CompTIA Project+ PK0-003

Risk Management Plan

by Steve Caseley

Start your 7-day free trial today.

This video is only available to subscribers.

A free trial includes:

  • Unlimited 24/7 access to our entire IT training video library.
  • Ability to train on the go with our mobile website and iOS/Android apps.
  • Note-taking, bookmarking, speed control, and closed captioning features.

What is Project Management

Project+ and how to prepare for the exam

Pre-Project Setup

Project Planning

Prepare Scope Statement

Create WBS and WBS Dictionary

Define Change Management Process

Develop Project Schedule and Resources and Roles

PERT/GANTT/CPM and Schedule Compression

Communications Management Plan

Risk Management Plan

00:00:00 - The next stop on our 2.0 project planning road map is 2.8 Risk
00:00:06 - Management Plan, or the full definition from CompTIA which is
00:00:10 - very consistent, outline the components of a risk management
00:00:14 - plan. I believe risk management is one of the more complex disciplines
00:00:19 - we are going to cover in this entire Nugget series. And the reason
00:00:22 - risk management planning or risk management in general is we
00:00:26 - are trying to plan
00:00:29 - for unknowns.
00:00:34 - And therein lies the problem. If it's unknown, how can we plan
00:00:38 - for it? But we need to plan for it. We need to recognize
00:00:46 - that risks,
00:00:50 - future bad
00:00:55 - events that could
00:01:01 - impact our project.
00:01:04 - And then with a good risk management plan recognizing that risks,
00:01:08 - future, bad events could impact our project, then we need to
00:01:11 - prevent them
00:01:14 - proactively. And that's why risk management is so important because
00:01:21 - with effective risk management, we are going to prevent these
00:01:24 - bad things from happening, but we won't know if they are going
00:01:28 - to happen without a plan, but we are trying to plan for unknowns.
00:01:33 - And I'm deliberately not trying to lay this out as confusing.
00:01:38 - I hope by the time we finish this Nugget this degree of conflict
00:01:43 - of planning for unknown and preventing bad events from happening
00:01:48 - but how can we because there are unknowns, I hope all of this
00:01:52 - will become very well-known to you by the time we finish this
00:01:56 - particular Nugget on risk management plan.
00:02:00 - The disciplines of risk management planning are created straightforward.
00:02:05 - There are four steps. First, we need to identify risks.
00:02:09 - This is where we dream,
00:02:12 - use our crystal ball,
00:02:16 - and we identify
00:02:20 - those future
00:02:23 - unknown events
00:02:27 - that could affect our project.
00:02:31 - Once we have identified the risks, then we analyze them. What's
00:02:35 - the likelihood?
00:02:40 - What's the impact?
00:02:43 - And let's face it: if we dream and worry and crystal ball and
00:02:47 - identify all future events, some of these dream and worry, unknown
00:02:52 - future events could be so unlikely, so improbable, so unrelated
00:02:58 - to our project that literally we stop worrying about them, which
00:03:02 - is why we need to go through this analysis step where we understand
00:03:05 - the likelihood and the impact of the risk events, these unknown
00:03:09 - future events coming up and affecting our project. Once we do
00:03:13 - the analysis and get rid of the unlikely's and carry forward
00:03:18 - the likely's, we then move into the planning stage where we develop
00:03:22 - a strategy
00:03:25 - for dealing with the risks.
00:03:30 - And this
00:03:33 - is where we become proactive
00:03:38 - and we do our best to eliminate, to get rid of, to transfer,
00:03:43 - to change the nature of the project so that these unknown future
00:03:47 - events aren't going to impact our project. And then finally,
00:03:51 - we control for the events. In this particular Nugget, because
00:03:55 - we are still in planning mode, we are not going to discuss risk
00:03:59 - management control. We'll discuss that in a later Nugget. This
00:04:03 - Nugget is going to focus on the first three parts of risk management:
00:04:06 - identify, analyze, and plan. Develop that risk management plan
00:04:12 - so that we can be proactive with the eliminating these unknown
00:04:17 - future, potentially bad events that could cause our project to
00:04:21 - run into delivery challenges. And
00:04:24 - even before we get into that dream and worry time, we need to
00:04:28 - understand what our project's risk profile is. How much risk
00:04:33 - is the project willing to absorb? How much risk is the project
00:04:38 - willing to go forward with? Is your project risk-averse? In which
00:04:42 - case, you want
00:04:46 - no risk.
00:04:49 - In which case, we need to spend a lot of care and attention up
00:04:53 - front doing our risk identification, our risk analysis, and our
00:04:58 - risk planning because we want to eliminate, proactively remove
00:05:02 - all of the risks. Is this a neutral risk project, i.e. is this
00:05:06 - an average
00:05:10 - project? We don't want to be risk-seeking, which is the next
