15 Develop the Plan

Success or failure is often determined on the drawing board.

—Robert J. McKain

A risk management plan incorporates the documented goals, strategy, and methods for performing risk management on a project. The purpose of developing such a plan is to determine the approach for performing risk management cost-effectively on the project. The plan should be long enough to convey this information to project participants. For a small project, the risk management plan might be only 5 pages long. For a large project, the plan might grow to 20 pages. The plan may be a separate document or part of a larger plan (e.g., project management plan, system engineering master plan, or software development plan).

The risk management plan develops from a draft annotated outline that project leaders review to identify problems and promote understanding of the plan. Incorporating feedback from the reviewers helps to develop a better plan—better in the sense that people believe more in their own creations. The not-invented-here (NIH) syndrome is the resistance of people to execute plans that they did not invent. Involving others (as a minimum, the project leaders) in the development of the draft risk management plan is critical to removing the NIH roadblock.

The risk management plan should be documented in an easily understood format. It should be approved through the appropriate management to promote support and commitment, then be distributed to the project team to provide common goals, strategy, and methods for performing risk management. The plan should be maintained with a revision history that includes version number, date, and description of change.

In this chapter, I explain the contents of a comprehensive risk management plan.

This chapter answers the following questions:

• What are the contents of a comprehensive risk management plan?

• How can you delegate responsibility and authority for risk management?

• What is the most effective approach for a risk management plan?

15.1 Outline the Risk Management Plan

The risk management plan maps human resources to project requirements for risk management. An outline for a risk management plan contained within a project management plan (PMP) is shown in Table 15.1. The PMP describes the budget, schedule, and staffing aspects of project planning for risk management requirements. Section 1.0, Goals, explains why the project needs risk management, what the project expects to gain from use of risk management, and how the risk management plan responds to risk management requirements. Section 2.0, Strategy, contains the philosophy and guiding principles of risk management, as well as how people will organize to manage risk. Section 3.0, Process, describes a tailored version of the standard risk management process. Section 4.0, Verification, shares the evaluation criteria for practice compliance. Section 5.0, Mechanisms, describes examples of the methods the project team will use to execute the risk management process.

15.2 Define Risk Management Goals

The risk management goals are the driving requirements for risk management on the project. Goals should provide direction and focus for the project team members. Purpose describes what you hope to achieve by following the risk management plan. The statement of purpose provides the motivation and expectation for risk management results. Objectives are specific actions that help achieve a goal. The objectives may be listed in order of priority and may be written as quantitative targets, such as “100 percent award fee” or “zero defects.” Scope describes an overview for the major sections of the plan. A few sentences for each major section is sufficient to provide a synopsis of the risk management plan contents.

Table 15.1 Risk Management Plan Outline

15.3 Define the Risk Management Strategy

The risk management strategy is the manner in which the people will implement the plan. The risk management plan should comply with a written organizational risk management policy. You can reference the policy without duplicating the contents of the policy. Approach defines the principles by which people will manage risks. Projects may share a similar process but have a diverse approach, which yields different results. The recommended risk management approach is proactive, integrated, systematic, and disciplined.

Proactive risk management means actively attacking risks [Gilb88]. The proactive approach is favorably causing action or change. A proactive approach is for action, not reaction [Hall95]. The plan should describe a proactive approach for acting to assess and control risks. Your project plan can be proactive by establishing a system of rewards for early identification of risks.

Integrated risk management means incorporating awareness of risk into routine work activities. One way to integrate risk management into regular activities is to centralize a database for recording issues and actions associated with risk. We need routine risk management due to turnover and growth in staffing, an increase in awareness of project issues, and a different life cycle focus. Because risks are dynamic, risk management must be routine. Routine risk management is possible when it is integrated into regular project activities [Hall97].

Systematic risk management means establishing a set of checks and balances that perpetuate the process. A system of checks and balances, such as procedures for verification and improvement, helps to continue the process. Mechanisms that help address issues systematically are the risk checklist, risk management form, and risk database. One way to improve risk management systematically is to assign a risk manager and facilitator role on every project and import-export lessons learned.

Finally, disciplined risk management means growing in capability through knowledge and experience in six basic disciplines: Envision, Plan, Work, Measure, Improve, and Discover. The ability to manage risk has a developmental path from novice to expert for acquiring certain skills. We develop proficiency through the study and practice of risk management principles, methods, and tools [Hall94]. One technique that can help you develop a more disciplined risk management capability is root cause analysis.

A project role determines how to delegate responsibility and authority for managing risk. For each function on the project organization chart, clearly define the roles and responsibilities, as shown in Table 15.2. People inherit risk by assuming one of the project roles. Each role has internal and external interfaces where known risk must be communicated. When a role is filled by several people, individuals should designate a leader to coordinate the group. It is difficult to hold people or groups accountable for managing risk when there is ambiguity in their responsibilities. Authority should be granted explicitly to handle risk information among interpersonal interfaces, even though the hierarchical organization chart does not show the relationship.

