8 Resolve Risk

The mastery of risk is the foundation of modern life, from insurance to the stock market to engineering, science, and medicine. We cannot see the future, but by calculating probabilities, we can do the next best thing: make intelligent decisions and take control of our lives on the basis of scientific forecasts.

—Peter L. Bernstein

When you think of techniques for risk resolution, you might think of prototyping and simulation. Prototyping is a technique for reducing risk by buying information. Knowledge is gained through creating a physical model without adding the implementation details. Prototyping validates mental models and provides an effective means for communicating with the user community. Simulation is an analytic model of system behavior used to determine performance capabilities and limitations. Computer simulations help us evaluate large and complex systems that require numerous trade-offs. Prototyping and simulation are techniques under the class of risk resolution strategy that we defined as risk research. As we know from Chapter 6, there are several other strategies for risk resolution. The danger in describing specific approaches to risk resolution is that you might develop tunnel vision to the possibilities.

In this chapter, I discuss the process definition steps for resolving risk. I describe the risk resolution process, which defines the activities and methods to reduce risk to an acceptable level.

This chapter answers the following questions:

What are the activities of the risk resolution process?

How can you creatively resolve risk?

When is the level of risk acceptable?

8.1 Define the Risk Resolution Process

I define risk resolution success criteria in terms of the process goals, the results that we expect to achieve by using the process. We can view the risk resolution process from two perspectives: external and internal. The external view specifies the process controls, inputs, outputs, and mechanisms. The internal view specifies the process activities that transform inputs to outputs using the mechanisms.

8.1.1 Process Goals

The risk resolution process is sufficient when it satisfies these goals:

Assign responsibility and authority to the lowest possible level.

Follow a documented risk action plan.

Report results of risk resolution efforts.

Provide for risk aware decision making.

Determine the cost-effectiveness of risk management.

Is prepared to adapt to changing circumstances.

Take corrective actions when necessary.

Improve communication within the team.

Systematically control software risk.

These goals can be used as a checklist to ensure the process quality.

8.1.2 Process Definition

The risk resolution process definition is shown as an IDEF0 diagram in Figure 8.1. IDEF0 is a standard process definition notation used to describe a reusable process component for predictable risk resolution. The diagram describes the top-level process by its controls, inputs, outputs, and mechanisms [AirForce81].

Process Controls. Project resources, project requirements, and the risk management plan regulate the risk resolution process similar to the way they control the risk identification process (see Chapter 4).

Figure 8.1 Risk resolution process definition. Resolve Risk encapsulates the activities of the process that transform inputs to outputs. Controls (at the top) regulate the process. Inputs (on the left) enter the process. Outputs (on the right) exit the process. Mechanisms (at the bottom) support the process.

Process Inputs. The risk action plan is input to the risk resolution process. It contains the objectives, constraints, and strategy for risk resolution and documents the selected approach, resources required, and approval authority. The plan provides top-level guidance and allows for flexibility in achieving the objectives.

Process Outputs. Risk status, acceptable risk, reduced rework, corrective action, and problem prevention are output from the risk resolution process.

Risk status is the progress (or lack of it) made against a risk action plan. By reporting risk status, you report the results of implementing the plan.

Acceptable risk means you can live with the risk consequence, possibly the worst-case outcome. When you make sufficient progress in risk resolution, project status indicators will improve. Status indicators within acceptable ranges trigger the deactivation or suspension of risk resolution activity.

Rework is the cost of not doing something right the first time. By reducing rework, you do not have to do work over because you did it right the first time. You do not waste your time. Calculate reduced rework in terms of cost savings by doubling the cost of work, then adding an overhead factor.

Corrective action is an activity required to solve a problem. You assume that there is a known solution to a problem that can be found using corrective action. Use these procedures to find the solution that is generally acceptable to everyone. Then perform the activities to solve the problem.

Problem prevention occurs when you avoid problems, thereby eliminating their result: problem detection cost, rework cost, and opportunity cost. Because we define a problem as a risk occurrence, we must also consider the consequence of risk occurrence. Calculate problem prevention in terms of cost savings by summing the cost of detecting and fixing the problem, rework, opportunity cost, and consequence of risk occurrence.

Process Mechanisms. Mechanisms can be methods, techniques, tools, or other instruments that provide structure to the process activities. Risk resolution techniques and tools and a risk database are mechanisms of the risk resolution process.

