Risk Management: A Project and Work Management Process Area at Maturity Level 3

Purpose

The purpose of Risk Management (RSKM) is to identify potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or work to mitigate adverse impacts on achieving objectives.



Introductory Notes

Risk management is a continuous, forward-looking process that is an important part of work management. Risk management should address issues that could endanger achievement of critical objectives. A continuous risk management approach effectively anticipates and mitigates risks that can have a critical impact on work activities.



Effective risk management includes early and aggressive risk identification through collaboration and the involvement of relevant stakeholders as described in the stakeholder involvement plan addressed in the Work Planning process area. Strong leadership among all relevant stakeholders is needed to establish an environment for free and open disclosure and discussion of risk.

Risk management should consider both internal and external, as well as both technical and non-technical, sources of cost, schedule, performance, and other risks. Early and aggressive detection of risk is important because it is typically easier, less costly, and less disruptive to make changes and correct work efforts during the earlier, rather than the later, phases of the work lifecycle.

For example, decisions related to service system architecture are often made early before their impacts can be fully understood, and thus the risk implications of such choices should be carefully considered.

Industry standards can help when determining how to prevent or mitigate specific risks commonly found in a particular industry. Certain risks can be proactively managed or mitigated by reviewing industry best practices and lessons learned.

Risk management can be divided into the following parts:

• Defining a risk management strategy

• Identifying and analyzing risks

• Handling identified risks, including the implementation of risk mitigation plans as needed

As represented in the Work Planning and Work Monitoring and Control process areas, organizations initially may focus on risk identification for awareness and react to the realization of these risks as they occur. The Risk Management process area describes an evolution of these specific practices to systematically plan, anticipate, and mitigate risks to proactively minimize their impact on the work.

Although the primary emphasis of the Risk Management process area is on the work or work group, these concepts can also be applied to manage organizational risks.

Related Process Areas

Refer to the Service Continuity process area for more information about establishing and maintaining plans to ensure continuity of services during and following any significant disruption of normal operations.

Refer to the Decision Analysis and Resolution process area for more information about analyzing possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.

Refer to the Work Monitoring and Control process area for more information about monitoring risks.

Refer to the Work Planning process area for more information about identifying risks and planning stakeholder involvement.



Specific Practices by Goal

SG 1 Prepare for Risk Management

Preparation for risk management is conducted.

Prepare for risk management by establishing and maintaining a strategy for identifying, analyzing, and mitigating risks. Typically, this strategy is documented in a risk management plan. The risk management strategy addresses specific actions and the management approach used to apply and control the risk management program. The strategy typically includes identifying sources of risk, the scheme used to categorize risks, and parameters used to evaluate, bound, and control risks for effective handling.

SP 1.1 Determine Risk Sources and Categories

Determine risk sources and categories.

Identifying risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that affect the ability of the work group to meet its objectives. Risk sources are both internal and external to the work. As the work progresses, additional sources of risk can be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and management attention to risks that can have serious consequences on meeting work objectives.

Example Work Products

1. Risk source lists (external and internal)

2. Risk categories list

Subpractices

1. Determine risk sources.

Risk sources are fundamental drivers that cause risks in work activities or organization. There are many sources of risks, both internal and external to a work group. Risk sources identify where risks can originate.



Many of these sources of risk are accepted without adequately planning for them. Early identification of both internal and external sources of risk can lead to early identification of risks. Risk mitigation plans can then be implemented early in the work to preclude occurrence of risks or reduce consequences of their occurrence.

2. Determine risk categories.

Risk categories are “bins” used for collecting and organizing risks. Identifying risk categories aids the future consolidation of activities in risk mitigation plans.



A risk taxonomy can be used to provide a framework for determining risk sources and categories.

SP 1.2 Define Risk Parameters

Define parameters used to analyze and categorize risks and to control the risk management effort.

Parameters for evaluating, categorizing, and prioritizing risks include the following:

• Risk likelihood (i.e., probability of risk occurrence)

• Risk consequence (i.e., impact and severity of risk occurrence)

• Thresholds to trigger management activities

Risk parameters are used to provide common and consistent criteria for comparing risks to be managed. Without these parameters, it is difficult to gauge the severity of an unwanted change caused by a risk and to prioritize the actions required for risk mitigation planning.

Work groups should document the parameters used to analyze and categorize risks so that they are available for reference throughout the work because circumstances change over time. Using these parameters, risks can easily be re-categorized and analyzed when changes occur.

The work group can use techniques such as failure mode and effects analysis (FMEA) to examine risks of potential failures in the service system or in selected service delivery processes. Such techniques can help to provide discipline in working with risk parameters.

Example Work Products

1. Risk evaluation, categorization, and prioritization criteria

2. Risk management requirements (e.g., control and approval levels, reassessment intervals)

Subpractices

1. Define consistent criteria for evaluating and quantifying risk likelihood and severity levels.

Consistently used criteria (e.g., bounds on likelihood, severity levels) allow impacts of different risks to be commonly understood, to receive the appropriate level of scrutiny, and to obtain the management attention warranted. In managing dissimilar risks (e.g., staff safety versus environmental pollution), it is important to ensure consistency in the end result. (For example, a high-impact risk of environmental pollution is as important as a high-impact risk to staff safety.) One way of providing a common basis for comparing dissimilar risks is assigning dollar values to risks (e.g., through a process of risk monetization).

2. Define thresholds for each risk category.

For each risk category, thresholds can be established to determine acceptability or unacceptability of risks, prioritization of risks, or triggers for management action.



3. Define bounds on the extent to which thresholds are applied against or within a category.

There are few limits to which risks can be assessed in either a quantitative or qualitative fashion. Definition of bounds (or boundary conditions) can be used to help define the extent of the risk management effort and avoid excessive resource expenditures. Bounds can include the exclusion of a risk source from a category. These bounds can also exclude conditions that occur below a given frequency.

SP 1.3 Establish a Risk Management Strategy

Establish and maintain the strategy to be used for risk management.

A comprehensive risk management strategy addresses items such as the following:

• The scope of the risk management effort

• Methods and tools to be used for risk identification, risk analysis, risk mitigation, risk monitoring, and communication

• Work-specific sources of risks

• How risks are to be organized, categorized, compared, and consolidated

• Parameters used for taking action on identified risks, including likelihood, consequence, and thresholds

• Risk mitigation techniques to be used, such as prototyping, piloting, simulation, alternative designs, or evolutionary development

• The definition of risk measures used to monitor the status of risks

• Time intervals for risk monitoring or reassessment

The risk management strategy should be guided by a common vision of success that describes desired future work outcomes in terms of the product delivered, its cost, and its fitness for the task. The risk management strategy is often documented in a risk management plan for the organization or work group. This strategy is reviewed with relevant stakeholders to promote commitment and understanding.

A risk management strategy should be developed early in the work lifecycle, so that relevant risks are identified and managed proactively. Early identification and assessment of critical risks allows the work group to formulate risk handling approaches and adjust work definition and allocation of resources based on critical risks.

Example Work Products

1. Risk management strategy

SG 2 Identify and Analyze Risks

Risks are identified and analyzed to determine their relative importance.

The degree of risk affects the resources assigned to handle the risk and the timing of when appropriate management attention is required.

Risk analysis entails identifying risks from identified internal and external sources and evaluating each identified risk to determine its likelihood and consequences. Risk categorization, based on an evaluation against established risk categories and criteria developed for the risk management strategy, provides information needed for risk handling. Related risks can be grouped to enable efficient handling and effective use of risk management resources.

SP 2.1 Identify Risks

Identify and document risks.

Identifying potential issues, hazards, threats, and vulnerabilities that could negatively affect work efforts or plans is the basis for sound and successful risk management. Risks should be identified and described understandably before they can be analyzed and managed properly. Risks are documented in a concise statement that includes the context, conditions, and consequences of risk occurrence.

Risk identification should be an organized, thorough approach to seek out probable or realistic risks in achieving objectives. To be effective, risk identification should not attempt to address every possible event. Using categories and parameters developed in the risk management strategy and identified sources of risk can provide the discipline and streamlining appropriate for risk identification. Identified risks form a baseline for initiating risk management activities. Risks should be reviewed periodically to reexamine possible sources of risk and changing conditions to uncover sources and risks previously overlooked or nonexistent when the risk management strategy was last updated.

Risk identification focuses on the identification of risks, not the placement of blame. The results of risk identification activities should never be used by management to evaluate the performance of individuals.



Example Work Products

1. List of identified risks, including the context, conditions, and consequences of risk occurrence

Subpractices

1. Identify the risks associated with cost, schedule, and performance.

Risks associated with cost, schedule, performance, and other business objectives should be examined to understand their effect on work objectives. Risk candidates can be discovered that are outside the scope of work objectives but vital to customer interests. For example, risks in development costs, product acquisition costs, cost of spare (or replacement) products, and product disposition (or disposal) costs have design implications.

The customer may not have considered the full cost of supporting a fielded product or using a delivered service. The customer should be informed of such risks, but actively managing those risks may not be necessary. Mechanisms for making such decisions should be examined at work activity and organization levels and put in place if deemed appropriate, especially for risks that affect the work group’s ability to verify and validate the product.

In addition to the cost risks identified above, other cost risks can include the ones associated with funding levels, funding estimates, and distributed budgets.

Risks associated with service agreements, such as supplier dependencies, customer processes, and unrealistic service levels, also should be considered.

Schedule risks can include risks associated with planned activities, key events, and milestones.



Performance maintenance attributes are those characteristics that enable an in-use product or service to provide required performance, such as maintaining safety and security performance.

There are risks that do not fall into cost, schedule, or performance categories, but can be associated with other aspects of the organization’s operation.



2. Review environmental elements that can affect the work.

Risks to the work that frequently are missed include risks supposedly outside the scope of the work group (i.e., the work group does not control whether they occur but can mitigate their impact). These risks can include weather or natural disasters, political changes, and telecommunications failures.

3. Review all elements of the work breakdown structure as part of identifying risks to help ensure that all aspects of the work effort have been considered.

4. Review all elements of the work plan as part of identifying risks to help ensure that all aspects of the work have been considered.

Refer to the Work Planning process area for more information about identifying risks.

5. Document the context, conditions, and potential consequences of each risk.

Risk statements are typically documented in a standard format that contains the risk context, conditions, and consequences of occurrence. The risk context provides additional information about the risk such as the relative time frame of the risk, the circumstances or conditions surrounding the risk that has brought about the concern, and any doubt or uncertainty.

6. Identify the relevant stakeholders associated with each risk.

SP 2.2 Evaluate, Categorize, and Prioritize Risks

Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority.

The evaluation of risks is needed to assign a relative importance to each identified risk and is used in determining when appropriate management attention is required. Often it is useful to aggregate risks based on their interrelationships and develop options at an aggregate level. When an aggregate risk is formed by a roll-up of lower level risks, care should be taken to ensure that important lower level risks are not ignored.

Collectively, the activities of risk evaluation, categorization, and prioritization are sometimes called a “risk assessment” or “risk analysis.”

Example Work Products

1. List of risks and their assigned priority

Subpractices

1. Evaluate identified risks using defined risk parameters.

Each risk is evaluated and assigned values according to defined risk parameters, which can include likelihood, consequence (i.e., severity, impact), and thresholds. The assigned risk parameter values can be integrated to produce additional measures, such as risk exposure (i.e., the combination of likelihood and consequence), which can be used to prioritize risks for handling.

Often, a scale with three to five values is used to evaluate both likelihood and consequence.



Probability values are frequently used to quantify likelihood. Consequences are generally related to cost, schedule, environmental impact, or human measures (e.g., labor hours lost, severity of injury).

Risk evaluation is often a difficult and time-consuming task. Specific expertise or group techniques may be needed to assess risks and gain confidence in the prioritization. In addition, priorities can require reevaluation as time progresses. To provide a basis for comparing the impact of the realization of identified risks, consequences of the risks can be monetized.

2. Categorize and group risks according to defined risk categories.

Risks are categorized into defined risk categories, providing a means to review them according to their source, taxonomy, or component. Related or equivalent risks can be grouped for efficient handling. The cause-and-effect relationships between related risks are documented.

3. Prioritize risks for mitigation.

A relative priority is determined for each risk based on assigned risk parameters. Clear criteria should be used to determine risk priority. Risk prioritization helps to determine the most effective areas to which resources for risk mitigation can be applied with the greatest positive impact on the work.

SG 3 Mitigate Risks

Risks are handled and mitigated as appropriate to reduce adverse impacts on achieving objectives.

The steps in handling risks include developing risk handling options, monitoring risks, and performing risk handling activities when defined thresholds are exceeded. Risk mitigation plans are developed and implemented for selected risks to proactively reduce the potential impact of risk occurrence. Risk mitigation planning can also include contingency plans to deal with the impact of selected risks that can occur despite attempts to mitigate them. Risk parameters used to trigger risk handling activities are defined by the risk management strategy.

SP 3.1 Develop Risk Mitigation Plans

Develop a risk mitigation plan in accordance with the risk management strategy.

A critical component of risk mitigation planning is developing alternative courses of action, workarounds, and fallback positions, and a recommended course of action for each critical risk. The risk mitigation plan for a given risk includes techniques and methods used to avoid, reduce, and control the probability of risk occurrence; the extent of damage incurred should the risk occur (sometimes called a “contingency plan”); or both. Risks are monitored and when they exceed established thresholds, risk mitigation plans are deployed to return the affected effort to an acceptable risk level. If the risk cannot be mitigated, a contingency plan can be invoked. Both risk mitigation and contingency plans often are generated only for selected risks for which consequences of the risks are high or unacceptable. Other risks may be accepted and simply monitored.



Often, especially for high-impact risks, more than one approach to handling a risk should be generated.



In many cases, risks are accepted or watched. Risk acceptance is usually done when the risk is judged too low for formal mitigation or when there appears to be no viable way to reduce the risk. If a risk is accepted, the rationale for this decision should be documented. Risks are watched when there is an objectively defined, verifiable, and documented threshold (e.g., for cost, schedule, performance, risk exposure) that will trigger risk mitigation planning or invoke a contingency plan.

Refer to the Decision Analysis and Resolution process area for more information about evaluating alternatives and selecting solutions.

Adequate consideration should be given early to technology demonstrations, models, simulations, pilots, and prototypes as part of risk mitigation planning.

Example Work Products

1. Documented handling options for each identified risk

2. Risk mitigation plans

3. Contingency plans

4. List of those who are responsible for tracking and addressing each risk

Subpractices

1. Determine the levels and thresholds that define when a risk becomes unacceptable and triggers the execution of a risk mitigation plan or contingency plan.

Risk level (derived using a risk model) is a measure combining the uncertainty of reaching an objective with the consequences of failing to reach the objective.

Risk levels and thresholds that bound planned or acceptable cost, schedule, or performance should be clearly understood and defined to provide a means with which risk can be understood. Proper categorization of risk is essential for ensuring an appropriate priority based on severity and the associated management response. There can be multiple thresholds employed to initiate varying levels of management response. Typically, thresholds for the execution of risk mitigation plans are set to engage before the execution of contingency plans.

2. Identify the person or group responsible for addressing each risk.

3. Determine the costs and benefits of implementing the risk mitigation plan for each risk.

Risk mitigation activities should be examined for benefits they provide versus resources they will expend. Just like any other design activity, alternative plans may need to be developed and costs and benefits of each alternative assessed. The most appropriate plan is selected for implementation.

4. Develop an overall risk mitigation plan for the work to orchestrate the implementation of individual risk mitigation and contingency plans.

The complete set of risk mitigation plans may not be affordable. A tradeoff analysis should be performed to prioritize risk mitigation plans for implementation.

5. Develop contingency plans for selected critical risks in the event their impacts are realized.

Risk mitigation plans are developed and implemented as needed to proactively reduce risks before they become problems. Despite best efforts, some risks can be unavoidable and will become problems that affect the work. Contingency plans can be developed for critical risks to describe actions a work group can take to deal with the occurrence of this impact. The intent is to define a proactive plan for handling the risk. Either the risk is reduced (mitigation) or addressed (contingency). In either event, the risk is managed.

Some risk management literature may consider contingency plans a synonym or subset of risk mitigation plans. These plans also can be addressed together as risk handling or risk action plans.
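The following is an added worked example, not part of the CMMI text, showing in Python how the parameters of SP 2.2 (likelihood, consequence, risk exposure, categorization, prioritization) and the thresholds of SP 3.1 subpractice 1 (mitigation and contingency triggers, with the mitigation threshold engaging first) can be applied to a small risk register. The 1..5 ordinal scale, the use of the product as the exposure measure, the category names, the threshold values and the four risk statements are all constructed assumptions chosen for illustration; a real work group would take them from its own risk management strategy.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal 1..5 scale for both parameters (the text notes three to five values
# is typical). Constructed assumption: 1 = rare/negligible, 5 = almost
# certain/severe.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    statement: str    # context, conditions and consequences in one sentence (SP 2.1.5)
    category: str     # "bin" from the risk taxonomy (SP 1.1)
    likelihood: int   # probability of occurrence, on SCALE
    consequence: int  # impact/severity of occurrence, on SCALE

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"{self.risk_id}: parameters must be on the 1..5 scale")


def exposure(risk: Risk) -> int:
    """Risk exposure: the combination of likelihood and consequence.
    Assumption: combined as a product, giving a 1..25 range."""
    return risk.likelihood * risk.consequence


# Per-category thresholds (SP 1.2 subpractice 2). "mitigate" triggers the risk
# mitigation plan, "contingency" the contingency plan. Values are constructed;
# the security category is deliberately stricter than the default.
THRESHOLDS: Dict[str, Dict[str, int]] = {
    "security": {"mitigate": 6, "contingency": 15},
    "schedule": {"mitigate": 10, "contingency": 20},
    "default": {"mitigate": 12, "contingency": 20},
}


def handling_action(risk: Risk, thresholds: Dict[str, Dict[str, int]] = THRESHOLDS) -> str:
    """Map exposure onto the threshold ladder: watch < mitigate < contingency."""
    t = thresholds.get(risk.category, thresholds["default"])
    if t["mitigate"] > t["contingency"]:
        # The text expects mitigation thresholds to engage before contingency ones.
        raise ValueError(f"{risk.category}: mitigate threshold above contingency threshold")
    e = exposure(risk)
    if e >= t["contingency"]:
        return "contingency"
    if e >= t["mitigate"]:
        return "mitigate"
    return "watch"  # accepted and monitored against its threshold


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest exposure first; ties broken by consequence, then by id so the
    ordering is deterministic (the clear criteria SP 2.2 subpractice 3 asks for)."""
    return sorted(risks, key=lambda r: (-exposure(r), -r.consequence, r.risk_id))


def group_by_category(risks: List[Risk]) -> Dict[str, List[Risk]]:
    """Categorize risks into their bins (SP 2.2 subpractice 2), each bin prioritized."""
    groups: Dict[str, List[Risk]] = {}
    for r in risks:
        groups.setdefault(r.category, []).append(r)
    return {c: prioritize(rs) for c, rs in groups.items()}


def aggregate_exposure(risks: List[Risk]) -> int:
    """Roll-up for an aggregate risk. Using max rather than mean ensures an
    important lower-level risk is not hidden by quieter siblings (SP 2.2)."""
    return max(exposure(r) for r in risks)


# Constructed register: four illustrative risk statements, not real findings.
REGISTER: List[Risk] = [
    Risk("R1", "Service depends on an unsupported TLS library; a published flaw "
               "could expose customer data before a patch is available.", "security", 3, 5),
    Risk("R2", "Key supplier delivery slips past the integration milestone, "
               "delaying acceptance testing.", "schedule", 4, 3),
    Risk("R3", "Regional telecommunications failure interrupts service delivery "
               "beyond the agreed service level.", "environment", 2, 4),
    Risk("R4", "Incident-response knowledge rests with one person; staff turnover "
               "would leave no one able to run the response plan.", "security", 2, 4),
]


def report(risks: List[Risk]) -> List[tuple]:
    """(id, category, exposure, action) for each risk in priority order."""
    return [(r.risk_id, r.category, exposure(r), handling_action(r)) for r in prioritize(risks)]


if __name__ == "__main__":
    for row in report(REGISTER):
        print("%s  %-12s exposure=%2d  action=%s" % row)
    for cat, rs in group_by_category(REGISTER).items():
        print(f"{cat}: aggregate exposure {aggregate_exposure(rs)} over {len(rs)} risk(s)")
```

With these assumed thresholds R1 (exposure 15) reaches the security contingency trigger, R2 (12) triggers a schedule mitigation plan, R4 (8) triggers a security mitigation plan because that category is stricter, and R3 (8) stays under the default threshold and is only watched. The security roll-up reports 15, whereas averaging the two security risks would have reported 11.5 and masked R1.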

SP 3.2 Implement Risk Mitigation Plans

Monitor the status of each risk periodically and implement the risk mitigation plan as appropriate.

To effectively control and manage risks during the work effort, follow a proactive program to regularly monitor risks and the status and results of risk handling actions. The risk management strategy defines the intervals at which risk status should be revisited. This activity can result in the discovery of new risks or new risk handling options that can require replanning and reassessment. In either event, acceptability thresholds associated with the risk should be compared to the risk status to determine the need for implementing a risk mitigation plan.

Example Work Products

1. Updated lists of risk status

2. Updated assessments of risk likelihood, consequence, and thresholds

3. Updated list of risk handling options

4. Updated list of actions taken to handle risks

5. Risk mitigation plans of risk handling options

Subpractices

1. Monitor risk status.

After a risk mitigation plan is initiated, the risk is still monitored. Thresholds are assessed to check for the potential execution of a contingency plan.

A mechanism for monitoring should be employed.

2. Provide a method for tracking open risk handling action items to closure.

Refer to the Work Monitoring and Control process area for more information about managing corrective action to closure.

3. Invoke selected risk handling options when monitored risks exceed defined thresholds.

Often, risk handling is only performed for risks judged to be high and medium. The risk handling strategy for a given risk can include techniques and methods to avoid, reduce, and control the likelihood of the risk or the extent of damage incurred should the risk occur, or both. In this context, risk handling includes both risk mitigation plans and contingency plans.

Risk handling techniques are developed to avoid, reduce, and control adverse impact to work objectives and to bring about acceptable outcomes in light of probable impacts. Actions generated to handle a risk require proper resource loading and scheduling in plans and baseline schedules. This replanning should closely consider the effects on adjacent or dependent work initiatives or activities.

4. Establish a schedule or period of performance for each risk handling activity that includes a start date and anticipated completion date.

5. Provide a continued commitment of resources for each plan to allow the successful execution of risk handling activities.

6. Collect performance measures on risk handling activities.
