00:00:00 - The next stop on our 2.0 project planning road map is 2.8 Risk
00:00:06 - Management Plan, or the full definition from CompTIA which is
00:00:10 - very consistent, outline the components of a risk management
00:00:14 - plan. I believe risk management is one of the more complex disciplines
00:00:19 - we are going to cover in this entire Nugget series. And the reason
00:00:22 - risk management planning or risk management in general is we
00:00:26 - are trying to plan
00:00:29 - for unknowns.
00:00:34 - And therein lies the problem. If it's unknown, how can we plan
00:00:38 - for it? But we need to plan for it. We need to recognize
00:00:46 - that risks,
00:00:50 - future bad
00:00:55 - events that could
00:01:01 - impact our project.
00:01:04 - And then with a good risk management plan recognizing that risks,
00:01:08 - future, bad events could impact our project, then we need to
00:01:11 - prevent them
00:01:14 - proactively. And that's why risk management is so important because
00:01:21 - with effective risk management, we are going to prevent these
00:01:24 - bad things from happening, but we won't know if they are going
00:01:28 - to happen without a plan, but we are trying to plan for unknowns.
00:01:33 - And I'm deliberately not trying to lay this out as confusing.
00:01:38 - I hope by the time we finish this Nugget this degree of conflict
00:01:43 - of planning for unknown and preventing bad events from happening
00:01:48 - but how can we because there are unknowns, I hope all of this
00:01:52 - will become very well-known to you by the time we finish this
00:01:56 - particular Nugget on risk management plan.
00:02:00 - The disciplines of risk management planning are created straightforward.
00:02:05 - There are four steps. First, we need to identify risks.
00:02:09 - This is where we dream,
00:02:12 - use our crystal ball,
00:02:16 - and we identify
00:02:20 - those future
00:02:23 - unknown events
00:02:27 - that could affect our project.
00:02:31 - Once we have identified the risks, then we analyze them. What's
00:02:35 - the likelihood?
00:02:40 - What's the impact?
00:02:43 - And let's face it: if we dream and worry and crystal ball and
00:02:47 - identify all future events, some of these dream and worry, unknown
00:02:52 - future events could be so unlikely, so improbable, so unrelated
00:02:58 - to our project that literally we stop worrying about them, which
00:03:02 - is why we need to go through this analysis step where we understand
00:03:05 - the likelihood and the impact of the risk events, these unknown
00:03:09 - future events coming up and affecting our project. Once we do
00:03:13 - the analysis and get rid of the unlikely's and carry forward
00:03:18 - the likely's, we then move into the planning stage where we develop
00:03:22 - a strategy
00:03:25 - for dealing with the risks.
00:03:30 - And this
00:03:33 - is where we become proactive
00:03:38 - and we do our best to eliminate, to get rid of, to transfer,
00:03:43 - to change the nature of the project so that these unknown future
00:03:47 - events aren't going to impact our project. And then finally,
00:03:51 - we control for the events. In this particular Nugget, because
00:03:55 - we are still in planning mode, we are not going to discuss risk
00:03:59 - management control. We'll discuss that in a later Nugget. This
00:04:03 - Nugget is going to focus on the first three parts of risk management:
00:04:06 - identify, analyze, and plan. Develop that risk management plan
00:04:12 - so that we can be proactive with the eliminating these unknown
00:04:17 - future, potentially bad events that could cause our project to
00:04:21 - run into delivery challenges. And
00:04:24 - even before we get into that dream and worry time, we need to
00:04:28 - understand what our project's risk profile is. How much risk
00:04:33 - is the project willing to absorb? How much risk is the project
00:04:38 - willing to go forward with? Is your project risk-averse? In which
00:04:42 - case, you want
00:04:46 - no risk.
00:04:49 - In which case, we need to spend a lot of care and attention up
00:04:53 - front doing our risk identification, our risk analysis, and our
00:04:58 - risk planning because we want to eliminate, proactively remove
00:05:02 - all of the risks. Is this a neutral risk project, i.e. is this
00:05:06 - an average
00:05:10 - project? We don't want to be risk-seeking, which is the next
00:05:15 - one, but we also don't want to
00:05:18 - eliminate every last potential risk from ever happening, i.e.