00:05:15 - one, but we also don't want to
00:05:18 - eliminate every last potential risk from ever happening, i.e.
00:05:22 - is this an average risk project, and we will do an average amount
00:05:27 - of risk management. And I will try to explain what these terms
00:05:31 - or what the degree of risk management is going to be. Or is this
00:05:35 - a risk-seeking project? Are we willing
00:05:40 - to accept,
00:05:43 - quote, end quote, "bad things?"
00:05:48 - And you may be saying, "Why would a project ever want to be willing
00:05:52 - to accept bad things? Bad things are going to cost project
00:05:58 - and they are going be extreme failures.
00:06:01 - So why would we ever want to say, 'Our project is risk-seeking?"
00:06:05 - realizing that when bad things happen, the projects could be
00:06:08 - fail?" Well, risk-seeking projects are what I would call R&D
00:06:13 - projects. They are breakthrough projects.
00:06:17 - They are projects where we are going to try
00:06:21 - and maybe fail.
00:06:24 - In R&D project, a breakthrough project, we've had a brilliant
00:06:29 - idea. We believe that if this project is a success, we're absolutely
00:06:34 - going to change the nature of our business. We're absolutely
00:06:37 - going to change our profitability. We're going to make some dramatic
00:06:43 - breakthrough for our organization. And if the project succeeds,
00:06:48 - it's "Yay.
00:06:52 - We have had the breakthrough. Our organization is going to be
00:06:55 - more successful." But if the project fails,
00:07:00 - well, it's, "We tried. We thought we had a good idea. Had we
00:07:05 - succeeded, we would have yay, but we didn't succeed so therefore,
00:07:10 - we tried and we failed," the proverbial Thomas Edison, "I now
00:07:14 - know one more way not to invent a light bulb." But if this is
00:07:17 - truly a risk-seeking project, our risk management plan is probably
00:07:22 - as simple as saying,
00:07:25 - "This is a risk-seeking project. We are not going to spend a
00:07:28 - lot of upfront time on risk management. We will deal with the
00:07:32 - problems as they come up. And if they can be dealt with, we will
00:07:36 - continue the project. And if the risks become insurmountable,
00:07:39 - we'll let the project, quote, end quote, "fail" because this
00:07:43 - is a risk-seeking project.
00:07:46 - More normal projects are going to be somewhere in the adverse
00:07:49 - to the neutral category. And I'm going to deal with the adverse
00:07:52 - first. This is a make-or-die
00:07:58 - project. This is not a try and fail. This project must succeed
00:08:04 - or our organization fails. The auditors have come in. They have
00:08:08 - examined our financial systems and they've determined that our
00:08:11 - financial systems are inadequate
00:08:14 - and have given us an eight-month, 12-month, whatever time for
00:08:20 - remedy is coming from the audit department, and the audit department
00:08:23 - has basically said or the external auditors have basically said,
00:08:26 - "You have eight months to turn around and rectify these problems.
00:08:31 - And if you can rectify these problems, we are going to give you
00:08:35 - a clean bill of health. But if you don't rectify these problems,
00:08:39 - we're going to write an external auditor statement that says,
00:08:41 - "We do not recommend this organization. We highly encourage all
00:08:46 - investors to stop investing in this organization." This is a
00:08:50 - make or die-type project. This project has to be risk-averse.
00:08:54 - We want no risk. We want no chances
00:08:59 - for failure.
00:09:03 - Therefore, as we are taking on the project, if we must do this
00:09:07 - in eight months,
00:09:10 - we need to ensure that we have sufficient time,
00:09:16 - we have sufficient budget,
00:09:19 - we have sufficient resources,
00:09:22 - et cetera, et cetera to absolutely guarantee.
00:09:26 - So therefore, if we must do this project in eight months, we
00:09:29 - probably should be planning on project work of let's say four
00:09:33 - months, giving ourselves 100% overrun. If this project overruns
00:09:39 - by eight months or by 100%, four months turns into eight months,
00:09:45 - and we are still going to make it. If it is a risk-averse project,
00:09:49 - we need to build schedule contingency. We need to ensure we have
00:09:53 - enough budget. If we need to hire
00:09:57 - externals, if we need to hire better tools,
00:10:05 - if we need to add more money to make the project a success, we
00:10:10 - need to make sure we have the ability to do that. We may need
00:10:14 - to dedicate
00:10:16 - higher level resources, overstaff everyone. Instead of putting
00:10:20 - a programmer on the project, we are going to put a senior programmer
00:10:23 - on the project. This is not the kind of project where we're going
00:10:26 - to put green beings and people training to grow in the position.
00:10:30 - We are going to overresource. This is risk-averse. We want no
00:10:33 - risk. We want no chances for failure.
00:10:37 - Or is this a neutral project? It's an average project. If we
00:10:41 - need to be done in eight months, well, let's say our schedule
