All project work is uncertain. Uncertainty comes in two types - Reducible (Epistemic) and Irreducible (Aleatory). These uncertainties create the risk to the success of all projects. Without managing in the presence of risk, the probability of project success is significantly reduced, most likely reduced to zero.
First, a definition:
A risk is an issue or event that could prevent a program or project from meeting its technical, schedule, cost, or safety objectives.
Management in the presence of risk has the following steps: [1]
- Identification - is the process of transforming uncertainties about an event or task into distinct risks that can be described, measured, and acted upon. A risk statement is prepared to describe the risk context, condition, consequence, and general time-interval. The context section provides the what, how, when, where, and why of the risk statement. The condition is a single phrase that briefly describes the key circumstances and situations causing concern, doubt, or anxiety. The consequence is a phrase that describes the negative outcome(s) that may occur due to the condition. The identified risk is then submitted as a candidate and either accepted or closed by the program.
- Analyze - includes assessing the likelihood and consequences of each risk, determining the timeframe needed to mitigate each risk, grouping or classifying each risk, and prioritizing identified risks. Likelihood assessments use specific criteria to score risks from 1 (very low likelihood of happening) to 5 (nearly certain to happen). Likelihood scoring criteria are described as:
- Plan - selects an appropriate risk owner who will be responsible for the risk and will apply one of four handling strategies – research, accept, watch, or mitigate.
  - A research strategy seeks more information to determine the most effective way to reduce the risk’s likelihood or consequence.
  - The accept strategy applies when the risk’s consequences are tolerable or the risk cannot be reasonably mitigated in a cost-effective manner. When a risk is accepted, the risk owner must document a complete acceptance rationale in the risk database.
  - A watch strategy applies when the program chooses not to accept the risk or commit resources and requires a metric to indicate a change in conditions or scoring.
  - Some mitigation plans may require a fallback plan in case the primary mitigation does not achieve risk reduction. A recovery plan may be established for a risk that has a high confidence of becoming a problem or that has a high consequence.
  - The recovery plan is invoked should the risk actually occur and allows the program to plan for future problems proactively.
- Track - is a fundamental step in controlling risks. Data, including measures of actual versus planned progress, qualitative descriptions, and quantitative measures, is collected, compiled, and reported so that management can decide whether to update risk mitigation actions, adopt an alternative mitigation approach or handling strategy, analyze other risks, or initiate new risks. For example, management may track quantitative measures of the residual probability that a risk will occur and assess those measures periodically to decide whether to continue mitigation, change the mitigation approach, accept, or close the risk.
- Control - management evaluates risk mitigation tracking reports for progress (actual versus planned) and verifies that appropriate tasks and handling plans are in place. If actual progress differs significantly from planned progress, the risk owner should escalate the risk to the next higher review level. Typical decisions made during the step are: continue as planned; re-plan (develop a new or updated mitigation plan); change the primary plan to the fallback plan; accept the risk; or close. The appropriate management level must concur with the closure rationale before a risk is closed. If the residual risk has a score greater than 3, the risk should not be closed but undergo further mitigation or be accepted. Any risk with a score of 3 or lower is assumed to be sufficiently mitigated and may be closed without expending additional resources. Decisions are captured in a program’s risk database.
- Communication - Communication and documentation occur in all process steps and ensure risks are properly understood, all consequences are considered, and all options for action are identified and prioritized accurately. Risks are documented in the database appropriate to the risk priority. For example, Top Program Risks are documented in the Active Risk Manager database while lower-level risks can be documented in a database at the organizational level responsible for the risk. Each risk database has the ability to produce summary and detailed reports, which facilitate communication between program stakeholders and managers to enable risk-informed decisions.
For this process to work, each activity - in the presence of uncertainty - must be estimated.
So in the end, if we're going to be adults when managing projects, especially projects funded by other people's money, we need to act like adults and estimate. Without estimates of the uncertainties, the risks created by those uncertainties, the effectiveness of our risk handling processes (research, accept, watch, or mitigate in the NASA paradigm), the effectiveness of the controlling processes, and even the effectiveness of the communication processes, there will be little chance of success for our risk management process.
Let's change Tim Lister's quote and call it as it is:
Estimating is how adults manage projects. No estimates, no adult management.
and the story in our neighborhood when our sons were in the Scouts...
What's the difference between our organization and the Boy Scouts? The Boy Scouts have adult supervision.
[1] NASA's approach to Continuous Risk Management, described in "NASA's Management of the Orion Multi-Purpose Crew Vehicle Program," September 2016