Part 7: Steps to manage risk


Risk Identification

Risk Analysis

Risk Planning

Risk Tracking

Risk Control

Risk Communication

Risk Identification

Risk is an undesirable situation or circumstance, which has both a
probability of occurring and a potential consequence to project success.
Risk has an impact on cost, schedule, and performance. Risk identification
is the process of identifying uncertainty within all aspects of a project.
In other words: what might go wrong and what happens if it does. For most
information system projects, these risks may be grouped in the following

- Technical. Risk associated with creating a new capability or capacity

- Supportability. Risk associated with implementing, operating, and
maintaining a new capability

- Programmatic. Risk caused by events outside the project's control, such as
public law changes

- Cost and Schedule. Risk that cost or schedule estimates are inaccurate or
planned efficiencies are not realized

Risks should be identified continuously by project participants (at all levels),
and the project management team should capture these risks in definitive
statements of probability and impact. Lessons learned from previous projects may
be a significant source for identifying potential risks on a new project.

Risk identification process goals

Encourage input of perceived risk from the team

Identify risk while there is time to take action

Uncover risk and sources of risk

Capture risk in a readable format

Communicate risk to those who can resolve it

Prevent project surprises

Checklist, interview, meeting, review, routine input, survey, working group.

Risk Analysis

Risk Analysis quantifies the identified risks and conducts detailed
sensitivity studies of the most critical variables involved. The outcome of
these analyses may be a quantified list of probabilities of occurrence and
consequences that may be combined into a single numerical score. This single
score allows project risks to be prioritized.


Risk analysis process goals

Analyze risk in a cost-efficient manner

Refine the risk context

Determine the source of risk

Determine the risk exposure

Determine the time frame for action

Determine the highest-severity risk


Analysis process activities

Group similar and related risks

Determine risk drivers

Determine the source of risk

Use risk analysis techniques and tools

Estimate the risk exposure

Evaluate risk against criteria

Rank risks related to other risks


Risk exposure (RE) = Probability × Cost

Risk Planning

Risk planning decides what to do about a project risk. Available actions are:

- Avoid the risk.

- Assume the risk

- Transfer the risk

The action selected for each risk will depend on the project phase, the options
that are available, and the resources that can be used for risk management. A
majority of project activities involve tracking and controlling the project


Risk planning process goals

Provide visibility for key events and conditions

Reuse successful risk resolution strategies

Optimize selection criteria

Understand the next action for each high-severity risk

Establish automatic triggering mechanisms

Risk planning process activities

Develop risk scenarios for high-severity risks

Develop risk resolution alternatives

Select the risk resolution approach

Develop a risk action plan

Establish thresholds for early warning

Risk Tracking

Risk tracking involves gathering and analyzing project information that measures
risk. For example, test reports, design reviews, and configuration audits are
risk tracking tools used by project management to assess the technical risk of
moving forward into the next life cycle phase.


Risk tracking process goals

Monitor the events and conditions of risk scenarios

Track risk indicators for early warning

Provide notification for triggering mechanisms

Capture results of risk resolution efforts

Report risk measures and metrics regularly

Provide visibility into risk status

Risk Control

Risk control takes the results of risk tracking and decides what to do and then
does it. For example, if a project design review shows inadequate progress in
one area, the decision may be made to change technical approaches or delay the

Risk Mitigation Techniques

Risk mitigation techniques are used to control or transfer risk until an
acceptable risk level is reached. The most common techniques are inherent in
good management and engineering practice:

- Budget management reserve - mitigates cost risk

- Schedule slack - mitigates schedule risk

- Parallel development - mitigates technical risk

- Prototyping - mitigates technical

- Incentive fee and incentive-firm contract types - mitigates cost risk

- Incremental deliveries - mitigates …

- Entrance and exit criteria for major design reviews - mitigates cost, schedule
and technical risks

Risk resolution process goals

Assign responsibility and authority to the lowest possible level

Follow a documented risk action plan

Report results of risk resolution efforts

Provide for risk-aware decision making

Determine the cost effectiveness of risk management

Be prepared to adapt to changing circumstances

Take corrective actions when necessary

Improve communication within the team

Systematically control the software risk


Risk resolution process

Respond to notification of triggering event

Execute the risk action plan

Report action against the plan

Correct the deviation from the plan


Risk Communication

Risk information should be communicated to all levels of the project
organization and to appropriate external organizations. This ensures
understanding of the project risks and the planned strategies to address the
risk. Risk information then feeds the decision processes within the project and
should establish support within external organizations for mitigation
activities. For example, an agency comptroller who understands the project risks
is more likely to allow the project manager to have a management reserve within
the project budget.

Communicating risk information in a clear, understandable, balanced, and useful
manner is difficult. The ability to state the problem at hand clearly,
concisely, and without ambiguity is essential.


Force field analysis

Is a technique to help people to understand the positive and negative aspects of

Force field analysis provides motivation to overcome the barriers. Compelling
reasons that change is needed to provide motivation for the use of risk

Force field for Risk Management adoption

| Driving forces | Restraining forces |
| --- | --- |
| Provides a focus on goals | Management lacks commitment |
| Satisfies customer requirement | People are resistant to change |
| Increases visibility for high-risk areas | The team has no time for training |
| Promotes communication of risks | The process levies extra work |
| Provides a risk-aware decision | There is a lack of available tools |
| Helps resolve difficult issues | Attitudes towards risk is |
| Contributes to a more realistic | People are already too busy |
| Helps avoid surprises | Staff support is lacking |
| Helps prevent problems | Individuals fear retribution |
| Reduces work | People fear failure |

The power pyramid


Admit weakness

Eliminate waste

Discuss failures

Expand knowledge

Show appreciation

Take chances


Any questions?