00:10:45 - is going to be 6.5 months, leaving us 1.5 months of contingency.
00:10:52 - The budget. If this is going to be a $50,000 project, we're probably
00:10:56 - going to tell management we need to have $60,000 so that we have
00:10:59 - some room to hire externals to get better tools. In terms of
00:11:05 - resourcing, again, we may accept one or two green horns on the
00:11:09 - project, but we still need a degree of qualified resources.
00:11:14 - Once you know the risk profile, adverse, neutral, seeking, we're
00:11:19 - ready to start to go in and start to do the true work around
00:11:23 - risk management planning. So having determined that our project's
00:11:28 - risk profile is probably anything but seeking, the next step,
00:11:32 - or really, the first step in risk management is identifying the
00:11:36 - risks. We need to dream.
00:11:41 - We need to worry.
00:11:43 - We need to talk to experts.
00:11:48 - We need to blue sky.
00:11:53 - We need to identify all
00:11:56 - possible risks,
00:12:02 - the proverbial blue sky. There is no such thing as a bad risk.
00:12:06 - We identify all risks, all possible risks to the project. Where
00:12:10 - are the risks going to come from? The technology.
00:12:14 - We're using new technology. Our technology is not adequately
00:12:17 - sized. Our technology is likely to change release levels. The
00:12:21 - risk could come from the human resources. The team is inexperienced.
00:12:25 - We will not have enough resources. Resources will be pulled off
00:12:28 - our project to work on other higher priority organizational projects.
00:12:33 - There could be legislative changes. The government has told us
00:12:37 - that the changes must be done in certain time. Or there is a
00:12:40 - risk that the government is going to change, and the mandate
00:12:43 - for the project is going to change. The business itself could
00:12:46 - introduce risks. Is the business in a growth stage? Is the business
00:12:50 - in a regression stage? The competition. The competition is going
00:12:55 - to make changes that again are going to cause dynamic changes
00:12:58 - to our organization.
00:13:00 - We need to brainstorm. We need to think about other projects
00:13:04 - where we've done work of a similar nature before. We need to
00:13:08 - dream. We need to worry. We need to talk to the experts. We need
00:13:11 - the blue sky. Basically, the bottom line is we need to identify
00:13:16 - all possible risks. There is no such thing as a bad risk at this
00:13:21 - moment. In just a moment, we are going to very quickly eliminate
00:13:25 - all of the bad risks when we do our risk analysis. But the first
00:13:29 - step is to get all of the risks down on a white board, down on
00:13:33 - a piece of paper somewhere. And if we start to try to analyze
00:13:38 - the risks at this point in time, we risk limiting our creativity.
00:13:43 - Again, I often become this broken record, in the identification
00:13:48 - stage, we want to identify our risks. There is no such thing
00:13:51 - as a bad risk. Once we believe we have a complete,
00:13:56 - comprehensive, scary list,
00:14:04 - then it's time to move on to the next step, which is our analysis
00:14:08 - of these risks.
00:14:10 - So now, we are going to start to identify the bad
00:14:15 - risks and we are going to eliminate them
00:14:21 - because in identify, we probably identified hundreds,
00:14:28 - maybe even thousands of risks, depending on how much time we
00:14:31 - had to do our risk identification. But many of those risks are
00:14:35 - going to be what I would call bad risks that we need to eliminate.
00:14:39 - How do we do that? Well, the first step is we need to review
00:14:42 - and understand the risks. It's easy to say, "We're in brainstorming.
00:14:46 - Let's put the risk on the board. Let's give each risk a name,"
00:14:51 - and then stop thinking about it and go on to the next one. Now
00:14:55 - it's time to slow down, start to apply the old brain matter to
00:14:59 - it, and we need to review and understand the risks. Start to
00:15:03 - put more meat
00:15:08 - to the definition of the risk. And key is these next two steps.
00:15:12 - We need to understand the probability,
00:15:14 - what's the likelihood,
00:15:20 - and what's the impact,
00:15:22 - how serious
00:15:25 - is the risk.
00:15:27 - Once we identify the probability, and let's stick with the likelihood
00:15:32 - between 1%
00:15:34 - to 100%,
00:15:38 - and it very quickly allows us to eliminate
00:15:41 - from that hundreds and come up with a short list of maybe 20
00:15:45 - or 30. If a probability of a risk is 3%,
00:15:52 - do we believe we have time to worry about, to develop strategies
00:15:58 - to deal with a risk that only has a 3% probability of occurring?
00:16:03 - And I would suggest if the risk is in a low probability like
00:16:07 - that, probably even if this is an absolutely risk-averse project,
00:16:13 - we are going to eliminate it. If the risk is at a 99.5%
00:16:20 - probability, if we truly believe that a risk is at a 99.5%
00:16:26 - probability, I would suggest that's not a risk. That's a delivery