Risk resolution techniques are ways to help with the details of risk resolution. (I describe basic techniques for creativity and collaboration in section 8.2.) Risk resolution tools use computers to automate techniques for risk resolution such as prototyping and simulation. The risk database contains the name of the responsible person and the results of risk resolution activities. The database also contains a completion date for significant results.

8.1.3 Process Activities

The activities of the risk resolution process are the tasks necessary to execute the risk action plan to reduce risk to an acceptable level:

1. Respond to notification of triggering event.

2. Execute the risk action plan.

3. Report progress against the plan.

4. Correct for deviation from the plan.

I discuss these process activities as sequential steps, but they can be iterative or parallel in execution.

Respond to Notification of Triggering Event. Triggers provide notification to appropriate personnel. An individual with authority must respond to the triggering event. This does not mean dropping other important work. Rather, triggers should provide a reasonable time for response and should not constitute a crisis situation. An appropriate response includes a review of the current reality and an updated determination of the time frame for action. The decision to set another trigger or to assign the risk action plan is made.

A responsible person must be identified if the risk action plan will be assigned. Even if the plan is assigned to a group, there should be a group leader with clear authority to proceed. Factors such as availability and skill level help to determine who should be responsible for executing the risk action plan. The individual who identified or analyzed the risk need not be the one responsible for resolving it. The idea that the person who finds it fixes it does not properly motivate risk identification, because (unlike corrective action) the fix is rarely easy. The risk action plan should be delegated to the lowest level possible, the most cost-effective approach in terms of labor rates. It also provides individuals the experience that they need to increase their ability to manage risk.

Execute the Risk Action Plan. You should follow a written risk action plan to resolve risk. If the plan is not documented, chances are there is a miscommunication already. Remember that a documented plan merely provides top-level guidance. To guide you through the details, I recommend using the engineering model of requirements, design, implement, and test.¹ The phases may be very short in duration (e.g., one hour for requirements definition, one hour for design, four hours for implementation, and two hours for testing). The main idea is that you understand what it is that you are supposed to do: create a mental model prior to developing a physical model and then check the results.

¹ As an engineer, I am comfortable with the iterative steps of the engineering model and find that it is a useful paradigm—even in writing this book.

You are responsible for mapping the objectives of the risk action plan to specific actions that you will take to reduce uncertainty and increase control. For example, the action matrix shown in Figure 8.2 supports a decision to add a new feature to an existing product. It maps actions to planned objectives to ensure complete coverage. If an objective is not completely satisfied, another action should be added to the matrix. There are many actions that could be taken to meet planned objectives. The key is to list the actions that are requisite to making a decision, and no more.

Any two individuals assigned to execute a risk action plan will likely list different actions for risk resolution. Nevertheless, there are a few principles to follow that will serve you as you resolve any risk:

Think about working smarter. When you find yourself saying, “I am too busy,” you are working hard. The question is, “Are you working as smart as you could be?” What would help you to become more efficient in your work? Think about it.

Challenge yourself to find a better way. Sometimes we get complacent and think that we are already doing enough. Pretend that your competition has found a better, faster, or cheaper way. How will you respond to this challenge? What could you do?

Figure 8.2 Action matrix. A decision on adding a new product feature to an existing product has several unknowns. The action matrix maps the objectives as stated in the risk action plan to risk resolution actions.

Exploit opportunities. Take advantage of opportunities (but not of other people). Opportunities exist in the middle of difficulty and uncertainty. I have often found that when difficulty and uncertainty are gone, so are opportunities. Know when you have sufficient certainty to make a risk aware decision.

Be prepared to adapt. Circumstances change. Be prepared to adapt to them. Take notice of your outcomes. If your results are not what you expected, determine why not. Try again, using a different approach.

Use common sense. Let your common sense prevail in reasoning about difficult issues. Sometimes compromise and concession are the only way to reach a settlement. Many little steps add up to giant strides forward.

Report Progress Against the Plan. You must report the results of risk resolution efforts. Determine and communicate progress made against the plan. Report risk status on a regular basis to improve communication within the team. Simply reporting risk status is not sufficient to manage risk. The team must review risk status, measures, and metrics regularly to provide for risk aware decision making.

