other project data started to take shape, we began to develop a list of specific issues, concerns, and risks related to the scope and deliverables of the project. It was here that we started to identify and catalog those risks using a risk register. We developed a series of questions that helped us to further identify risks called a Risk Profile:
•    How many teams work on a given task from start to finish?
•    How much time do they devote to each task?
•    How does the task get passed over to the next team?
•    Is there a method for tracking each web page?
•    How does each web page get approved?

These were just some of the questions we asked, but from these questions we could identify potential risks; bottlenecks in the system for instance, that could cause the progress of the project to slow down.
A good risk profile is industry and organization specific, and according to Verzuh, it should address both product and management risks (Verzuh, 2012). One major specific concern to the organization of Uline was the time it took to complete tasks due to its cumbersome work/approval process. We determined that a web page from start to finish was touched by no less the 34 hands plus 10 approvers. The company had never put into place any mechanism for tracking where in the process a given page was at any given moment. A common complaint was trying to locate who had a page, who was supposed to get it next, and if it had been approved.

Ranking the Risks
As we developed the WBS we identified many risks, and while developing the WBS we would analyze each of those risks. The team would assign a probability to each risk, asking how likely it was that this risk would occur?  We entered this information into a Risk and Impact Matrix which helped us to categorize the risks from highest potential to lowest potential. By ranking the risks we were able to determine which risks we needed to concentrate on first and which ones could wait till we learned more from requirements definition. This helped to save time and we could concentrate on the crucial risks for developing our response in the event that risk turned into an issue. Mitigation plans were developed for those risks with the highest probability of occuring. PMBOK (2013) describes this process of prioritizing risks for further analysis as quantitative analysis.  We didn’t get real fancy about it. We used a simple numbering system with a range from 1-10 with 10 being the highest rank, to rank the risk. By definition the difference between a risk and issue is that a risk is an issue that hasn’t occurred.

Describing the Risk
So, documenting risks is crucial. But getting the team to take the time to document is the challenge. Many of the risks were initially written simply as “There is a risk that a document won’t be approved”. And the mitigation plan was: “We will monitor it”. The actual risk was that at any given moment a web page could sit on an approver’s desk for more than the planned for duration which was one day. The question was how do you hasten the process along should this event occur? Just as important: How do identify its occurrence?
In the risk register we had a column for stating/describing the risk. In this column we succinctly described the potential risk so that anyone could clearly understand what the risk was. We described the impact this could have on the project if it occurred. We identified the teams impacted by this risk. We categorized each risk by what department and the type of impact; scope, schedule, budget. Each risk was given an id number so we could easily track it.

An Example
We had identified a risk as the bottle neck that could occur in the work/approval process. We had ranked this risk as highly likely to occur. Our first risk: The approval process could be held up due to an approver not completing their task within the planned for duration. A second risk: The project not knowing the location of a web page at any given moment in the process. Our mitigation plan addressed the need for a method to identify the location of a web page at a given moment in the entire process that was available to the team and was in real time. We needed to map out the entire process from end to end. We proposed building an application that would allow handlers of the web pages to indicate that they had just passed a web page along to the next handler. The thought here is that everyone likes to get tasks off their desk but are not so willing to indicate right away that they just received the assigned document. So, the responsibility of indicating in the system was given to the passer rather than the receiver. Now it was incumbent upon the receiver to want to become a passer. That application would show where the document was, when it was received, thus how long the receiver had it in their possession. It would also allow for the page to be approved in order of approver to show all the completed approved documents had been done according to company hierarchy. Thus our mitigation plan for identifying a bottleneck minimized the chances of the risk occurring was to build an application that helped us to administer the process.

Contingency Plan
Once we had properly identified, analyzed, prioritized, created a set of preventative actions to reduce the likelihood of a risk occurring, developed a response to mitigate should a risk occur, we had to determine what the costs of our preventive actions and/or responses was going to be. In the case of creating the application for tracking a web page, it was how many hours it would take to create the application? Thus more iteration as we had to plan the applications functionality and design, we had to identify/define/mitigate the risks associated with this side project as it would be handled by a different team. Verzuh(2012) and Kendrick (2009) both point out that risk management happens repeatedly throughout the project, that risk management is truly an iterative process. Our contingency plan included money in the budget that could only be expended if the event occurred. We had to keep in mind that this was money that would be tied up for the life of the project or until the threat of the risk passed. The contingency plan also identified ways in which to adjust the schedule so as to minimize any affects to it if the risk occurs.
Contingency plans are like insurance; they’re nice to have in case something happens. Just remember they don’t come cheap. You will be tying up that money in the contingency fund for the life of the project or until the risk becomes a moot issue.

Managing the Risk
We realized early on in the planning of this project that we would need to continuously plan for risk. We knew that we needed to create a plan that not only would have a process for identifying future risk, but would also include how we would analyze it, prioritize it, categorize it, deal with it; in other words, how we manage future risks. By documenting this process you are working towards minimizing any potential unknown unknowns that could have an impact on the project. Even though we had not identified any unknown unknowns, that didn’t mean they didn’t exist. A portion of our contingency funds were just for those unknown unknowns.  We realized that if it could go wrong, it would. And in this project there was much that could go wrong.

Risk Register
As discussed earlier, we had created a risk register. This tool would be used to track our risks as the project progressed. We used the information gathered during our planning to fill out the form. Such information as the risk identifier, risk description, status, risk cause, the probability of occurring, the impact on the project should the risk become an issue, the risk score, and our response (mitigation). It included spaces for revised probabilities, impacts and scores should conditions change. The register also showed who was responsible for tracking a risk. The communication plan called for making the risk register an agenda item for each team status meeting. Making the risk register an agenda item meant the risks would be monitored closely. The object was to make sure the team was doing the planned work to minimize the effect or responded quickly to minimize any effect on the project should a risk occur.  What the responsible member of the team will be looking for is the trigger event signifying the occurrence of the risk. Once this trigger is pulled we can begin to enact the mitigation plan we have in place.

Conclusion
A number of stakeholders would rather avoid risk analysis altogether. I think a major part of a Project Managers job is to ensure the proper planning for the eventuality of a risk occurring. This is a far better reaction to a risk then avoidance. The problem here is that avoidance may mean changing the scope of the project opting instead for a less than satisfactory solution. As in investing, there is a reason why low/risk securities have a low return. Remember that the harder the risk is to detect, and the larger its impact, the greater cost required in higher contingency dollars and time. One need only imagine the cost incurred for failing to plan for risk when that risk occurs.

In Uline’s case, the biggest risk was a bottle neck being created due to the approving process. We put into place a mitigation plan to minimize the impact which would be implemented thus minimizing the impact greatly.

Risks need to be planned for. If they’re not planned for, if they’re not well thought out, and they’re not communicated to all stakeholders, then your project is doomed to failure.

References:
Kendrick, T. (2009). Identifying and managing project risk: Essential tools for failure-proofing your project. New York: AMACON.
Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK guide), fifth edition. Newtown Square, PA: Author.
Verzuh, E. (2012). The fast forward MBA in project management, fourth edition. Hoboken, NJ: John Wiley & Sons.
Westland, J. (2006). The project management life cycle: A complete step-by-step methodology for initiating, planning, executing and closing the project successfully. London: Kogan Page.