00:16:32 - reality. Let's stop fooling ourselves and calling it a risk.
00:16:38 - It's a delivery reality and we must
00:16:41 - deal with it immediately, and we must get it out of our project's
00:16:45 - vocabulary. So high, very high, let's say anything from 95% plus,
00:16:53 - yes, it's something we have to deal with as a project manager.
00:16:56 - We don't want to call it a risk and say, "Oh, this bad thing
00:17:00 - could happen at some point in time in the project. I'll worry
00:17:03 - about it when it comes along." If it's a 95, 96, 99.5% probability,
00:17:09 - worry about it now and get rid of it now. So somewhere between
00:17:13 - the 5%
00:17:16 - and the 95%,
00:17:18 - we're going to start assessing the probability.
00:17:21 - Where do we do our line and say, "Don't care, don't care?" Is
00:17:26 - it at 40%? Is it at 60%? This is where that profile comes in.
00:17:34 - If this is an averse,
00:17:38 - that number is probably down here maybe in the 20% range. If
00:17:42 - it's seeking,
00:17:44 - the number is way up in the 90s. As I said, risk-seeking, we
00:17:48 - probably stop risk management at that point in time. But if it's
00:17:52 - average, and I'm not saying an average project, the threshold
00:17:57 - is at 50%, but it's certainly going to be somewhere on the greater
00:18:03 - than 50% side of an average project's worrying about risks. But
00:18:09 - before we just truly eliminate our risk based on probability,
00:18:14 - we also need to understand the impact of the risk. If this risk
00:18:19 - has a 10%
00:18:21 - probability but it has an impact
00:18:25 - of $1
00:18:29 - million, we probably need to spend some time worrying about it.
00:18:32 - If the risk has a probability of 95%
00:18:37 - and an impact of.05
00:18:40 - cent we probably don't worry about it at all. It's just, "Yes,
00:18:44 - it's going to happen. It's going to cost my project.05 cent
00:18:47 - ." And I'm being a little extreme with my numbers, but just to
00:18:50 - drive home, we really need to understand the probability and
00:18:54 - the impact,
00:18:56 - and we will talk about using the probability in the impact together
00:19:00 - in something called risk ranking in a few moments. But once we
00:19:05 - review and understand the risks, understand the probability,
00:19:09 - understand the impact, that allows us to do this step, which
00:19:13 - is to determine the relevance. Is this brainstormed, blue sky
00:19:17 - risk relevant to proceed,
00:19:21 - or is this brainstormed
00:19:23 - blue sky risk something that we can be fairly high confidence
00:19:29 - that we can ignore?
00:19:31 - So next, I want to show you what I believe is a very easy way
00:19:36 - to try to weed out based on probability and the impact the risks
00:19:42 - that are relevant to our project and the risks that are not relevant.
00:19:47 - I personally find this risk graph a very, very easy tool that
00:19:51 - I can use to determine the relevance of my risks, and a lot of
00:19:55 - people will call this a Risk
00:19:58 - Ranking Matrix.
00:20:05 - So whether you call it a risk graph or a risk ranking matrix,
00:20:07 - I find it as a very effective tool. And literally, we just put
00:20:12 - impact on one axis, probability on another, rank them from low,
00:20:16 - medium, high, maybe 0 to 100%,
00:20:21 - impact from $0 to whatever the highest impact is going to be,
00:20:27 - $50,000 or whatever. I personally like to stick with a fairly
00:20:31 - low degree of specification. I prefer the low, medium, high.
00:20:36 - It's an unknown future event. What's the probability it's going
00:20:41 - to happen? Do you really believe you can sit down and say, "I
00:20:44 - can predict that this unknown future event has a 46% probability
00:20:50 - of occurrence?" I don't think so. Do you think you can sit down
00:20:54 - and say, "This unknown future event has a medium probability
00:20:59 - of occurring?" Probably yes. Same thing on impact. What's the
00:21:03 - impact? It's an unknown future. Is it really going to cost me
00:21:06 - $50,000 to deal with it? Well, I don't know but it's probably
00:21:10 - going to be pretty expensive. Anyway, the degree of the type
00:21:13 - of measurement you have on your axes is wherever your own comfort
00:21:18 - level is going to reside.
00:21:21 - We develop the graph. We apply our risk profile. This is a risk-averse
00:21:28 - project. We're probably going to put our threshold
00:21:32 - right down there somewhere. Only these few risks that are going
00:21:36 - to be in the halfway up the medium impact, halfway up the probability,
00:21:41 - and lower are going to be ignored. And everything else is going
00:21:46 - to be of relevance to the project. If this is an average project,
00:21:53 - so this is an adverse,
00:21:56 - this is an average,
00:21:59 - and this obviously is a seeking.
00:22:04 - Now, I'm your individual project. You're not going to draw the
00:22:07 - three lines. You're simply going to say, "Based on my risk profile,
00:22:11 - I care about only the risks that are going to be in
00:22:17 - these quadrants," for example. Or, "For my risk profile, I care
