Project Risk Management

: "If a project has no risks, don't do it." - WaltzingWithBears by TomDeMarco and TimothyLister

RiskManagement is balancing the amount of risk we want to take with the amount of risk our project exposes us to.

Our RiskExposure varies over the length of a project. RiskManagement therefore must be a continuous iterative process even if our project lifecycle is not.

A RiskManagementCycle?:

(re)discover the risks that might impact the project
break new risks into resolvable components - RiskTree
estimate the probability and lifetime of each new risk
create a ContingencyPlan for each new problem
cost any mitigation required by the ContingencyPlan
decide on a strategy for each risk
add RiskMitigation tasks and a RiskReserve to the schedule
as risks materialise, start their ContingencyPlans
remove risks once they have materialised or expired
at regular intervals return to the discovery phase

The FiveCoreRisks of software projects should number among our identified risks. They are:

inherent schedule flaw
FeatureCreep
employee turnover
ambiguous specification
poor productivity

For more on RiskManagement strategies see:

A common risk is lack of skills. For example, when developers who have written nothing but Visual Basic are expected to crank out production Java code. In this situation:

RiskAvoidance: write in Visual Basic
RiskReduction: hire an expert to lead the team
RiskMitigation: train your programmers in Java
RiskTransfer: liquidated damages; insurance
RiskAcceptance: add slack to the schedule for learning and mistakes[1]
RiskEvasion: hope they work it out

RiskDiscovery? is feedback. If we don't act on it, we have wasted our time collecting it. HandWaving is a common RiskEvasion tactic. However, RiskManagement takes time and resources like any other part of ProjectManagement. Once we have our RiskExposure for each risk, we can sort our risks and manage only the TopTenRisks.

[1] acceptance means accepting a portion of the impact equal to the probability and padding the cost/schedule accordingly; this is in contrast to evasion, where we trust to luck that the impact will not occur.

Contributors: LaurentBossavit, PaulSinnett, and others

Resources

EnterpriseRiskManagement? framework summary 2004 http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf

See AnatomyOfRisk, AtsRiskManagement, ExtremeRiskManagement