16
Reducing Risk
Risk identification and analysis is necessary, but it is meaningless without following through by implementing risk responses. There are several ways you can respond to risks, ranging from avoiding them altogether to accepting them. For risks that you accept, you may choose to have a contingency plan or use contingency reserve.
In this chapter you will learn about five categories of risk responses that can be used for threats on predictive and adaptive projects. You will see how you can adjust a backlog to accommodate risk responses. We will also demonstrate different techniques for estimating the necessary contingency reserve to conduct risk activities and fund risks that you decide to accept.
RISK RESPONSES
There are some risks where you know right away how you should respond. Others require a bit more thought to determine the best response. In this chapter we will explore five categories of risk responses:
- Avoid;
- Mitigate;
- Transfer;
- Escalate; and
- Accept.
You can employ multiple responses to a risk event if you feel it is necessary. Threats and opportunities have similar responses; however, we will focus on responses for threats, with only a brief explanation of the complementary opportunity responses.
Risk Avoidance
When avoiding a risk, you're taking actions that eliminate the threat. Here are some options for avoiding threats.
- Eliminate uncertainty: If you have uncertainty associated with a deliverable, you can do more research to eliminate the uncertainty.
- Relax or eliminate a constraint: If you have multiple schedule risks, you can extend the schedule to avoid the schedule constraint that is putting the delivery date at risk.
- Change a deliverable: For risks associated with technology, you might be able to find a proven or less risky technology.
For all risk responses, but especially when avoiding risks, we sometimes introduce a new risk based on the response. This is called a secondary risk. Secondary risks must be entered into the risk register, analyzed and responded to like any other risk. The complement to avoiding a threat is exploiting an opportunity. Exploiting means taking actions to ensure you capture the opportunity.
Risk Mitigation
Mitigating a risk means finding ways to reduce the probability of an event occurring and/or the impact if it does occur. Options for mitigating threats include:
- Developing prototypes or models of products;
- Running additional tests; and
- Having redundant systems.
The complement of mitigating a threat is enhancing an opportunity. Enhancing entails taking steps to increase either the size of the opportunity or the likelihood of obtaining it.
Risk Transference
Transferring risk usually equates to spending money to shift the risk management to another party. The two most common means of transference are insurance and contracts.
- Insurance. With an insurance policy you pay an insurer to absorb the financial risk of an uncertain event. However, be aware that if the event occurs, it is still your problem, the insurance company merely pays the bill.
- Contracts: You can transfer the work and the management of the risk to a vendor who might be better qualified to manage the risk. However, you are still accountable for the result, so if the vendor isn't effective, you could end up having to deal with the consequences of negative impacts.
Risk transference is another example where secondary risks associated with vendors can occur.
The complement of transferring a threat is sharing an opportunity. Sometimes by partnering with another party you can increase the likelihood of capturing an opportunity.
Risk Escalation
Escalation is used when the risk event is outside the scope of the project, or when you don't have the authority to implement the response. Examples of when escalation is an appropriate response include:
- When the project is part of a program, and the threat could affect several projects in the program;
- If the response could affect departments or divisions that are not involved with the project; and
- If the cost of the threat response exceeds the project manager's budget authority.
Threats are usually escalated to the sponsor, PMO, program manager, or product owner. Risk escalation is the same regardless of whether you are responding to a threat or an opportunity.
Risk Acceptance
Risk acceptance can be passive or active. With passive acceptance if the event occurs, you deal with it in the moment. A common acceptance strategy is to have reserve time in the schedule or reserve funds in the budget to absorb overruns for unknown events.
You can also take a more active approach to acceptance, such as developing a contingency plan to implement in the event the risk materializes. When you have a contingency plan, it is useful to identify a risk trigger that lets you know that the risk is imminent.
In some cases, you may want to develop a fallback plan in case other risk responses are not effective. For example, if you are upgrading a system and it is causing a lot of problems, you can fall back on the old system.
Passive and active acceptance operate the same for both threats and opportunities.