00:05:22 - is this an average risk project, and we will do an average amount
00:05:27 - of risk management. And I will try to explain what these terms
00:05:31 - or what the degree of risk management is going to be. Or is this
00:05:35 - a risk-seeking project? Are we willing
00:05:40 - to accept,
00:05:43 - quote, end quote, "bad things?"
00:05:48 - And you may be saying, "Why would a project ever want to be willing
00:05:52 - to accept bad things? Bad things are going to cost project
00:05:58 - and they are going be extreme failures.
00:06:01 - So why would we ever want to say, 'Our project is risk-seeking?"
00:06:05 - realizing that when bad things happen, the projects could be
00:06:08 - fail?" Well, risk-seeking projects are what I would call R&D
00:06:13 - projects. They are breakthrough projects.
00:06:17 - They are projects where we are going to try
00:06:21 - and maybe fail.
00:06:24 - In R&D project, a breakthrough project, we've had a brilliant
00:06:29 - idea. We believe that if this project is a success, we're absolutely
00:06:34 - going to change the nature of our business. We're absolutely
00:06:37 - going to change our profitability. We're going to make some dramatic
00:06:43 - breakthrough for our organization. And if the project succeeds,
00:06:48 - it's "Yay.
00:06:52 - We have had the breakthrough. Our organization is going to be
00:06:55 - more successful." But if the project fails,
00:07:00 - well, it's, "We tried. We thought we had a good idea. Had we
00:07:05 - succeeded, we would have yay, but we didn't succeed so therefore,
00:07:10 - we tried and we failed," the proverbial Thomas Edison, "I now
00:07:14 - know one more way not to invent a light bulb." But if this is
00:07:17 - truly a risk-seeking project, our risk management plan is probably
00:07:22 - as simple as saying,
00:07:25 - "This is a risk-seeking project. We are not going to spend a
00:07:28 - lot of upfront time on risk management. We will deal with the
00:07:32 - problems as they come up. And if they can be dealt with, we will
00:07:36 - continue the project. And if the risks become insurmountable,
00:07:39 - we'll let the project, quote, end quote, "fail" because this
00:07:43 - is a risk-seeking project.
00:07:46 - More normal projects are going to be somewhere in the adverse
00:07:49 - to the neutral category. And I'm going to deal with the adverse
00:07:52 - first. This is a make-or-die
00:07:58 - project. This is not a try and fail. This project must succeed
00:08:04 - or our organization fails. The auditors have come in. They have
00:08:08 - examined our financial systems and they've determined that our
00:08:11 - financial systems are inadequate
00:08:14 - and have given us an eight-month, 12-month, whatever time for
00:08:20 - remedy is coming from the audit department, and the audit department
00:08:23 - has basically said or the external auditors have basically said,
00:08:26 - "You have eight months to turn around and rectify these problems.
00:08:31 - And if you can rectify these problems, we are going to give you
00:08:35 - a clean bill of health. But if you don't rectify these problems,
00:08:39 - we're going to write an external auditor statement that says,
00:08:41 - "We do not recommend this organization. We highly encourage all
00:08:46 - investors to stop investing in this organization." This is a
00:08:50 - make or die-type project. This project has to be risk-averse.
00:08:54 - We want no risk. We want no chances
00:08:59 - for failure.
00:09:03 - Therefore, as we are taking on the project, if we must do this
00:09:07 - in eight months,
00:09:10 - we need to ensure that we have sufficient time,
00:09:16 - we have sufficient budget,
00:09:19 - we have sufficient resources,
00:09:22 - et cetera, et cetera to absolutely guarantee.
00:09:26 - So therefore, if we must do this project in eight months, we
00:09:29 - probably should be planning on project work of let's say four
00:09:33 - months, giving ourselves 100% overrun. If this project overruns
00:09:39 - by eight months or by 100%, four months turns into eight months,
00:09:45 - and we are still going to make it. If it is a risk-averse project,
00:09:49 - we need to build schedule contingency. We need to ensure we have
00:09:53 - enough budget. If we need to hire
00:09:57 - externals, if we need to hire better tools,
00:10:05 - if we need to add more money to make the project a success, we
00:10:10 - need to make sure we have the ability to do that. We may need
00:10:14 - to dedicate
00:10:16 - higher level resources, overstaff everyone. Instead of putting
00:10:20 - a programmer on the project, we are going to put a senior programmer
00:10:23 - on the project. This is not the kind of project where we're going
00:10:26 - to put green beings and people training to grow in the position.
