John Goodpasture has a nice post that I'll repeat here for effect.
The Korean War was planned to last only a few days so we did not plan anything in case things might go wrong. If you plan a war without planning for failures then you are asking for trouble.
- Do you have a register of all the risks that have ever been thought of on your project?
- Do you analyze these risks and determine which ones are really going to cause you grief?
- Do you keep all the others just in case they might turn into a bad boy some day?
- Do you have an actual, for-real risk management process? This means a process that was copied from another no-kidding real risk management process, like one you would find at NASA, DoD, DOE, or other places where, when risks happen, people die, crap blows up, and billions of dollars go up in smoke.
- No? Then stop right here and go get one.
- Do you have risk review meetings every month?
- Does your risk management process address the following?
  - The probability of occurrence of the risk.
  - The impact of the risk if nothing is done about it. That is, the risk comes true and turns into an issue: how much will that cost in time and money?
  - The cost needed to "retire" the risk, that is, make it go away. Care is needed here, because many people use the term mitigate. Instead use retire. That says what done looks like for the risk: it is gone. How much does that cost?
  - The probability that, once you spend that money, there will still be some residual risk. What is the cost and schedule impact of this residual risk?
- Take each retirement plan, and monetize it. You can have plans that don't retire the risk. No problem. You can ignore the risk, transfer it to someone else, handle it when it comes true. You have to decide this.
- But for each risk that you are going to retire you need a schedule for doing that. You need resources, time, a plan.
- Then what happens is the risk doesn't come true, except with the probability remaining after you have retired it.