Risk identification and analysis is necessary, but it is meaningless without following through by implementing risk responses. There are several ways you can respond to risks, ranging from avoiding them altogether to accepting them. For risks that you accept, you may choose to have a contingency plan or use contingency reserve.
In this chapter you will learn about five categories of risk responses that can be used for threats on predictive and adaptive projects. You will see how you can adjust a backlog to accommodate risk responses. We will also demonstrate different techniques for estimating the necessary contingency reserve to conduct risk activities and fund risks that you decide to accept.
There are some risks where you know right away how you should respond. Others require a bit more thought to determine the best response. In this chapter we will explore five categories of risk responses:
You can employ multiple responses to a risk event if you feel it is necessary. Threats and opportunities have similar responses; however, we will focus on responses for threats, with only a brief explanation of the complementary opportunity responses.
When avoiding a risk, you're taking actions that eliminate the threat. Here are some options for avoiding threats.
For all risk responses, but especially when avoiding risks, we sometimes introduce a new risk based on the response. This is called a secondary risk. Secondary risks must be entered into the risk register, analyzed and responded to like any other risk. The complement to avoiding a threat is exploiting an opportunity. Exploiting means taking actions to ensure you capture the opportunity.
Mitigating a risk means finding ways to reduce the probability of an event occurring and/or the impact if it does occur. Options for mitigating threats include:
The complement of mitigating a threat is enhancing an opportunity. Enhancing entails taking steps to increase either the size of the opportunity or the likelihood of obtaining it.
Transferring risk usually equates to spending money to shift the risk management to another party. The two most common means of transference are insurance and contracts.
Risk transference is another example where secondary risks associated with vendors can occur.
The complement of transferring a threat is sharing an opportunity. Sometimes by partnering with another party you can increase the likelihood of capturing an opportunity.
Escalation is used when the risk event is outside the scope of the project, or when you don't have the authority to implement the response. Examples of when escalation is an appropriate response include:
Threats are usually escalated to the sponsor, PMO, program manager, or product owner. Risk escalation is the same regardless of whether you are responding to a threat or an opportunity.
Risk acceptance can be passive or active. With passive acceptance if the event occurs, you deal with it in the moment. A common acceptance strategy is to have reserve time in the schedule or reserve funds in the budget to absorb overruns for unknown events.
You can also take a more active approach to acceptance, such as developing a contingency plan to implement in the event the risk materializes. When you have a contingency plan, it is useful to identify a risk trigger that lets you know that the risk is imminent.
In some cases, you may want to develop a fallback plan in case other risk responses are not effective. For example, if you are upgrading a system and it is causing a lot of problems, you can fall back on the old system.
Passive and active acceptance operate the same for both threats and opportunities.
Once you have identified risk responses, you should reanalyze your risks. You would expect to see the risk score drop based on your responses. Table 16‐1 shows an example of the updated risk register for the Dionysus Winery once the risk responses have been determined. You can see a new row has been inserted under the probability and impact and score row. The new row is shaded and shows the change in rating after the response has been developed.
Note that the scores for risks 2, 3, and 4 went down. The score for risk 1 stayed the same because the team accepted the risk. Because risk 5 is an opportunity, the score went up due to the response.
When you have agreement on the risk responses, you will likely need to update various plans and project documents. For example, for the risks identified for the Dionysus Winery you would take the following steps.
Risk 1. No action required other than purchasing the cameras.
Risk 2. Assuming the risk analysis is done before baselining, the budget would reflect the higher cost for the vendor.
Risk 3. Work with the contracting department to bring a staffing agency on board. This may result in a secondary risk of increased costs, both for the staffing agency fees and the signing bonuses. You would likely escalate this to the project sponsor to confirm that performance is a higher priority than budget for this risk.
Risk 4. Update the schedule to order the de‐stemmer crusher as soon as possible. You may incur storage fees if you don't have the space to store the equipment before the production facility is renovated.
Risk 5. Work with the relevant party at the nearby winery to purchase their barrels.