IMPLEMENTING RESPONSES
Once you have identified risk responses, you should reanalyze your risks. You would expect to see the risk score drop based on your responses. Table 16‐1 shows an example of the updated risk register for the Dionysus Winery once the risk responses have been determined. You can see a new row has been inserted under the probability and impact and score row. The new row is shaded and shows the change in rating after the response has been developed.
Note that the scores for risks 2, 3, and 4 went down. The score for risk 1 stayed the same because the team accepted the risk. Because risk 5 is an opportunity, the score went up due to the response.
When you have agreement on the risk responses, you will likely need to update various plans and project documents. For example, for the risks identified for the Dionysus Winery you would take the following steps.
Risk 1. No action required other than purchasing the cameras.
Risk 2. Assuming the risk analysis is done before baselining, the budget would reflect the higher cost for the vendor.
Risk 3. Work with the contracting department to bring a staffing agency on board. This may result in a secondary risk of increased costs, both for the staffing agency fees and the signing bonuses. You would likely escalate this to the project sponsor to confirm that performance is a higher priority than budget for this risk.
Risk 4. Update the schedule to order the de‐stemmer crusher as soon as possible. You may incur storage fees if you don't have the space to store the equipment before the production facility is renovated.
Risk 5. Work with the relevant party at the nearby winery to purchase their barrels.
TABLE 16-1 Dionysus Winery Risk Register with Responses
| ID | Risk Statement | Prob | Impact | Score | Response | ||
|---|---|---|---|---|---|---|---|
| Time | Cost | Performance | |||||
| 1T | Because the cost of outdoor security cameras is greater than anticipated, we may overrun the budget for that work package. | 5 | 0 | 2 | 0 | 10 | Accept: Use contingency funds. |
| 5 | 0 | 2 | 0 | 10 | |||
| 2T | The city may not approve the plans for the restaurant, causing a schedule delay. | 2 | 4 | 3 | 0 | 14 | Mitigate: Pay more for a vendor with a better track record of getting city approval. |
| 1 | 4 | 3 | 0 | 7 | |||
| 3 T | Because of a labor shortage for housekeeping staff, we may not be able to staff all the positions, causing a degradation in performance for the hotel. | 3 | 0 | 0 | 4 | 12 | Transfer: Work with a staffing agency. Mitigate: Offer a $500 signing bonus. |
| 1 | 0 | 0 | 2 | 2 | |||
| 4 T | Due to global supply chain issues, the de‐stemmer crusher may be delayed, causing a delay in the start of operations for the wine production facility. | 5 | 5 | 0 | 4 | 45 | Avoid: Order the equipment at the start of the project. This allows 11 months for equipment that may incur a 4‐month delay. |
| 0 | 0 | 0 | 0 | 0 | |||
| 5 O | Because a nearby winery is closing its doors, there is an opportunity to acquire some of their wine barrels at a discounted rate. | 3 | 0 | 4 | 3 | 21 | Exploit: Purchase the barrels. |
| 5 | 0 | 4 | 3 | 35 | |||
RISK‐ADJUSTED BACKLOG
Projects that use Agile methods may keep a risk register or impediment log. One of the principles associated with Agile is early and continuous delivery. Thus, anything that gets in the way of delivery is a risk or impediment. Project work is kept in a backlog that can be reprioritized at the start of each iteration. Therefore, the product owner may choose to incorporate risk reduction work items into the backlog and prioritize them along with the development work. This results in a risk‐adjusted backlog.
Here are three sample risks from the Dionysus Winery management system:
- Greek God Wineries is updating their enterprise architecture. There are two options under consideration; one will not entail a change to our interface mapping, the other will.
- Greek God Wineries is installing a new knowledge management system at the same time we will be creating the user instructions. The system will not allow new content until after the new knowledge management system is installed and tested. This will cause a delay in user instructions.
- The cloud carrier is upgrading their system. Once the upgraded system is live, we will have to test our data and functionality to ensure it works correctly in the new environment.
These risks will need to be addressed and the responses incorporated into the prioritized backlog.