Correct for Deviation from the Plan. There are times when your results are not satisfactory and you must use another approach. You should take corrective actions when necessary. Determine the action required by using the corrective action procedure described in section 8.4.

8.2 Define Risk Resolution Techniques

Rather than describing techniques to deal with specific risks, it is more important to understand the two fundamental components of risk resolution: creativity and collaboration. You will repeatedly use these two fundamental components to resolve risk.

8.2.1 Creativity

Creativity is inventiveness in originating ideas [Miller87]. Implementing the risk action plan may require generating new and innovative ideas. We can use techniques for innovation to resolve risk creatively. The creative process—how we generate new ideas—is based on our preferences for thinking of new ideas. An innovation style is an approach to the creative process. Each of us has a unique innovation style profile that determines how we like to create. We can learn techniques to apply innovation styles to generate new ideas. Whether we want to improve on an existing product, think of a new feature, or develop a completely new process, there are four innovation styles that help us to use the creative process methodically:

Envisioning. This style focuses on the end result. You can imagine an ideal outcome, and then let your goals guide you to realize your dream. Envisioning provides teams with direction, inspiration, and momentum. An example of the envisioning style is John F. Kennedy’s vision of putting a man on the moon and returning him safely to earth.

Experimenting. This style uses the scientific method of trial and error: following a known process to obtain repeatable and practical results. Experimenting emphasizes fact finding and information gathering, and then tests new combinations of ideas. An example of the experimenting style to help a major aerospace company find qualified software engineers is shown in Figure 8.3.

Exploring. This style adds a sense of adventure by its unpredictable nature. You use analogies and metaphors to generate new ideas. Exploring provides a team with the potential for dramatic breakthroughs by approaching problems from new angles. An example of the exploring style is General Electric’s application of defense technology to the automobile industry [Schine96].

Figure 8.3 Experimenting innovation style. The experimenting innovation style generates and tests different combinations of ideas for advertising and hiring software engineers.

Modifying. This style moves forward one step at a time, building on what is true and proved by applying known methods and using experience. Modifying provides a team with stability and incremental improvements. An example of the modifying style is the SEI Capability Maturity Model.

When we use all four innovation styles, we identify a complete set of options.

8.2.2 Collaboration

In his book Shared Minds, Michael Schrage says collaboration is “two or more individuals with complementary skills, interacting to create a shared understanding that none had previously possessed or could have come to on their own” [Schrage90]. There are barriers to collaboration, as Edward Hall describes in his book Beyond Culture: “There is positive reinforcement for not collaborating. Where talent is centered on making a personal reputation, collaboration will get the back of the hand” [Hall76].

Risks are rarely resolved in isolation. More often, it is the lack of understanding among people that causes risk. One of the best ways to reduce uncertainty, gain knowledge, and increase chances for success is through other people. “Two heads are better than one” is the old adage for involving other people to help you reduce risk. Team collaboration, dialogue in working with others on your team, is essential in risk resolution. Successful collaboration is based on your ability to communicate. As you work with others, there are three problems that are possible in communication:

Sending the wrong message. You can send the wrong message when written communication is ambiguous and when spoken communication is vague. Team communication is best when you check to verify the interpretation of the reader or listener.

Receiving the wrong message. When you read between the lines or do not listen to body language, you can receive the wrong message. Team communication can be improved if you repeat back what you thought you heard. The time spent clarifying written documents and verbal questions will be small compared to the rework they might have otherwise caused.

A break in the communication link. When you leave a voice-mail message, you cannot be sure that the other party received it. Team communication should ensure that what one group sent, the other received and understood.

8.3 Define Risk Management Return on Investment

Risk management ROI is the savings for all managed risks divided by the total cost of risk management activities, which is expressed in the following equation:

Cost of risk management is the total investment in resources—time spent in risk management meetings, the cost of reporting risk information, and the staff to develop a risk action plan—for risk assessment and risk control. Savings is the return for each managed risk. There are two types of savings: avoidance and reduction.

Cost avoidance is the difference between possible cost without risk resolution and the actual cost with risk resolution. An example of cost avoidance is any resolution strategy that successfully contains cost growth to maintain the budget. Table 8.1 describes the calculation for cost avoidance, which depends on four possible risk outcomes.