00:22:21 - about the risks that are going to be in this quadrant," or whatever
00:22:25 - again is going to match the profile for your project. And then
00:22:29 - you simply start plotting your risks onto the graph. Now, you're
00:22:35 - not going to put the whole name under the graph, but you're going
00:22:37 - to say, "Risk #1 has a fairly high medium probability and has
00:22:45 - is a very high medium impact," so you're going to put risk #1
00:22:50 - right there. Risk #2 is a very average probability, very average
00:22:56 - impact, so you're going to put risk #2 there. Risk #3 has a very
00:23:01 - high probability but a relatively low impact, so you're going
00:23:06 - to put it there. And again, you're just going to plot, roughly
00:23:11 - plot. This is not scientific. This is not to 15 decimal points.
00:23:14 - But you're going to roughly plot each one of your identified
00:23:17 - risks onto the graph, and based on your cutoff point, this is
00:23:22 - going to tell you that risks 1 and 3 are of relevance and 2 being
00:23:27 - right on the threshold, we probably would want to apply it as
00:23:31 - well. And that way, it allows us to determine that 1, 2, 4 I
00:23:37 - guess I better put 3 in there, 6, 12, 21, and 43
00:23:44 - are the relevant risks that I want to worry about going forward
00:23:49 - on my project.
00:23:52 - And the last step to analysis is risk ranking or prioritizing.
00:24:00 - So we did our plotting on to our graph and we determined that
00:24:04 - 1, 2, 3, 4, up to 43 are the risks that we're going to use carrying
00:24:11 - forward. All of those risks are not equal. The risks that have
00:24:16 - a high impact and a high probability are, quote, end quote, "more
00:24:21 - important" and therefore are going to receive more of our time,
00:24:26 - and the risks that have a medium impact and a medium probability,
00:24:30 - assuming that that is our threshold for cutoff for an average
00:24:34 - risk project, we're going to give them less priority. So it's
00:24:38 - just another way to try to manage the sea of risks that we have
00:24:44 - saddled ourselves with through risk identification, risk analysis
00:24:49 - to prioritize and make sure that moving forward in the risk planning,
00:24:54 - we're planning our time on the most critical, important prioritized
00:25:02 - risks, and that we are allocating less time to the less important
00:25:07 - risks. So our final step in risk management planning is to plan
00:25:13 - our strategy
00:25:16 - for those prioritized
00:25:21 - risks that meet
00:25:27 - our risk profile.
00:25:33 - What are we going to do about these risks? We have a number of
00:25:36 - risks. Hopefully it's a small manageable number, 10, 15, maybe
00:25:40 - 20 prioritized risks that meet/exceed
00:25:44 - our risk profile. We have these future unknown bad things that
00:25:49 - are going to impact our project. What can we do about it? Well,
00:25:53 - there are only four things we can do about a risk. Number one
00:25:57 - is to avoid. If there is an unknown future event that we can
00:26:04 - avoid, we should. What does avoid mean? We change our project
00:26:10 - delivery approach
00:26:15 - now, talking about being proactive. We are going to change our
00:26:18 - project delivery approach now. Through our risk analysis, we
00:26:22 - identified that there was a risk that the learning curve for
00:26:26 - the new programming language was going to be higher than the
00:26:30 - programming language vendor has led us to believe. That is our
00:26:34 - risk. We believe there is going to be a learning curve risk on
00:26:37 - our project.
00:26:40 - How do we avoid it? We simply change the project approach and
00:26:45 - we don't
00:26:47 - use the new language.
00:26:53 - We believe there is a very high degree probability and impact
00:26:57 - that the learning curve is going to impact our project. This
00:27:00 - is a very risk-averse project, so we simply say, "This is not
00:27:05 - the time to cut our teeth on something new. We are going to change
00:27:10 - our project delivery approach now. We are going to avoid that
00:27:13 - risk altogether. We're not going to use that
00:27:17 - language. Avoidance.
00:27:21 - Some risks will be too costly to avoid. Some risks will be impractical
00:27:27 - to avoid. So the next strategy is to transfer. Find
00:27:34 - someone else
00:27:39 - to do
00:27:41 - it/take on the risk.
00:27:47 - And you may, at first, say, "Well, that's a pretty sleazy way
00:27:50 - to do it. If you think there is a project risk, you're just going
00:27:52 - to slough it off on someone else." Well, we do that every day
00:27:56 - in our personal lives. I would expect every one of you listening
00:27:59 - to this Nugget series has car insurance, has life insurance,
00:28:03 - has home insurance, has medical insurance. We're transferring
00:28:07 - the risk of a car accident to our insurance company. So transference
00:28:11 - isn't sleazy. Transference is good, solid practice.
00:28:17 - How can we transfer project risks?
00:28:20 - Again, let's use that same example. We believe that the learning
00:28:25 - curve on our project is going to be high. There is a risk to