Figure 16‐1 assumes the first iteration is complete. At the iteration planning meeting the product owner reprioritized the backlog. The following changes were made:
- A new task was added to develop an interface map that would meet the needs of the other potential enterprise architecture. The team estimated that it would take less effort than the original interface mapping since they could reuse some of the work.
- Writing the user instructions was moved up to accommodate the new knowledge management system. By getting the work done early, the user instructions will be brought over when the new knowledge system cuts over.
- A new task was added to test the upgraded cloud environment. It is scheduled for the next iteration.
The new or reordered tasks are shown with a thick border.
For hybrid projects you would track all risks and responses on the risk register to ensure you have an overarching view of risk for the project. As you can see, these risk responses added another iteration to the schedule. The project manager and product owner would need to confer to determine if additional team members could be brought in to clean the data and thus shorten the duration or if the few extra days can be absorbed in the overall schedule.
FIGURE 16‐1 Risk‐adjusted backlog.
RESERVE
Reserve is an umbrella term that refers to additional funds or additional time that the project team uses to deal with risk. There are two types of reserve, contingency reserve and management reserve.
Contingency Reserve
Contingency reserve is usually under the control of the project manager. It is used to accommodate accepted risks and variances that are within the variance thresholds. Because contingency reserve is considered part of the cost and schedule baselines, it is expected to be used. This gives the project manager the freedom to make decisions for the good of the project, such as taking a few extra days to ensure the requirements are complete or spending some funds for a subject matter expert to provide feedback on a prototype. These decisions can ultimately reduce risk on the project and lead to better outcomes.
One of the easiest ways to determine the appropriate amount of reserve is to take a percentage of the schedule duration or budget. For low‐risk projects, 10% is standard. For high‐risk projects, 50% is more realistic. But these are very broad parameters. To get a more accurate number, you can develop risk‐adjusted estimates.
Risk‐Adjusted Estimates
Risk‐adjusted estimates consider the range of outcomes associated with a work package by using the multipoint estimating technique described in Chapter 10. This generally entails interviewing the people who will be doing the work and asking them what their optimistic estimate is for the work, their pessimistic estimate, and their most likely estimate. When doing this, it helps to understand the rationale for each estimate. In other words, what would have to happen for the optimistic estimate, what would go wrong for the pessimistic estimate, and what assumptions are present for the most likely estimate.
Table 16‐2 shows five work packages with optimistic, most likely, and pessimistic cost estimates.
For risk‐adjusted estimates, a beta distribution equation is used to determine an expected value. The beta distribution equation is 
. This equation weights the most likely estimate more than the optimistic and pessimistic estimates. The expected value is an average outcome. In other words, 50% of the time the results will be less than the expected value, and 50% of the time they will be greater than the expected value.
When you apply the weighted average equation and sum the totals, you can see the outcome in Table 16‐3.
TABLE 16-2 Calculating Risk‐Adjusted Estimates—Step 1
| Work package | Optimistic | Most likely | Pessimistic |
|---|---|---|---|
| A | $ 2,000 | $ 3,050 | $ 5,000 |
| B | $ 1,500 | $ 1,600 | $ 1,850 |
| C | $ 3,000 | $ 5,100 | $ 6,000 |
| D | $ 4,500 | $ 5,200 | $ 6,200 |
| E | $ 2,500 | $ 3,000 | $ 4,100 |
| Total | $13,500 | $17,950 | $23,150 |
TABLE 16-3 Calculating Risk‐Adjusted Estimates—Step 2
| Work package | Optimistic | Most likely | Pessimistic | Expected value |
|---|---|---|---|---|
| A | $ 2,000 | $ 3,050 | $ 5,000 | $ 3,200 |
| B | $ 1,500 | $ 1,600 | $ 1,850 | $ 1,625 |
| C | $ 3,000 | $ 5,100 | $ 6,000 | $ 4,900 |
| D | $ 4,500 | $ 5,200 | $ 6,200 | $ 5,250 |
| E | $ 2,500 | $ 3,000 | $ 4,100 | $ 3,100 |
| Total | $13,500 | $17,950 | $23,150 | $18,075 |
If your expected value total is greater than the sum of your most likely estimates, there is less than 50% likelihood that you will achieve your cost or schedule goal. Which means the sum of the most likely estimates is not very likely!
