Risk Management 101

In honor of our upcoming release of a basic Risk Management Module for dotProject, I thought I'd share a simple Risk Management 101 session.

Risk is simply: The possibility of suffering a harmful event.

Pretty straightforward, huh? It can get more complicated if you have to deal with SOX (Sarbanes-Oxley compliance), but that is a whole other topic worth discussing at another time.

Regardless, there are two primary ways of dealing with risk: reactively and proactively. If you wait until the project is late, defects are increasing, morale is low, and frustration is high, congratulations, you're reacting to risk. This is a dead-end path and there's not much to do other than minimize further damage.

I hope that once someone has been burned that way once or twice, they'd move on to more proactive actions, but most developers and managers are a thick-headed lot and believe in avoiding anything that doesn't specifically address line items on the project plan. This seems like a good idea… until you realize that the Project Plan is never a complete document.

Here are 4 quick steps for Risk Management:

1. Create a checklist that identifies each risk. This should entail issues such as “Lead developer finds a new job” and “Project funding is delayed”, but not things like “Earth hit by Extinction Level Event”.

2. Calculate the odds of it happening and the impact to the project. This doesn't require the precision of 22.3%, but a simple 5% (possible, but highly unlikely), 25%, 50%, 75%, and 95% (almost inevitable) is sufficient. The impact can be anything like “2 weeks” to “The project will be cancelled.”

3. Look at each risk and figure out if there is a way to mitigate/avoid it. This could be as simple as “Make sure vacation time is accounted for in the project plan.” It doesn't take a great deal of effort, just a bit of thought.

4. Finally, prioritize each risk. Murphy says that when one of these things happens, others will quickly follow and you MUST know which one to deal with first.
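The four steps above, carried through as a small risk register (an added example, not code from the original post or from the dotProject module; the sample risks, the likelihood labels and the week figures are constructed). Each risk gets one of the five likelihood buckets and an impact in weeks, or "cancelled"; exposure is likelihood times impact, and prioritization sorts by exposure with cancellation risks always on top:

```python
from dataclasses import dataclass
from typing import List, Optional

# The five likelihood buckets from step 2, as fractions.
LIKELIHOOD = {
    "highly unlikely": 0.05,
    "unlikely": 0.25,
    "even odds": 0.50,
    "likely": 0.75,
    "almost inevitable": 0.95,
}


@dataclass
class Risk:
    name: str                  # step 1: the checklist entry
    likelihood: str            # step 2: a key of LIKELIHOOD
    delay_weeks: Optional[float]  # step 2: impact; None means "project will be cancelled"
    mitigation: str = ""       # step 3: what we do about it

    def probability(self) -> float:
        return LIKELIHOOD[self.likelihood]

    def exposure(self) -> float:
        """Expected schedule loss in weeks; cancellation is treated as unbounded."""
        if self.delay_weeks is None:
            return float("inf")
        return self.probability() * self.delay_weeks


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 4: highest exposure first; among cancellation risks, the likeliest first."""
    return sorted(risks, key=lambda r: (-r.exposure(), -r.probability(), r.name))


def sample_register() -> List[Risk]:
    # Constructed sample register (hypothetical figures, not from the post).
    return [
        Risk("Lead developer finds a new job", "unlikely", 8, "Cross-train a second developer"),
        Risk("Project funding is delayed", "even odds", 6, "Line up a bridge budget with the sponsor"),
        Risk("Sole vendor goes out of business", "highly unlikely", None, "Escrow the vendor's source"),
        Risk("Vacation time not in the plan", "almost inevitable", 1, "Put vacations on the project plan"),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_register()):
        print(f"{r.exposure():>6.2f} wk  {r.likelihood:<17} {r.name}  ->  {r.mitigation}")
```

Note that a 95% risk with a one-week impact ranks below a 25% risk with an eight-week impact: likelihood alone is not a priority.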

Also keep in mind that Risk Assessment and Risk Management are not one-time events. They are ongoing processes that should be regularly reviewed and revised during the project lifecycle.

Finally, remember that there is a difference between improbable and impossible. While the Earth getting hit by an asteroid might be near impossible to predict and avoid, the entire team commuting in a single vehicle together might be something worth addressing.