Risk Management

The overall purpose of risk management is to identify, analyze, respond to, and monitor risk factors throughout the project life cycle. Risk management requires understanding risk events, assessing their impacts on a project, determining the best way to deal with them, developing and executing a plan for managing them, and monitoring progress. It also includes the possible emergence/identification of unforeseen opportunities, and strategies to exploit them.

In an Adaptive/Agile Environment, frequent reviews of incremental work products and cross-functional project teams accelerate knowledge sharing and ensure that risk is understood and managed. Risk is considered when selecting the content of each iteration, and risk will also be identified, analyzed and managed during each iteration. Two areas comprise Risk Management: “ownership” of not only development/technical risks but also financial, business, operational, process and organizational risks; and frequent “review” of potential risks, conducted during iteration (sprint) planning, daily stand-ups, release planning, retrospectives and demos.

Components

Risk Management Planning

This component is used to determine how to conduct risk management activities and defines the role of and steps for developing risk management plans.

Risk Identification

Risk identification involves determining which risks are likely to exert impacts on a project and documenting the characteristics of each risk. The main results of this process are listings of potential risk events and triggers.

Qualitative Risk Analysis

This component covers risk prioritization based on analyses that consider how likely a risk is to occur, how significant its impact will be, and what actions should be implemented to mitigate it.

Quantitative Risk Analysis

Risk quantification means evaluating risks and assessing the potential outcomes. It involves examining all identified risks; determining interactions, relationships, and implications to projects; developing probabilities of occurrence; determining which risks warrant responses; and assessing the range of possible project outcomes. The main product is a prioritized list of quantified risk events.

Risk Response Planning

Risk response planning involves defining the steps for managing identified risks. Planning determines how best to respond to risks and establishes the contingency plans, reserves, and agreements necessary to contain risks. Planning strategies are developed to avoid, transfer, mitigate, or accept risks. Risk response includes the development of risk management plans, maintenance of project reserves, and determining mitigation strategies.

Risk Response Implementation

This process covers the implementation of planned risk responses that were agreed upon during risk response planning, ensuring that those responses are executed according to plan.

Risk Monitoring

Risk control obviously involves controlling risks, deciding how to handle them, and deciding on and implementing corrective actions. The first step of risk control is identification of concerns. Risks are controlled in accordance with a risk management plan and established procedures. The main documentation products are: a risk register, corrective action data, and risk management plan updates.

Adaptive/Agile Environments: Ownership and Reviews

Ownership—Sharing risk means trusting in each team member’s abilities and intentions and owning risks as a team and not shifting as much risk as possible to others. A culture of shared owned risk and having the tools in place to manage risk is required for success.

Reviews—The sprint review, the sprint retrospective, and the product owner’s involvement during each sprint provide constant product feedback which helps prevent deviations between product expectations and the completed product. Teams use existing agile artifacts and meetings to manage risk. Teams also wait until the last responsible minute to address risk, when they know the most about the project and problems that are more likely to arise.

Level 1: Initial Process

The organization recognizes the need for risk management but no established practices or standards are in place. Documentation is minimal and results are not shared. Risk response is reactive rather than planned and proactive.

Risk Management Planning

No risk management plan exists. Risk management is anecdotal and incidental. A project charter or other statement of purpose may be the only initiating documentation that references potential risks. The risks of failing to realize benefits are not considered by the project team. Opportunity costs of failing to capitalize on emerging opportunities are not considered.

Risk Identification

Risks are not identified routinely. However, individuals may discuss items of special interest to management or stakeholders, typically when a risk has become a current problem instead of a future possibility. To help identify risks, a project manager will generally have a scope statement and a WBS that details a basic set of milestones and perhaps deliverables. The project manager may also have a top-level milestone schedule. Risks revealed by project scope and milestone information are discussed only on an ad hoc basis.

Qualitative Risk Analysis

If risks are identified, the project manager may speculate on impacts on a project if the risks occur. Impromptu speculation without any analysis, planning, or standard process is the typical approach.

Quantitative Risk Analysis

Little or no quantitative analysis of identified risks takes place. Speculation typically involves no analysis, forethought, or standard approach.

Risk Response Planning

In large part, risks are addressed as they arise. Teams seldom determine mitigation strategies or plan for contingencies for future risk events. Not all risks have assigned owners.

Risk Response Implementation

Project teams do not always act after planning risk responses to known risks.

Risk Monitoring

Project teams perform more day-to-day problem solving when new risks occur. They develop work-arounds to address the events instead of working from a risk management plan and identifying additional risk response strategies. No historical database of typical risks encountered and related experiences exists; team members rely upon their own past experiences and discussions with the project team.

Adaptive/Agile Environments

Ownership—There is no ownership for financial, business, technical, operational, process and organizational risks.

Reviews—Frequent reviews (iteration planning, daily stand-ups, metrics and retrospectives) are ad hoc and lack focus on managing risks.

 