00:28:30 - the project for doing that. We explored using the avoidance strategy,
00:28:34 - and senior management has said, "No, it's critical that we use
00:28:38 - this new language. We have to start somewhere, and your project
00:28:41 - is somewhere that we're going to start it on." So we decide to
00:28:44 - use a transference approach. We are going to find somebody else
00:28:48 - to do it to take on the risk. We are going to hire
00:28:52 - consultants, and we are going to staff
00:28:59 - 50% of the project with consultants who have known
00:29:05 - expertise. And we are going to tell these consultants that not
00:29:10 - only do you have project delivery responsibilities to write the
00:29:14 - code using the new programming language. You also have a coaching
00:29:18 - responsibility to coach our staff to help them overcome the learning
00:29:23 - curve. Risk strategy number two, transfer. Find someone else
00:29:29 - with the skills, with the availability, with the resources to
00:29:32 - take on the risk and absorb the risk for you.
00:29:37 - Option number three is to mitigate.
00:29:41 - Try to reduce
00:29:44 - the impact/probability.
00:29:53 - Taking that same example, we believe there is a learning curve
00:29:57 - issue for our project. We've reviewed with management the possibility
00:30:01 - of taking an avoidance strategy. We've been told, "Not going
00:30:05 - to fly. You must use the new language." We've explored the possibility
00:30:09 - of using a transfer approach. It is such a new language. There
00:30:13 - are no consultants available that we can't do any transference.
00:30:18 - So our next strategy is to mitigate. We believe there is going
00:30:21 - to be a learning curve. We enroll in
00:30:26 - the recommended courses.
00:30:33 - We train the team.
00:30:35 - We still believe there is risk with doing that, so we also plan
00:30:41 - extra dollars
00:30:43 - to bring
00:30:46 - the trainer back
00:30:49 - on site
00:30:52 - to coach. And
00:30:54 - this is the difference between hiring the consultants who are
00:30:57 - going to take on delivery responsibilities and in increasing
00:31:02 - in our educational allowances by bringing the trainer on-site
00:31:07 - to coach so we're mitigating. We're reducing the impact well,
00:31:11 - we're not we are reducing the impact because hopefully, their
00:31:13 - learning curve will be lessened. And we're reducing the probability
00:31:18 - by having that trainer on site to coach our team. So I would
00:31:22 - suggest that's strategy number three. And finally, the worst
00:31:27 - case strategy is we can't avoid it, we can't transfer it, we
00:31:33 - can't mitigate it, so we're just going to have to accept the
00:31:36 - fact that some unmanageable, uncontrollable, unavoidable, untransferable,
00:31:43 - immitigable risk is going to come and impact our project, so
00:31:47 - we are going to accept it. Now that's a bit of a doomsday alarmist
00:31:51 - strategy. There will be risks that we have no choice but to accept.
00:31:56 - But every time we choose to accept a risk, we need to build in
00:32:00 - something called contingency. And
00:32:05 - let's look and see what contingency really is. Contingency is
00:32:10 - what we use when we decided that accept
00:32:14 - is our risk management plan, our risk management strategy. And
00:32:18 - I don't think I need to spend a lot of time on contingency because
00:32:21 - I expect everybody knows what contingency is. It's the allowance
00:32:25 - for the risk. It's extra
00:32:28 - time in the schedule
00:32:33 - and/or extra dollars
00:32:37 - in the budget
00:32:41 - so that when that unknown future bad thing comes up that we can't
00:32:47 - deal with that we have some time in our back pocket as project
00:32:51 - managers build into the schedule that allows us to do the extra
00:32:55 - work, that allows us to do the rework, that allows us to spin
00:32:58 - our wheels, that allows us to accept the fact that a bad thing
00:33:02 - is happening to our project and still deliver our project on
00:33:06 - schedule, or allows us to spend more money and still allows us
00:33:09 - to deliver our project on budget.
00:33:13 - As we are building in contingency, we should build in contingency
00:33:17 - at two levels. We should build in contingency at the task-specific
00:33:21 - or really the risk-specific level. We have a risk that the learning
00:33:27 - curve for our project is going to be extreme.
00:33:30 - Our only strategy that's remaining is acceptance, so we are going
00:33:35 - to build in two weeks
00:33:38 - schedule contingency. We
00:33:40 - are going to build in $10,000 extra cost for the project to allow
00:33:45 - our developers to work for those two weeks to make up the time
00:33:50 - lost in the learning curve. And we build that in.
00:33:55 - We build it into the project. When we are publishing milestones,
00:34:00 - when we are publishing the budget, we don't publish the aggressive
00:34:06 - risk out schedule
00:34:11 - and budget.
00:34:16 - We publish
00:34:20 - the contingency
00:34:25 - in schedule
00:34:29 - and budget.