00:10:30 - We are going to overresource. This is risk-averse. We want no
00:10:33 - risk. We want no chances for failure.
00:10:37 - Or is this a neutral project? It's an average project. If we
00:10:41 - need to be done in eight months, well, let's say our schedule
00:10:45 - is going to be 6.5 months, leaving us 1.5 months of contingency.
00:10:52 - The budget. If this is going to be a $50,000 project, we're probably
00:10:56 - going to tell management we need to have $60,000 so that we have
00:10:59 - some room to hire externals to get better tools. In terms of
00:11:05 - resourcing, again, we may accept one or two green horns on the
00:11:09 - project, but we still need a degree of qualified resources.
00:11:14 - Once you know the risk profile, adverse, neutral, seeking, we're
00:11:19 - ready to start to go in and start to do the true work around
00:11:23 - risk management planning. So having determined that our project's
00:11:28 - risk profile is probably anything but seeking, the next step,
00:11:32 - or really, the first step in risk management is identifying the
00:11:36 - risks. We need to dream.
00:11:41 - We need to worry.
00:11:43 - We need to talk to experts.
00:11:48 - We need to blue sky.
00:11:53 - We need to identify all
00:11:56 - possible risks,
00:12:02 - the proverbial blue sky. There is no such thing as a bad risk.
00:12:06 - We identify all risks, all possible risks to the project. Where
00:12:10 - are the risks going to come from? The technology.
00:12:14 - We're using new technology. Our technology is not adequately
00:12:17 - sized. Our technology is likely to change release levels. The
00:12:21 - risk could come from the human resources. The team is inexperienced.
00:12:25 - We will not have enough resources. Resources will be pulled off
00:12:28 - our project to work on other higher priority organizational projects.
00:12:33 - There could be legislative changes. The government has told us
00:12:37 - that the changes must be done in certain time. Or there is a
00:12:40 - risk that the government is going to change, and the mandate
00:12:43 - for the project is going to change. The business itself could
00:12:46 - introduce risks. Is the business in a growth stage? Is the business
00:12:50 - in a regression stage? The competition. The competition is going
00:12:55 - to make changes that again are going to cause dynamic changes
00:12:58 - to our organization.
00:13:00 - We need to brainstorm. We need to think about other projects
00:13:04 - where we've done work of a similar nature before. We need to
00:13:08 - dream. We need to worry. We need to talk to the experts. We need
00:13:11 - the blue sky. Basically, the bottom line is we need to identify
00:13:16 - all possible risks. There is no such thing as a bad risk at this
00:13:21 - moment. In just a moment, we are going to very quickly eliminate
00:13:25 - all of the bad risks when we do our risk analysis. But the first
00:13:29 - step is to get all of the risks down on a white board, down on
00:13:33 - a piece of paper somewhere. And if we start to try to analyze
00:13:38 - the risks at this point in time, we risk limiting our creativity.
00:13:43 - Again, I often become this broken record, in the identification
00:13:48 - stage, we want to identify our risks. There is no such thing
00:13:51 - as a bad risk. Once we believe we have a complete,
00:13:56 - comprehensive, scary list,
00:14:04 - then it's time to move on to the next step, which is our analysis
00:14:08 - of these risks.
00:14:10 - So now, we are going to start to identify the bad
00:14:15 - risks and we are going to eliminate them
00:14:21 - because in identify, we probably identified hundreds,
00:14:28 - maybe even thousands of risks, depending on how much time we
00:14:31 - had to do our risk identification. But many of those risks are
00:14:35 - going to be what I would call bad risks that we need to eliminate.
00:14:39 - How do we do that? Well, the first step is we need to review
00:14:42 - and understand the risks. It's easy to say, "We're in brainstorming.
