Once you've created the list of schedule risks, the next step is to prioritize the risks so that you know where to focus your risk-management efforts. Projects typically spend 80 percent of their money fixing 20 percent of their problems, so it's useful to be able to focus on the most important 20 percent (Boehm 1989).
While it is futile to try to eliminate risk, and questionable to try to minimize it, it is essential that the risks taken be the right risks. | ||
| --Peter Drucker | ||
Once again, the job is easier if you're focusing solely on schedule risks than if you're concerned with all kinds of risks. After you've computed the risk exposure by multiplying the probability of the loss by the size of the loss, sort the risks in your risk-assessment table by the risk exposure and see what you've got. Table 5-5 is an example of a risk-assessment table sorted by risk exposure.
Table 5-5. Example of a Prioritized Risk-Assessment Table
Risk | Probability of Loss | Size of Loss (weeks) | Risk Exposure (weeks) |
|---|---|---|---|
Additional features added by marketing (specific features unknown) | 35% | 8 | 2.8 |
Overly optimistic schedule | 50% | 5 | 2.5 |
Inadequate design—redesign required | 15% | 15 | 2.25 |
New programming tools do not produce the promised savings | 30% | 5 | 1.5 |
Addition of requirement to fully support automated updates from the mainframe | 5% | 20 | 1.0 |
Unstable graphics-formatting subsystem interface | 25% | 4 | 1.0 |
Project approval takes longer than expected | 25% | 4 | 1.0 |
Late delivery of graphics-formatting subsystem by contractor | 10–20% | 4 | 0.4–0.8 |
Facilities not ready on time | 10% | 2 | 0.2 |
Management-level progress reporting takes more developer time than expected | 10% | 1 | 0.1 |
Sorting the table in this way produces a list of risks that are ordered roughly by priority. If you were to successfully address the top five risks in the table, you would expect to avoid 9.8 weeks of expected schedule overruns. If you were to successfully address the bottom five risks, you would avoid only 2.7 to 3.1 weeks of expected schedule overruns. On average, your time is better spent addressing the risks toward the top of the list.
The reason that the list is ordered only "roughly" is that you might want to prioritize some of the larger-loss risks higher than their position in the rough ordering implies. In Table 5-5, the risk "Addition of requirement to fully support automated updates from the mainframe" is only 5 percent likely, but the 20-week impact if it occurs is larger than any other risk. If a 20-week loss would be catastrophic to your project, you should manage risks of that size to ensure that none of them occur even if they have low probabilities.
Likewise, you might want to prioritize a pair of synergistic risks higher than you would prioritize either risk individually. In the example, the instability of the interface to the graphics-formatting subsystem is a risk, and so is the contractor's schedule for its delivery. The combined risk of using a contractor and having the contractor develop code to an unstable interface is likely to be larger than either of the risks individually.
The priority ordering is only approximate for another reason: the numbers that you used to create it were all estimates. The accuracy of the risk-exposure numbers and the priority ordering that comes from them is limited by the accuracy of the probability and size estimates. Converting the estimates into a hard risk-exposure number can make it seem as though the prioritization is precise. But the prioritization can only be as accurate as the input, and because the input is subjective, the prioritization is subjective too. Your judgment is a necessary part of every aspect of risk management.
After you've identified the high-risk items, risk prioritization is also useful for the risks it tells you to ignore. There's no point in managing a low-loss risk that also has a low likelihood of becoming a problem. In the example, you could easily spend more time managing the risk of facilities not being ready on time than you would expect to lose by not managing it at all. Risk prioritization is critical to not becoming overwhelmed by the risk-management activity itself.