TABLE 16-1 Dionysus Winery Risk Register with Responses
ID | Risk Statement | Prob | Impact | Score | Response | ||
---|---|---|---|---|---|---|---|
Time | Cost | Performance | |||||
1T | Because the cost of outdoor security cameras is greater than anticipated, we may overrun the budget for that work package. | 5 | 0 | 2 | 0 | 10 | Accept: Use contingency funds. |
5 | 0 | 2 | 0 | 10 | |||
2T | The city may not approve the plans for the restaurant, causing a schedule delay. | 2 | 4 | 3 | 0 | 14 | Mitigate: Pay more for a vendor with a better track record of getting city approval. |
1 | 4 | 3 | 0 | 7 | |||
3 T | Because of a labor shortage for housekeeping staff, we may not be able to staff all the positions, causing a degradation in performance for the hotel. | 3 | 0 | 0 | 4 | 12 | Transfer: Work with a staffing agency. Mitigate: Offer a $500 signing bonus. |
1 | 0 | 0 | 2 | 2 | |||
4 T | Due to global supply chain issues, the de‐stemmer crusher may be delayed, causing a delay in the start of operations for the wine production facility. | 5 | 5 | 0 | 4 | 45 | Avoid: Order the equipment at the start of the project. This allows 11 months for equipment that may incur a 4‐month delay. |
0 | 0 | 0 | 0 | 0 | |||
5 O | Because a nearby winery is closing its doors, there is an opportunity to acquire some of their wine barrels at a discounted rate. | 3 | 0 | 4 | 3 | 21 | Exploit: Purchase the barrels. |
5 | 0 | 4 | 3 | 35 |
Projects that use Agile methods may keep a risk register or impediment log. One of the principles associated with Agile is early and continuous delivery. Thus, anything that gets in the way of delivery is a risk or impediment. Project work is kept in a backlog that can be reprioritized at the start of each iteration. Therefore, the product owner may choose to incorporate risk reduction work items into the backlog and prioritize them along with the development work. This results in a risk‐adjusted backlog.
Here are three sample risks from the Dionysus Winery management system:
These risks will need to be addressed and the responses incorporated into the prioritized backlog.
Figure 16‐1 assumes the first iteration is complete. At the iteration planning meeting the product owner reprioritized the backlog. The following changes were made:
The new or reordered tasks are shown with a thick border.
For hybrid projects you would track all risks and responses on the risk register to ensure you have an overarching view of risk for the project. As you can see, these risk responses added another iteration to the schedule. The project manager and product owner would need to confer to determine if additional team members could be brought in to clean the data and thus shorten the duration or if the few extra days can be absorbed in the overall schedule.
Reserve is an umbrella term that refers to additional funds or additional time that the project team uses to deal with risk. There are two types of reserve, contingency reserve and management reserve.
Contingency reserve is usually under the control of the project manager. It is used to accommodate accepted risks and variances that are within the variance thresholds. Because contingency reserve is considered part of the cost and schedule baselines, it is expected to be used. This gives the project manager the freedom to make decisions for the good of the project, such as taking a few extra days to ensure the requirements are complete or spending some funds for a subject matter expert to provide feedback on a prototype. These decisions can ultimately reduce risk on the project and lead to better outcomes.
One of the easiest ways to determine the appropriate amount of reserve is to take a percentage of the schedule duration or budget. For low‐risk projects, 10% is standard. For high‐risk projects, 50% is more realistic. But these are very broad parameters. To get a more accurate number, you can develop risk‐adjusted estimates.
Risk‐adjusted estimates consider the range of outcomes associated with a work package by using the multipoint estimating technique described in Chapter 10. This generally entails interviewing the people who will be doing the work and asking them what their optimistic estimate is for the work, their pessimistic estimate, and their most likely estimate. When doing this, it helps to understand the rationale for each estimate. In other words, what would have to happen for the optimistic estimate, what would go wrong for the pessimistic estimate, and what assumptions are present for the most likely estimate.
Table 16‐2 shows five work packages with optimistic, most likely, and pessimistic cost estimates.
For risk‐adjusted estimates, a beta distribution equation is used to determine an expected value. The beta distribution equation is . This equation weights the most likely estimate more than the optimistic and pessimistic estimates. The expected value is an average outcome. In other words, 50% of the time the results will be less than the expected value, and 50% of the time they will be greater than the expected value.
When you apply the weighted average equation and sum the totals, you can see the outcome in Table 16‐3.