00:14:46 - Let's put the risk on the board. Let's give each risk a name,"
00:14:51 - and then stop thinking about it and go on to the next one. Now
00:14:55 - it's time to slow down, start to apply the old brain matter to
00:14:59 - it, and we need to review and understand the risks. Start to
00:15:03 - put more meat
00:15:08 - to the definition of the risk. And key is these next two steps.
00:15:12 - We need to understand the probability,
00:15:14 - what's the likelihood,
00:15:20 - and what's the impact,
00:15:22 - how serious
00:15:25 - is the risk.
00:15:27 - Once we identify the probability, and let's stick with the likelihood
00:15:32 - between 1%
00:15:34 - to 100%,
00:15:38 - and it very quickly allows us to eliminate
00:15:41 - from that hundreds and come up with a short list of maybe 20
00:15:45 - or 30. If a probability of a risk is 3%,
00:15:52 - do we believe we have time to worry about, to develop strategies
00:15:58 - to deal with a risk that only has a 3% probability of occurring?
00:16:03 - And I would suggest if the risk is in a low probability like
00:16:07 - that, probably even if this is an absolutely risk-averse project,
00:16:13 - we are going to eliminate it. If the risk is at a 99.5%
00:16:20 - probability, if we truly believe that a risk is at a 99.5%
00:16:26 - probability, I would suggest that's not a risk. That's a delivery
00:16:32 - reality. Let's stop fooling ourselves and calling it a risk.
00:16:38 - It's a delivery reality and we must
00:16:41 - deal with it immediately, and we must get it out of our project's
00:16:45 - vocabulary. So high, very high, let's say anything from 95% plus,
00:16:53 - yes, it's something we have to deal with as a project manager.
00:16:56 - We don't want to call it a risk and say, "Oh, this bad thing
00:17:00 - could happen at some point in time in the project. I'll worry
00:17:03 - about it when it comes along." If it's a 95, 96, 99.5% probability,
00:17:09 - worry about it now and get rid of it now. So somewhere between
00:17:13 - the 5%
00:17:16 - and the 95%,
00:17:18 - we're going to start assessing the probability.
00:17:21 - Where do we do our line and say, "Don't care, don't care?" Is
00:17:26 - it at 40%? Is it at 60%? This is where that profile comes in.
00:17:34 - If this is an averse,
00:17:38 - that number is probably down here maybe in the 20% range. If
00:17:42 - it's seeking,
00:17:44 - the number is way up in the 90s. As I said, risk-seeking, we
00:17:48 - probably stop risk management at that point in time. But if it's
00:17:52 - average, and I'm not saying an average project, the threshold
00:17:57 - is at 50%, but it's certainly going to be somewhere on the greater
00:18:03 - than 50% side of an average project's worrying about risks. But
00:18:09 - before we just truly eliminate our risk based on probability,
00:18:14 - we also need to understand the impact of the risk. If this risk
00:18:19 - has a 10%
00:18:21 - probability but it has an impact
00:18:25 - of $1
00:18:29 - million, we probably need to spend some time worrying about it.
00:18:32 - If the risk has a probability of 95%
00:18:37 - and an impact of.05
00:18:40 - cent we probably don't worry about it at all. It's just, "Yes,
00:18:44 - it's going to happen. It's going to cost my project.05 cent
00:18:47 - ." And I'm being a little extreme with my numbers, but just to
00:18:50 - drive home, we really need to understand the probability and
00:18:54 - the impact,
00:18:56 - and we will talk about using the probability in the impact together
00:19:00 - in something called risk ranking in a few moments. But once we
00:19:05 - review and understand the risks, understand the probability,
00:19:09 - understand the impact, that allows us to do this step, which
00:19:13 - is to determine the relevance. Is this brainstormed, blue sky
00:19:17 - risk relevant to proceed,
00:19:21 - or is this brainstormed
00:19:23 - blue sky risk something that we can be fairly high confidence
00:19:29 - that we can ignore?
00:19:31 - So next, I want to show you what I believe is a very easy way
00:19:36 - to try to weed out based on probability and the impact the risks
00:19:42 - that are relevant to our project and the risks that are not relevant.
