Over the past weeks there have been several discussions on the forums and blogs about risk and risk management. Here's a short post on those topics and their impact on project performance.
Risk Comes from Uncertainty
Risk does not exist by itself. Risk is created when there is uncertainty. If I am certain that it is going to rain this afternoon, then there is no risk of rain. It's going to rain with 100% probability. There is no uncertainty about the forecast of rain.
So first we need uncertainty to have a risk. But there are two classes of uncertainty:
- Aleatory uncertainty - is uncertainty that comes from a random process. Flipping a coin and predicting either HEADS or TAILS is aleatory uncertainty. In other words, the uncertainty we are observing is random; it is part of the natural processes of what we are observing.
Aleatory uncertainty refers to the inherent uncertainty due to the probabilistic variability.
This type of uncertainty is Irreducible, in that there will always be variability in the underlying variables.
These uncertainties are characterized by a probability distribution.
The parameter that is being measured - duration, RPM, discharge from a river flow, is stochastic and cannot be reduced.
- Epistemic uncertainty - is uncertainty that comes from the lack of knowledge. This lack of knowledge comes from many sources. Inadequate understanding of the underlying processes, incomplete knowledge of the phenomena, or imprecise evaluation of the related characteristics are common sources of epistemic uncertainty. In other words, we don't know how this thing works, so there is uncertainty about its operation.
Epistemic uncertainty refers to limited knowledge we may have about the system (modeled or real). This type of uncertainty is reducible.
If we have more information, we can take more measurements, conduct more tests, "buy" more information. This type of uncertainty can be reduced.
The parameter being measured is usually a characteristic of the material or the physical process. The uncertainty is related to the "lack of knowledge" about this parameter.
Handling Risks Created from Uncertainty
- Aleatory risk is not a lack of information. It is a naturally occurring process. We cannot buy more information, so we have to provide margin for this type of risk. Schedule Margin to cover the naturally occurring variances in how long it takes to do the work. Cost Margin to cover the naturally occurring variances in the price of something we are consuming in our project.
Aleatory uncertainty and the resulting risk is modeled with a Probability Distribution Function. This PDF describes all the possible values the process can take and the probability of each value. For a single toss of a coin, there is a 50% probability it will be either heads or tails. For multiple tosses of a fair coin, the probability distribution of the total number of heads or the total number of tails is a binomial distribution that looks like this for the number of HEADS from a fair coin being tossed 20 times.
The PDF for the possible durations for the work in the project can be determined in several ways. It turns out we can buy knowledge about aleatory uncertainty through Reference Class Forecasting and past performance modeling. This new information then allows us to update - adjust - our forecast: our past performance on similar work provides information about our future performance. But the underlying process is still random, and our new information simply creates a new aleatory uncertainty PDF.
- Epistemic risk comes from the lack of knowledge. Epistemology is the branch of philosophy concerned with the nature and scope of knowledge. Lack of knowledge is epistemic uncertainty.
Epistemic risk is modeled by defining the probability that the risk will occur, the time frame in which that probability is active, and the probability of an impact or consequence from the risk when it does occur.
Risk statements are used to define and model these event-based risks:
- IF-THEN - says if we miss our next milestone then the project will fail to achieve its business value during the next quarter.
- CONDITION-CONCERN - our subcontractor has not provided enough information for us to status the schedule, and our concern is the schedule is slipping and we don't know it.
- CONDITION-EVENT-CONSEQUENCE - our status shows there are some tasks behind schedule, so we could miss our milestone, and the project will fail to achieve its business value in the next quarter.
For these types of risks we can have an explicit or an implicit risk handling plan. I use the word handling with a special purpose. We handle risks in a variety of ways. Mitigation is one of those ways. But the risk handling work is actual work. It is in the schedule. We are doing work to mitigate the risk. We are buying down the risk, or we are retiring the risk. In all cases, we are spending money and consuming time to reduce the probability that the risk will occur. Or we could be spending money and consuming time to reduce the impact of the risk when it does occur. In both cases we are taking action to address the risk.
The second approach to handling an epistemic risk is to have Management Reserve to cover the cost of the consequences when the risk occurs. Sometimes the term contingency is used. Both Management Reserve and Contingency may be used together. In both cases, money is set aside to handle the risk. We need time as well, so we may have schedule reserve. This gets confused many times with schedule margin, but it is still needed.
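The two handling approaches above, as an added example that is not from the original post: aleatory risk is covered by schedule margin read off a duration PDF, and epistemic risk is carried as a probability-weighted exposure inside the window where each risk is active. The task estimates, risk values, the triangular duration PDF, the 80% confidence level and the use of expected value to size the exposure are all assumptions made for illustration.

```python
import math
import random

# Constructed sample data (not from the original post).
TASKS = [(8, 10, 16), (4, 5, 9), (12, 15, 25)]   # (low, most likely, high) days
RISKS = [  # event-based risks; "active" is the project-week window
    {"p_occurs": 0.3, "p_impact": 0.8, "cost": 100_000, "active": (1, 12)},
    {"p_occurs": 0.1, "p_impact": 1.0, "cost": 50_000, "active": (10, 20)},
]

def heads_pmf(n=20, p=0.5):
    """Exact binomial PMF: P(k heads in n tosses) for k = 0..n."""
    return [math.comb(n, k) * p**k * (1 - p)**(n - k) for k in range(n + 1)]

def schedule_margin(tasks, confidence=0.80, trials=20_000, seed=1):
    """Aleatory: days between the most-likely total and the total at `confidence`.
    Each serial task's duration is sampled from a triangular PDF (assumption)."""
    rng = random.Random(seed)  # seeded so the result is repeatable
    totals = sorted(
        sum(rng.triangular(lo, hi, ml) for lo, ml, hi in tasks)
        for _ in range(trials)
    )
    at_confidence = totals[int(confidence * trials) - 1]
    return at_confidence - sum(ml for _, ml, _ in tasks)

def exposure(risks, week):
    """Epistemic: probability-weighted consequence of risks active in `week`."""
    return sum(
        r["p_occurs"] * r["p_impact"] * r["cost"]
        for r in risks
        if r["active"][0] <= week <= r["active"][1]
    )

def buy_down_value(risk, handling_cost, new_p_occurs):
    """Exposure removed by handling work that lowers p_occurs, net of its cost."""
    removed = (risk["p_occurs"] - new_p_occurs) * risk["p_impact"] * risk["cost"]
    return removed - handling_cost

if __name__ == "__main__":
    pmf = heads_pmf()
    print(f"P(10 heads of 20) = {pmf[10]:.4f}")
    print(f"80% schedule margin = {schedule_margin(TASKS):.1f} days")
    for week in (5, 11, 15):
        print(f"week {week}: exposure = {exposure(RISKS, week):,.0f}")
    print(f"buy-down value = {buy_down_value(RISKS[0], 10_000, 0.1):,.0f}")
```

A positive buy-down value means the handling work removes more exposure than it costs; a negative one means the money is better held as reserve.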
Risk Management is how Adults Manage Projects
One of the posters stated what would be considered a lame response to the processes and seeming complexity of managing risks on non-trivial projects, by stating you're making this too complex - Just Do It. It was lame. Here's the response to those who object in whatever way to doing risk management.
First, answer the question: what is the value at risk for your project? Don't know? Go find out. Then ask the project sponsor, or the person giving you money to manage the project, if they would be willing to lose that money outright. Just write it off when the risk comes true. Probably not would be the answer. So go do the risk management process.
Here's Tim Lister's advice. The section title is Lister's quote and should be used every time some lame response comes back about risk management.