Risk Management starts with a collection of risks. Their probability of occurrence, the probability the risk will unfavorably impact the project. Then some risk handling process is needed to reduce the impact of the risk, or reduce the probability that the risk will occur.
This is the standard PMI approach to Risk Management, along with the 5 by 5 chart showing Red, Yellow, Green squares for the intersection of the probability of occurrence and probability of impact.
On actual projects, this approach is naive at best and produces more risk at worse
First, all risk is the result of uncertainty. Uncertainty comes in only two forms.
- Reducible Uncertainty - Epistemic.
- Irreducible Uncertainty - Aleatory.
Here are some previous blogs on the topic of Aleatory and Epistemic Uncertainty
- Both Aleatory and Epistemic Uncertainty Create Risk
- Aleatory Uncertainty Creates Irreducible Risk
- Epistemic Uncertainty Creates Reducible Risk
Without separating the uncertainties that create the risk into reducible and irreducible, any model of the impacts of the risk created by these two sperate classes of uncertainty will fail to properly model the impacts of the risks on the probability of the project's success. Research shows that project shortfalls come mostly from the risk created by irreducible uncertainty. The only handling strategy for irreducible uncertainty is margin. Cost margin, schedule margin, and technical margin.
Secondly, all risks are driven by other risks and all risks drive other risks. Here's a simple example. Note that most of the risks below drive other risks. But Risk-4 drives Risk-3 and in turn, Risk-3 drives Risk-4. This looping structure of common on all projects.
Risk Propagation is a critical source of failure for traditional risk management processes. Here's a risk propagation map for a spacecraft. Notice the multiple loops of risk driving risks.
The Design Structure Matrix used to model this spacecraft looks like this
The principles and processes of Design Structure Matrix for modeling complex systems is another topic, but here are some resources
- The book to start with Design Structure Matrix Methods and Applications
- Tyson Browning is my go-to source for DSM
- Google Design Structure Matrix to get everything you need to get started, including free tools
The key here is
- Simple (PMI) risk management is a start
- Modeling the drivers of risk is the next step
- Modeling the propagation of risk through DSM is the step after that
- With a DSM tool, you can perform a Monte Carlo Simulation of this risk propagation in the DSM network to determine the REAL risk to your project
For the next level dive into DSM and its use on risk management look to this DSM Technical Tutorial
And Of Course, the Final Wrap Up
- All risk comes from Uncertainty in its two forms
- Making decisions in the presence of uncertainty requires making estimates of the probabilistic and statistcal attributes of those uncertainties the impacts of the risks they create on the probability of success of the project
Risk Management is How Adults Manage Projects - Tim Lister
So if you're going to manage how your customer's money is spent in the presence of uncertainties that are present on ALL projects, you're going to have to estimate. Anyone suggesting that those decisions can be made without estimating is simply (willfully) ignoring the immutable principles of probabilistic decision making.