00:19:47 - I personally find this risk graph a very, very easy tool that
00:19:51 - I can use to determine the relevance of my risks, and a lot of
00:19:55 - people will call this a Risk
00:19:58 - Ranking Matrix.
00:20:05 - So whether you call it a risk graph or a risk ranking matrix,
00:20:07 - I find it as a very effective tool. And literally, we just put
00:20:12 - impact on one axis, probability on another, rank them from low,
00:20:16 - medium, high, maybe 0 to 100%,
00:20:21 - impact from $0 to whatever the highest impact is going to be,
00:20:27 - $50,000 or whatever. I personally like to stick with a fairly
00:20:31 - low degree of specification. I prefer the low, medium, high.
00:20:36 - It's an unknown future event. What's the probability it's going
00:20:41 - to happen? Do you really believe you can sit down and say, "I
00:20:44 - can predict that this unknown future event has a 46% probability
00:20:50 - of occurrence?" I don't think so. Do you think you can sit down
00:20:54 - and say, "This unknown future event has a medium probability
00:20:59 - of occurring?" Probably yes. Same thing on impact. What's the
00:21:03 - impact? It's an unknown future. Is it really going to cost me
00:21:06 - $50,000 to deal with it? Well, I don't know but it's probably
00:21:10 - going to be pretty expensive. Anyway, the degree of the type
00:21:13 - of measurement you have on your axes is wherever your own comfort
00:21:18 - level is going to reside.
00:21:21 - We develop the graph. We apply our risk profile. This is a risk-averse
00:21:28 - project. We're probably going to put our threshold
00:21:32 - right down there somewhere. Only these few risks that are going
00:21:36 - to be in the halfway up the medium impact, halfway up the probability,
00:21:41 - and lower are going to be ignored. And everything else is going
00:21:46 - to be of relevance to the project. If this is an average project,
00:21:53 - so this is an adverse,
00:21:56 - this is an average,
00:21:59 - and this obviously is a seeking.
00:22:04 - Now, I'm your individual project. You're not going to draw the
00:22:07 - three lines. You're simply going to say, "Based on my risk profile,
00:22:11 - I care about only the risks that are going to be in
00:22:17 - these quadrants," for example. Or, "For my risk profile, I care
00:22:21 - about the risks that are going to be in this quadrant," or whatever
00:22:25 - again is going to match the profile for your project. And then
00:22:29 - you simply start plotting your risks onto the graph. Now, you're
00:22:35 - not going to put the whole name under the graph, but you're going
00:22:37 - to say, "Risk #1 has a fairly high medium probability and has
00:22:45 - is a very high medium impact," so you're going to put risk #1
00:22:50 - right there. Risk #2 is a very average probability, very average
00:22:56 - impact, so you're going to put risk #2 there. Risk #3 has a very
00:23:01 - high probability but a relatively low impact, so you're going
00:23:06 - to put it there. And again, you're just going to plot, roughly
00:23:11 - plot. This is not scientific. This is not to 15 decimal points.
00:23:14 - But you're going to roughly plot each one of your identified
00:23:17 - risks onto the graph, and based on your cutoff point, this is
00:23:22 - going to tell you that risks 1 and 3 are of relevance and 2 being
00:23:27 - right on the threshold, we probably would want to apply it as
00:23:31 - well. And that way, it allows us to determine that 1, 2, 4 I
00:23:37 - guess I better put 3 in there, 6, 12, 21, and 43
00:23:44 - are the relevant risks that I want to worry about going forward
00:23:49 - on my project.
00:23:52 - And the last step to analysis is risk ranking or prioritizing.
00:24:00 - So we did our plotting on to our graph and we determined that
00:24:04 - 1, 2, 3, 4, up to 43 are the risks that we're going to use carrying
00:24:11 - forward. All of those risks are not equal. The risks that have
00:24:16 - a high impact and a high probability are, quote, end quote, "more
00:24:21 - important" and therefore are going to receive more of our time,
00:24:26 - and the risks that have a medium impact and a medium probability,
00:24:30 - assuming that that is our threshold for cutoff for an average
00:24:34 - risk project, we're going to give them less priority. So it's
00:24:38 - just another way to try to manage the sea of risks that we have
00:24:44 - saddled ourselves with through risk identification, risk analysis
00:24:49 - to prioritize and make sure that moving forward in the risk planning,
00:24:54 - we're planning our time on the most critical, important prioritized
00:25:02 - risks, and that we are allocating less time to the less important
00:25:07 - risks. So our final step in risk management planning is to plan
00:25:13 - our strategy
00:25:16 - for those prioritized
00:25:21 - risks that meet
00:25:27 - our risk profile.