00:34:32 - And that's a key thing to make note of. We publish the contingency
00:34:35 - in, schedule, and budget. Already in this Nugget series, we've
00:34:39 - talked at great lengths about developing a sound realistic WBS
00:34:44 - that's going to create a sound realistic schedule.
00:34:48 - We've agonized over the resource and we've agonized over the
00:34:52 - dependencies, and we've developed a project schedule that says
00:34:55 - this project is going to be done on June 15th. That's the aggressive
00:35:01 - risk out schedule in budget. We need to build two weeks of schedule
00:35:07 - contingency in, so we publish the project is going to be done
00:35:11 - on June the 25th
00:35:14 - or whatever, two weeks plus or minus weekends it's going to be.
00:35:17 - And that's the date, that's the schedule that we publish, and
00:35:21 - that's the budget that we publish. So for every risk event that
00:35:25 - we've developed and accept strategy for, we need to build schedule
00:35:31 - and budget contingency in, and we need to publish our final schedule
00:35:36 - and budget with all of the risk-specific contingencies built
00:35:40 - in. And if this is anything from an average
00:35:45 - definitely to an adverse
00:35:49 - project, we probably need to build in a little extra 10%, 15%
00:35:55 - extra contingency for unknown unknowns. We've spent all of our
00:36:00 - time dreaming, worrying about all of the unknown events that
00:36:03 - we can dream of. There is a high probability there are going
00:36:08 - to be some unknown events that we don't even dream about. So
00:36:11 - we need to build a little extra contingency schedule and budget
00:36:16 - into the project. If this is an average project, building in
00:36:20 - 10 to 15% is probably a realistic number. If this is an averse,
00:36:25 - as I suggested in the introduction, we may need to build as much
00:36:29 - as 50%
00:36:31 - extra schedule contingency, extra budget consistency to ensure
00:36:37 - that our project is going to be a success
00:36:40 - and we build it into the project.
00:36:43 - This concludes our Nugget on Risk Management Plan Development.
00:36:47 - This Nugget was focused on the first three elements of the risk
00:36:50 - management approach: identify, analyze, and plan. The last, control,
00:36:55 - will be dealt with in a later Nugget when we are in the Monitoring
00:36:57 - and Control segment of the Project Plus Certification Exam. This
00:37:02 - Nugget focused on identification. Dream
00:37:06 - and worry,
00:37:08 - blue sky, all possible
00:37:14 - bad things,
00:37:18 - unknowns that could impact our project. Once we've done a comprehensive
00:37:25 - dream and worry of all the possible bad things, all of the unknowns,
00:37:29 - we then analyze, and our analysis is based primarily on probability
00:37:37 - and impact.
00:37:40 - Using the probability and impact, we take that large list of
00:37:44 - bad unknowns and we come up with an ordered,
00:37:49 - prioritized of the critical
00:37:57 - risks, those future possible bad unknowns that could impact our
00:38:01 - project, and then we develop the plan for dealing with them.
00:38:04 - And our plan is we can avoid,
00:38:09 - we can change the approach.
00:38:14 - Now, to make those unknown things go away, we can transfer.
00:38:21 - We can find someone, somewhere, some organization that has the
00:38:25 - skills, the ability
00:38:30 - to accept the risk, and they take on the risk. We can mitigate.
00:38:40 - We can try to lessen the impact
00:38:46 - for the risk by taking proactive actions. And sometimes, we have
00:38:50 - no choice but to accept. And when we accept, we develop contingency,
00:38:58 - which builds in buffer
00:39:01 - in both the schedule
00:39:05 - and the budget to allow us to deal with these unknown bad things
00:39:10 - when they come up.
00:39:13 - As I said in the introduction, I find risk management to be a
00:39:16 - difficult concept for some project managers to accept because
00:39:19 - we are dealing with intangibles. We are dealing with unknown
00:39:24 - future bad things, and we are asking you to develop solid plans
00:39:29 - to deal with those unknown bad things. We're asking you to assess
00:39:33 - the probability and the impact of those future unknown bad things,
00:39:37 - and we are asking you to develop concrete plans, including allocation
00:39:42 - of money and schedule for unknown bad things.
00:39:47 - But good risk management is critical to good successful project
00:39:52 - management, and a solid understanding of risk management is going
00:39:56 - to be, I don't want to use the word "critical," but it's going
00:39:59 - to be key to passing your Project Plus certification. Effective
00:40:03 - risk management will be a considerable subject matter in your
00:40:09 - Project Plus. So I would highly recommend that you develop a
00:40:13 - solid understanding for the identification, the analysis, and
00:40:16 - the planning activities associated with risk management. This
00:40:22 - concludes our Nugget on Risk Management Planning. I hope this
00:40:25 - module has been informative for you, and thank you very much
00:40:28 - for viewing.

