Pat Weaver posted a response to Michael Hatfield's PMI Blog saying:
Where we do agree is on the mumbo jumbo of statistical paralysis many so-called risk management systems bog down in. The purpose of risk management is to identify opportunities and threats and then actually do something about them. Recording risks in a risk register and then qualitatively and quantitatively analyzing them is a complete and total waste of time unless someone actually takes action.
While there might be projects that record risks in a registry and move on, this of course is not the same as doing risk management.
One place to start is to download Mitre Corporation's Risk Management processes. There is a handbook and a tool to manage the risk.
The next step is to connect the risks to the Integrated Master Schedule (IMS) in the following way. Each risk:
- Needs a risk code that is traceable in the IMS. This code is immutable, connecting the elements in the IMS to the risk registry. This is also the connection to the cost baseline, WBS, Control Accounts and all other cross-reference items in the Performance Measurement Baseline.
- Is recorded in the IMS as a planned activity, with either a retirement plan or a mitigation plan placed on baseline. This connects the risk management process with the project management process - they are inseparable.
- Has a risk "buy down" or "retirement plan" that moves the risk from RED to YELLOW to GREEN at a planned time defined in the IMS, so everyone can see when these planned reductions in risk are being made. The reduction may not take place as planned, just like other work in the IMS. But without a planned deliverable for risk reduction, it'll never happen.
- Has a budget set aside for mitigation, or budget allocated to retirement. No budget means when the risk comes true - becomes an issue - there is no money to cover the issue.
- Has an assigned Control Account Manager for all the risk management activities in that CA. No single accountability means no one is really looking after the risks.
- Each technical Control Account Manager (CAM) has risk management as part of the Performance Measurement Baseline. Without integrating the risks and the planned work, when something goes wrong there is no way to assess the impact on the overall program.
- Is part of the program "mindset" described in the Project Breathalyzer chart posted on the wall of every work area. If you don't talk the talk as well as walk the walk, no one knows why you're doing risk management.
If you're not doing these things and the dozens of other risk-related things, then you're not doing risk management - period. You're giving it lip service.
If this is too deep for now, start with Five Easy Pieces of Risk Management. But start somewhere. Move beyond reading about the problem, and start working toward the solution to risk management.
By the way, when you hear about the so-called "mumbo jumbo" of risk management, it's not true. It's BS. Probabilistic risk management is how adults manage risk. Start with Tom DeMarco and Tim Lister.
NASA, DoD, DOE, FAA, DHS do this every day. Don't buy the idea that risk management methods are mumbo jumbo - learn how to do this right and ignore the suggestion that it's all a bunch of fancy numbers - it's not, never has been.
Listen to Tim Lister and then tell me it's mumbo jumbo.
Risk Management is Project Management for Adults