00:25:33 - What are we going to do about these risks? We have a number of
00:25:36 - risks. Hopefully it's a small manageable number, 10, 15, maybe
00:25:40 - 20 prioritized risks that meet/exceed
00:25:44 - our risk profile. We have these future unknown bad things that
00:25:49 - are going to impact our project. What can we do about it? Well,
00:25:53 - there are only four things we can do about a risk. Number one
00:25:57 - is to avoid. If there is an unknown future event that we can
00:26:04 - avoid, we should. What does avoid mean? We change our project
00:26:10 - delivery approach
00:26:15 - now, talking about being proactive. We are going to change our
00:26:18 - project delivery approach now. Through our risk analysis, we
00:26:22 - identified that there was a risk that the learning curve for
00:26:26 - the new programming language was going to be higher than the
00:26:30 - programming language vendor has led us to believe. That is our
00:26:34 - risk. We believe there is going to be a learning curve risk on
00:26:37 - our project.
00:26:40 - How do we avoid it? We simply change the project approach and
00:26:45 - we don't
00:26:47 - use the new language.
00:26:53 - We believe there is a very high degree probability and impact
00:26:57 - that the learning curve is going to impact our project. This
00:27:00 - is a very risk-averse project, so we simply say, "This is not
00:27:05 - the time to cut our teeth on something new. We are going to change
00:27:10 - our project delivery approach now. We are going to avoid that
00:27:13 - risk altogether. We're not going to use that
00:27:17 - language. Avoidance.
00:27:21 - Some risks will be too costly to avoid. Some risks will be impractical
00:27:27 - to avoid. So the next strategy is to transfer. Find
00:27:34 - someone else
00:27:39 - to do
00:27:41 - it/take on the risk.
00:27:47 - And you may, at first, say, "Well, that's a pretty sleazy way
00:27:50 - to do it. If you think there is a project risk, you're just going
00:27:52 - to slough it off on someone else." Well, we do that every day
00:27:56 - in our personal lives. I would expect every one of you listening
00:27:59 - to this Nugget series has car insurance, has life insurance,
00:28:03 - has home insurance, has medical insurance. We're transferring
00:28:07 - the risk of a car accident to our insurance company. So transference
00:28:11 - isn't sleazy. Transference is good, solid practice.
00:28:17 - How can we transfer project risks?
00:28:20 - Again, let's use that same example. We believe that the learning
00:28:25 - curve on our project is going to be high. There is a risk to
00:28:30 - the project for doing that. We explored using the avoidance strategy,
00:28:34 - and senior management has said, "No, it's critical that we use
00:28:38 - this new language. We have to start somewhere, and your project
00:28:41 - is somewhere that we're going to start it on." So we decide to
00:28:44 - use a transference approach. We are going to find somebody else
00:28:48 - to do it to take on the risk. We are going to hire
00:28:52 - consultants, and we are going to staff
00:28:59 - 50% of the project with consultants who have known
00:29:05 - expertise. And we are going to tell these consultants that not
00:29:10 - only do you have project delivery responsibilities to write the
00:29:14 - code using the new programming language. You also have a coaching
00:29:18 - responsibility to coach our staff to help them overcome the learning
00:29:23 - curve. Risk strategy number two, transfer. Find someone else
00:29:29 - with the skills, with the availability, with the resources to
00:29:32 - take on the risk and absorb the risk for you.
00:29:37 - Option number three is to mitigate.
00:29:41 - Try to reduce
00:29:44 - the impact/probability.
00:29:53 - Taking that same example, we believe there is a learning curve
00:29:57 - issue for our project. We've reviewed with management the possibility
00:30:01 - of taking an avoidance strategy. We've been told, "Not going
00:30:05 - to fly. You must use the new language." We've explored the possibility
00:30:09 - of using a transfer approach. It is such a new language. There
00:30:13 - are no consultants available that we can't do any transference.