Table 15.2 Delegate Authority for Managing Risk

15.4 Define the Risk Management Process

The risk management process is a systematic and structured way to manage risks that includes the activities and mechanisms used to transform project knowledge into decision-making information. The risk management plan can point to a documented risk management process. Whether by hard copy reference or soft copy linkage, the separation of process and plan enables the flexibility for change. You can define the risk management process by tailoring a standard risk management process. (A risk management process is provided in Part II. Chapter 16 describes how to tailor a standard process to the needs of a project.)

15.5 Define Risk Management Verification

Risk management verification is the method to ensure that project practices adhere to the documented risk management plan. Review criteria are specified to set expectations for compliance. The purpose of the review is to understand the activities, agents, and artifacts of the risk management plan to prepare for a compliance audit. An audit procedure verifies whether planned activities are conducted and participants are trained, and whether there is adherence to the risk management plan. The audit report is generated to summarize implementation performance and detail any discrepancies against the plan. The report should show if requirements have been achieved and the nature of any nonconformance. (Chapter 12 describes how to verify compliance of risk management activities through an independent audit.)

15.6 Define Risk Management Mechanisms

The risk management mechanisms are the techniques and tools used by a process to transform inputs to outputs. Mechanisms can be included in the risk management plan to help people visualize the organization of risk information. Three important mechanisms of risk management are the risk checklist, risk management form, and risk database structure.

• Risk checklist. A risk checklist organizes areas of concern into categories to understand the nature of the risk. Risk checklists help us to identify risks in a given area completely. For example, items on the critical path create a checklist of schedule risks that should be managed. (I describe several risk checklists in Chapter 4.)

Figure 15.1 Risk management form. This form captures essential risk information in a standard format.

• Risk management form. The risk management form documents risk information essential for managing risk. One way to record risk information systematically and track it to closure is a risk management form. Anyone can use the form at any time to identify an issue—and may use it anonymously. Figure 15.1 shows a sample risk management form for an active risk.

• Risk database structure. The risk database structure shows the organization of identified risks and associated information. It organizes risk information to support queries, status tracking, and report generation. A simple spreadsheet tool can implement the risk database, useful for its ability to sort and report automatically. Actual contents of the risk database are not part of the plan because risks are dynamic¹ and change over time.

¹ The half-life of a risk may be six months or less.

15.7 Summary

In this chapter, I explained the contents of a comprehensive risk management plan:

• Goals.

• Strategy.

• Process.

• Verification.

• Mechanisms.

You can delegate responsibility and authority for risk management by clearly defining project roles. People can be held accountable for managing risk only when there is no ambiguity in their responsibilities. Project organization charts are not sufficient to convey people’s responsibilities or their interpersonal interfaces, which are known sources of risk. Risk is a function of a project role, not an individual person. People inherit risk when they are assigned a project role.

The most effective approach for a risk management plan is proactive, integrated, systematic, and disciplined.

15.8 Questions for Discussion

1. In what ways can the risk management plan provide an approach for performing risk management cost-effectively?

2. Discuss the advantages and disadvantages of a proactive approach to managing risk.

3. List five responsibilities associated with the role of project manager. For each responsibility, provide a risk that might occur. Identify the associated interfaces for communication regarding each risk.

4. List five responsibilities associated with the role of quality manager. For each responsibility, provide a risk that might occur. Identify the associated interfaces for communication regarding each risk.

5. List five responsibilities associated with the role of system engineer. For each responsibility, provide a risk that might occur. Identify the associated interfaces for communication regarding each risk.

6. List five responsibilities associated with the role of software engineer. For each responsibility, provide a risk that might occur. Identify the associated interfaces for communication regarding each risk.

7. Do you think the separation of process and plan enables flexibility for change? Discuss why you do or do not think so.

8. Discuss the advantages and disadvantages of an independent quality audit of the risk management practices to ensure adherence to the risk management plan.

9. Discuss the difference between the goal of minimizing risk and the goal of maximizing opportunity.

10. Do you agree that success or failure is often determined on the drawing board? Discuss why you do or do not agree.

15.9 References

[Gilb88] Gilb T. Principles of Software Engineering Management. Reading, MA: Addison-Wesley, 1988.

[Hall97] Hall E, Gorsuch T. A sixth discipline for future awareness. Proc. Seventh International Symposium of the International Council on Systems Engineering, Los Angeles, August 1997.

[Hall95] Hall E. Proactive Risk Management Methods for Software Engineering Excellence. Doctoral dissertation, Computer Science Department, Florida Institute of Technology, Melbourne, FL, April 1995.

[Hall94] Hall E. Evolution of essential risk management technology. Proc. 3rd SEI Conference on Software Risk, Pittsburgh, PA, April 1994.