TABLE 16-2 Calculating Risk‐Adjusted Estimates—Step 1
Work package | Optimistic | Most likely | Pessimistic |
---|---|---|---|
A | $ 2,000 | $ 3,050 | $ 5,000 |
B | $ 1,500 | $ 1,600 | $ 1,850 |
C | $ 3,000 | $ 5,100 | $ 6,000 |
D | $ 4,500 | $ 5,200 | $ 6,200 |
E | $ 2,500 | $ 3,000 | $ 4,100 |
Total | $13,500 | $17,950 | $23,150 |
TABLE 16-3 Calculating Risk‐Adjusted Estimates—Step 2
Work package | Optimistic | Most likely | Pessimistic | Expected value |
---|---|---|---|---|
A | $ 2,000 | $ 3,050 | $ 5,000 | $ 3,200 |
B | $ 1,500 | $ 1,600 | $ 1,850 | $ 1,625 |
C | $ 3,000 | $ 5,100 | $ 6,000 | $ 4,900 |
D | $ 4,500 | $ 5,200 | $ 6,200 | $ 5,250 |
E | $ 2,500 | $ 3,000 | $ 4,100 | $ 3,100 |
Total | $13,500 | $17,950 | $23,150 | $18,075 |
If your expected value total is greater than the sum of your most likely estimates, there is less than 50% likelihood that you will achieve your cost or schedule goal. Which means the sum of the most likely estimates is not very likely!
Once you discover that the most likely estimates are not sufficient, what do you do? There are two ways to handle this; one uses a spreadsheet to provide a quick but not precisely accurate estimate, and the other entails modeling software, which provides excellent information for estimating and forecasting. Purchasing and using modeling software is usually considered overkill for projects that are less than $20,000,000, so we will focus on the simpler spreadsheet version.
When you apply the beta distribution equation, you get a distribution of outcomes with the expected value as the 50% point. Figure 16‐2 shows an outcome distribution with the sum of the most likely and the sum of the expected values indicated.
TABLE 16-4 Calculating Risk‐Adjusted Estimates—Step 4
Work package | Optimistic | Most likely | Pessimistic | Expected value | Standard deviation | Variance |
---|---|---|---|---|---|---|
A | $ 2,000 | $ 3,050 | $ 5,000 | $ 3,200 | $ 500 | $250,000 |
B | $ 1,500 | $ 1,600 | $ 1,850 | $ 1,625 | $ 58 | $ 3,403 |
C | $ 3,000 | $ 5,100 | $ 6,000 | $ 4,900 | $ 500 | $250,000 |
D | $ 4,500 | $ 5,200 | $ 6,200 | $ 5,250 | $ 283 | $ 80,278 |
E | $ 2,500 | $ 3,000 | $ 4,100 | $ 3,100 | $ 267 | $ 71,111 |
Total | $13,500 | $17,950 | $23,150 | $18,075 | $654,792 |
To get a rough estimate that will get you approximately in the 84% confidence range, subtract the optimistic estimates from the pessimistic estimates and divide by six for each work package. This gives you a standard deviation for each work package.
Next, square the standard deviation for each work package to get the variance. Table 16‐4 shows the worksheet with the standard deviation and variance calculated.
Sum all the variances to get a total variance for the project; for our example the total variance is $654,792. Once you have the project variance, take the square root of that number. That is the standard deviation for the project. For our example, the standard deviation of the project is $809. If you add the standard deviation for the project to the sum of the expected values, you will get a number that you should be able to meet or beat 84% of the time. For our example the expected value plus one standard deviation is $18,884.
Management reserve is different from contingency reserve. Management reserve covers unknown risks or unplanned, in‐scope work.
When projects are part of a larger program, we usually do not have access to management reserve. Management reserve is frequently held at the PMO, program, or portfolio level. Most smaller projects don't have a management reserve.
Examples of how management reserve might be used include:
In this chapter we looked at responding to risks. We covered five risk responses: avoid, mitigate, transfer, escalate, and accept. Some risk responses result in secondary risks, which need to be analyzed and responded to. For risks that are accepted, it is a good idea to establish risk triggers and fallback plans. Agile projects may integrate risk reduction activities into their backlog to create a risk‐adjusted backlog.
Contingency reserve protects your cost and schedule baselines and allows you to make good decisions to reduce risk. We showed how to estimate contingency reserve by comparing most likely estimates to expected values and then calculating the needed contingency.
3.16.54.63