00:30:18 - So our next strategy is to mitigate. We believe there is going
00:30:21 - to be a learning curve. We enroll in
00:30:26 - the recommended courses.
00:30:33 - We train the team.
00:30:35 - We still believe there is risk with doing that, so we also plan
00:30:41 - extra dollars
00:30:43 - to bring
00:30:46 - the trainer back
00:30:49 - on site
00:30:52 - to coach. And
00:30:54 - this is the difference between hiring the consultants who are
00:30:57 - going to take on delivery responsibilities and in increasing
00:31:02 - in our educational allowances by bringing the trainer on-site
00:31:07 - to coach so we're mitigating. We're reducing the impact well,
00:31:11 - we're not we are reducing the impact because hopefully, their
00:31:13 - learning curve will be lessened. And we're reducing the probability
00:31:18 - by having that trainer on site to coach our team. So I would
00:31:22 - suggest that's strategy number three. And finally, the worst
00:31:27 - case strategy is we can't avoid it, we can't transfer it, we
00:31:33 - can't mitigate it, so we're just going to have to accept the
00:31:36 - fact that some unmanageable, uncontrollable, unavoidable, untransferable,
00:31:43 - immitigable risk is going to come and impact our project, so
00:31:47 - we are going to accept it. Now that's a bit of a doomsday alarmist
00:31:51 - strategy. There will be risks that we have no choice but to accept.
00:31:56 - But every time we choose to accept a risk, we need to build in
00:32:00 - something called contingency. And
00:32:05 - let's look and see what contingency really is. Contingency is
00:32:10 - what we use when we decided that accept
00:32:14 - is our risk management plan, our risk management strategy. And
00:32:18 - I don't think I need to spend a lot of time on contingency because
00:32:21 - I expect everybody knows what contingency is. It's the allowance
00:32:25 - for the risk. It's extra
00:32:28 - time in the schedule
00:32:33 - and/or extra dollars
00:32:37 - in the budget
00:32:41 - so that when that unknown future bad thing comes up that we can't
00:32:47 - deal with that we have some time in our back pocket as project
00:32:51 - managers build into the schedule that allows us to do the extra
00:32:55 - work, that allows us to do the rework, that allows us to spin
00:32:58 - our wheels, that allows us to accept the fact that a bad thing
00:33:02 - is happening to our project and still deliver our project on
00:33:06 - schedule, or allows us to spend more money and still allows us
00:33:09 - to deliver our project on budget.
00:33:13 - As we are building in contingency, we should build in contingency
00:33:17 - at two levels. We should build in contingency at the task-specific
00:33:21 - or really the risk-specific level. We have a risk that the learning
00:33:27 - curve for our project is going to be extreme.
00:33:30 - Our only strategy that's remaining is acceptance, so we are going
00:33:35 - to build in two weeks
00:33:38 - schedule contingency. We
00:33:40 - are going to build in $10,000 extra cost for the project to allow
00:33:45 - our developers to work for those two weeks to make up the time
00:33:50 - lost in the learning curve. And we build that in.
00:33:55 - We build it into the project. When we are publishing milestones,
00:34:00 - when we are publishing the budget, we don't publish the aggressive
00:34:06 - risk out schedule
00:34:11 - and budget.
00:34:16 - We publish
00:34:20 - the contingency
00:34:25 - in schedule
00:34:29 - and budget.
00:34:32 - And that's a key thing to make note of. We publish the contingency
00:34:35 - in, schedule, and budget. Already in this Nugget series, we've
00:34:39 - talked at great lengths about developing a sound realistic WBS
00:34:44 - that's going to create a sound realistic schedule.
00:34:48 - We've agonized over the resource and we've agonized over the
00:34:52 - dependencies, and we've developed a project schedule that says
00:34:55 - this project is going to be done on June 15th. That's the aggressive
00:35:01 - risk out schedule in budget. We need to build two weeks of schedule
00:35:07 - contingency in, so we publish the project is going to be done
00:35:11 - on June the 25th
00:35:14 - or whatever, two weeks plus or minus weekends it's going to be.