Once you discover that the most likely estimates are not sufficient, what do you do? There are two ways to handle this; one uses a spreadsheet to provide a quick but not precisely accurate estimate, and the other entails modeling software, which provides excellent information for estimating and forecasting. Purchasing and using modeling software is usually considered overkill for projects that are less than $20,000,000, so we will focus on the simpler spreadsheet version.
Calculating Contingency Reserve
When you apply the beta distribution equation, you get a distribution of outcomes with the expected value as the 50% point. Figure 16‐2 shows an outcome distribution with the sum of the most likely and the sum of the expected values indicated.
FIGURE 16‐2 Calculating risk‐adjusted estimates—step 3.
TABLE 16-4 Calculating Risk‐Adjusted Estimates—Step 4
| Work package | Optimistic | Most likely | Pessimistic | Expected value | Standard deviation | Variance |
|---|---|---|---|---|---|---|
| A | $ 2,000 | $ 3,050 | $ 5,000 | $ 3,200 | $ 500 | $250,000 |
| B | $ 1,500 | $ 1,600 | $ 1,850 | $ 1,625 | $ 58 | $ 3,403 |
| C | $ 3,000 | $ 5,100 | $ 6,000 | $ 4,900 | $ 500 | $250,000 |
| D | $ 4,500 | $ 5,200 | $ 6,200 | $ 5,250 | $ 283 | $ 80,278 |
| E | $ 2,500 | $ 3,000 | $ 4,100 | $ 3,100 | $ 267 | $ 71,111 |
| Total | $13,500 | $17,950 | $23,150 | $18,075 | $654,792 |
To get a rough estimate that will get you approximately in the 84% confidence range, subtract the optimistic estimates from the pessimistic estimates and divide by six for each work package. This gives you a standard deviation for each work package.
Next, square the standard deviation for each work package to get the variance. Table 16‐4 shows the worksheet with the standard deviation and variance calculated.
Sum all the variances to get a total variance for the project; for our example the total variance is $654,792. Once you have the project variance, take the square root of that number. That is the standard deviation for the project. For our example, the standard deviation of the project is $809. If you add the standard deviation for the project to the sum of the expected values, you will get a number that you should be able to meet or beat 84% of the time. For our example the expected value plus one standard deviation is $18,884.
Management Reserve
Management reserve is different from contingency reserve. Management reserve covers unknown risks or unplanned, in‐scope work.
When projects are part of a larger program, we usually do not have access to management reserve. Management reserve is frequently held at the PMO, program, or portfolio level. Most smaller projects don't have a management reserve.
Examples of how management reserve might be used include:
- If you miss a requirement, management reserve would be used to pay for the unplanned in‐scope work;
- If a component is failing and you need to rework it and conduct additional testing, management reserve would pay for the work and testing;
- If an unforeseen risk event occurs, management reserve covers the risk response or the impacts.
SUMMARY
In this chapter we looked at responding to risks. We covered five risk responses: avoid, mitigate, transfer, escalate, and accept. Some risk responses result in secondary risks, which need to be analyzed and responded to. For risks that are accepted, it is a good idea to establish risk triggers and fallback plans. Agile projects may integrate risk reduction activities into their backlog to create a risk‐adjusted backlog.
Contingency reserve protects your cost and schedule baselines and allows you to make good decisions to reduce risk. We showed how to estimate contingency reserve by comparing most likely estimates to expected values and then calculating the needed contingency.
Key Terms
- contingency reserve
- fallback plan
- management reserve
- reserve
- risk acceptance
- risk avoidance
- risk escalation
- risk mitigation
- risk transference
- risk trigger
- risk‐adjusted backlog
- secondary risk