Quality Management Plan

Cost Management Plan

Procurement Management Plan

Transition and Project Management Plan

Human Resource Management

Project Governance

Project Tracking

Project Change Management

Project Risk Management

Project Quality Management

Project Delivery Management

Earned Value Management

Project Communication Management

Project Closure

Please help us improve by sharing your feedback on training courses and videos. For customer service questions, please contact our support team. The views expressed in comments reflect those of the author and not of CBT Nuggets. We reserve the right to remove comments that do not adhere to our community standards.

comments powered by Disqus

Course Features

Speed Control

Play videos at a faster or slower pace.


Pick up where you left off watching a video.


Jot down information to refer back to at a later time.

Closed Captions

Follow what the trainers are saying with ease.

Premium Features

Transcender® Practice Exams

These practice tests help you review your knowledge and prepare you for exams.

Offline Training

Our mobile apps offer the ability to download videos and train anytime, anywhere offline.

Accountability Coaching

Develop and maintain a study plan with assistance from coaches.
Steve Caseley

Steve Caseley

CBT Nuggets Trainer


Area Of Expertise:
Project Management, MS Project, Development Methodologies, Agile Development

Stay Connected

Get the latest updates on the subjects you choose.

  © 2015 CBT Nuggets. All rights reserved. Licensing Agreement | Billing Agreement | Privacy Policy | RSS