00:35:17 - And that's the date, that's the schedule that we publish, and
00:35:21 - that's the budget that we publish. So for every risk event that
00:35:25 - we've developed and accept strategy for, we need to build schedule
00:35:31 - and budget contingency in, and we need to publish our final schedule
00:35:36 - and budget with all of the risk-specific contingencies built
00:35:40 - in. And if this is anything from an average
00:35:45 - definitely to an adverse
00:35:49 - project, we probably need to build in a little extra 10%, 15%
00:35:55 - extra contingency for unknown unknowns. We've spent all of our
00:36:00 - time dreaming, worrying about all of the unknown events that
00:36:03 - we can dream of. There is a high probability there are going
00:36:08 - to be some unknown events that we don't even dream about. So
00:36:11 - we need to build a little extra contingency schedule and budget
00:36:16 - into the project. If this is an average project, building in
00:36:20 - 10 to 15% is probably a realistic number. If this is an averse,
00:36:25 - as I suggested in the introduction, we may need to build as much
00:36:29 - as 50%
00:36:31 - extra schedule contingency, extra budget consistency to ensure
00:36:37 - that our project is going to be a success
00:36:40 - and we build it into the project.
00:36:43 - This concludes our Nugget on Risk Management Plan Development.
00:36:47 - This Nugget was focused on the first three elements of the risk
00:36:50 - management approach: identify, analyze, and plan. The last, control,
00:36:55 - will be dealt with in a later Nugget when we are in the Monitoring
00:36:57 - and Control segment of the Project Plus Certification Exam. This
00:37:02 - Nugget focused on identification. Dream
00:37:06 - and worry,
00:37:08 - blue sky, all possible
00:37:14 - bad things,
00:37:18 - unknowns that could impact our project. Once we've done a comprehensive
00:37:25 - dream and worry of all the possible bad things, all of the unknowns,
00:37:29 - we then analyze, and our analysis is based primarily on probability
00:37:37 - and impact.
00:37:40 - Using the probability and impact, we take that large list of
00:37:44 - bad unknowns and we come up with an ordered,
00:37:49 - prioritized of the critical
00:37:57 - risks, those future possible bad unknowns that could impact our
00:38:01 - project, and then we develop the plan for dealing with them.
00:38:04 - And our plan is we can avoid,
00:38:09 - we can change the approach.
00:38:14 - Now, to make those unknown things go away, we can transfer.
00:38:21 - We can find someone, somewhere, some organization that has the
00:38:25 - skills, the ability
00:38:30 - to accept the risk, and they take on the risk. We can mitigate.
00:38:40 - We can try to lessen the impact
00:38:46 - for the risk by taking proactive actions. And sometimes, we have
00:38:50 - no choice but to accept. And when we accept, we develop contingency,
00:38:58 - which builds in buffer
00:39:01 - in both the schedule
00:39:05 - and the budget to allow us to deal with these unknown bad things
00:39:10 - when they come up.
00:39:13 - As I said in the introduction, I find risk management to be a
00:39:16 - difficult concept for some project managers to accept because
00:39:19 - we are dealing with intangibles. We are dealing with unknown
00:39:24 - future bad things, and we are asking you to develop solid plans
00:39:29 - to deal with those unknown bad things. We're asking you to assess
00:39:33 - the probability and the impact of those future unknown bad things,
00:39:37 - and we are asking you to develop concrete plans, including allocation
00:39:42 - of money and schedule for unknown bad things.
00:39:47 - But good risk management is critical to good successful project
00:39:52 - management, and a solid understanding of risk management is going
00:39:56 - to be, I don't want to use the word "critical," but it's going
00:39:59 - to be key to passing your Project Plus certification. Effective
00:40:03 - risk management will be a considerable subject matter in your
00:40:09 - Project Plus. So I would highly recommend that you develop a
00:40:13 - solid understanding for the identification, the analysis, and
00:40:16 - the planning activities associated with risk management. This
00:40:22 - concludes our Nugget on Risk Management Planning. I hope this
00:40:25 - module has been informative for you, and thank you very much
00:40:28 - for viewing.