Cost reduction is the difference between planned and actual costs. Through cost reduction, it is possible to underrun the budget. Risk management practices can also lead to opportunities for a project to do better than the baseline plan. Unless an alternate course of action is taken, planned resources will be used. When the alternate course of action was the result of risk management activities, savings are captured as a reduction in cost.

Table 8.1 Cost Avoidance Calculation

Note: RE_t: the interim expectation of risk exposure. Ct : the interim expectation of risk consequence. C_{t = 0}: the initial expectation of risk consequence. C_{t = 1}: the measured actual risk consequence.

8.4 Develop a Corrective Action Procedure

A corrective action procedure helps to correct for variations in the process or the product. For example, the risk management process may require corrective action in terms of process improvement. The risk action plan is an intermediate product that may require corrective action in terms of modifying an approach that has not produced satisfactory results.

The corrective action procedure has four steps:

1.Identify the problem. Find the problem in the process or the product. The product can be an intermediate work product, such as the risk action plan.

2.Assess the problem. Perform an analysis to understand and evaluate the documented problem.

3.Plan action. Approve a plan for action to solve the problem.

4.Monitor progress. Track progress until the problem is solved. Record lessons learned for future reference.

8.5 Summary

In this chapter, I described the process definition steps for resolving risk:

1. Define the risk resolution process.

2. Define risk resolution techniques.

3. Define risk management return on investment.

4. Develop a corrective action procedure.

I described the risk resolution process, which defines the activities and methods to reduce risk to an acceptable level. The activities of the risk resolution process are as follows:

1. Respond to notification of triggering event.

2. Execute the risk action plan.

3. Report progress against the plan.

4. Correct for deviation from the plan.

I described four innovation styles for creatively resolving risk:

Envisioning.

Experimenting.

Exploring.

Modifying.

I described when the level of risk is acceptable. When there is sufficient progress in risk resolution, project status indicators will improve. Status indicators within acceptable ranges trigger the deactivation or suspension of risk resolution activity. You make a risk-aware decision to live with the risk consequence.

8.6 Questions for Discussion

1. Describe the risk resolution process goals. Why is each goal important? Define quantitative success criteria for each goal.

2. Your requirements specification contains 100 requirements. The design phase began even though 20 percent of the requirements had TBDs (to be determined shall statements). The best-case outcome is that all your assumptions will be correct. Your training in risk management leads you to believe that about half of the TBDs are at risk. Calculate the cost of rework based on the assumption that half of the TBDs are at risk. What is the most likely outcome?

3. You identified an external system interface risk at a design review, and a technical interchange meeting was scheduled to resolve it. Ten people met for two hours before deciding on an agreeable resolution. Calculate the cost savings for preventing this problem, assuming that it would have been detected during system integration.

4. What is the rationale for assigning a risk action plan to the lowest possible level? What do you think would happen if the project manager was personally responsible for all the risks and their resolution?

5. What are the two fundamental components of risk resolution? Why are they fundamental?

6. List five difficulties and five uncertainties that you have in your current assignment. Describe an opportunity that exists in each difficulty and uncertainty that you face. How could you exploit these opportunities?

7. Reporting risk status on a regular basis improves communication within the team. What are the problems that are possible in communication among team members?

8. What is your plan to sustain the risk management process once it is in place? Quantify the resources your plan will require. What mechanisms will provide a check and balance to perpetuate an effective process?

9. How do you generate new ideas? What are the advantages of using the creative process to generate new ideas?

10. Do you agree that the mastery of risk is the foundation of modern life? Discuss why you do or do not agree.

8.7 References

[AirForce81] Integrated Computer Aided Manufacturing Architecture, Part II, Vol. IV: Function Modeling Manual (IDEF0). AFWAL-TR-81-4023. Wright-Patterson Air Force Base, OH: Air Force Systems Command, June 1981.

[Bernstein96] Bernstein P. Against the Gods: The Remarkable Story of Risk. New York: Wiley, 1996.

[Hall76] Hall Edward. Beyond Culture. New York: Doubleday, 1976.

[Miller87] Miller W. The Creative Edge. Reading, MA: Addison-Wesley, 1987.

[Schine96] Schine E., et al. Liftoff: Michael Armstrong has made Hughes an electronics and telecom contender. Business Week, April 22:136–147, 1996.

[Schrage90] Schrage M. Shared Minds. New York: Random House, 1990.