
Thursday, April 25, 2013

24 A Introduction to Risk Management

The following three lectures define risk, outline a risk management process and provide examples of templates useful for risk management.
Risk is the consequence of things happening that negatively impact the performance of an organization’s planned activities. Risks arise from events that occur inside and outside an organization. The consequence of the event can impact the quality, cost or schedule of an activity, or some combination of these effects. There is risk in any activity but there are usually more risks associated with activities that are new to the organization. New activities include the introduction of new products or services or changes to the processes, people, materials or machines used to produce existing products or services. Risks to stable products and services arise from unplanned changes to the internal environment or changes in the external environment, such as the economy, costs of materials, labor market, customer preferences or actions by a competitor, a regulating body or a government agency. An effective manager faces up to risks and manages risks so that the negative impacts are minimized.
Definition of Risk
There is an operational definition of risk that aids in managing risk. This definition is:
Risk R is the probability p of an undesirable event occurring multiplied by the consequence of the event occurrence measured in $, or R = p x $.
This definition allows risks to be quantified and ranked in relative importance so that the manager knows which risks to address first and to evaluate how much investment is reasonable to eliminate or reduce the consequence of the risk. The definition measures risk in dollars. Thus impacts to the quality of a product or service or to the schedule of delivering the product or service are converted to costs. Impacts to quality are converted to dollar costs via estimated warranty costs, cost of the anticipated loss of customers or loss of revenue due to anticipated levels of discounting prices. Schedule delays are converted to dollar costs by estimating the extra costs of labor during the delays and/or the loss of revenue due to lost sales caused by the schedule delays.
The key to good risk management is to address the highest risk first. There are three reasons to address the highest risk first. First is that mitigating a high risk can result in changes to plans, designs, approaches or other major elements in an activity. The earlier these changes are implemented the lower the cost of the overall activity because money and people resources are not wasted on work that has to be redone later. The second reason is that some activities may fail due to the impossibility of mitigating an inherent risk. The earlier this is determined the fewer resources are spent on the failed activity, thus preserving resources for other activities. The third reason is that any activity is continually competing for resources with other activities. An activity that has mitigated its biggest risks has a better chance of competing for continued resource allocation than an activity that has gone on for some time and still has high risks.
Managing Risk
Managing risk is accomplished by taking actions before risks occur rather than reacting to occurrences of undesirable events. The steps in effective risk management are:
1. Listing the most important requirements that the activity must meet to satisfy its customer(s). These are called Cardinal Requirements.
2. Identifying every risk to an activity that might occur that would have significant consequence to meeting each of the Cardinal Requirements
3. Estimating the probability of occurrence of each risk and its consequences in terms of dollars
4. Ranking the risks by the magnitude of the product of the probability and dollar consequence (i.e. by the definition of risk given above)
5. Identifying proactive actions that can lower the probability of occurrence and/or the cost of occurrence of the top five or ten risks
6. Selecting among the identified actions for those that are cost effective
7. Assigning resources (funds and people) to the selected actions
8. Managing the selected action until its associated risk is mitigated
9. Identifying any new risks resulting from mitigation activities
10. Replacing mitigated risks with lower ranking or new risks as each is mitigated
11. Conducting regular (weekly or biweekly) risk management reviews to:
    · Status risk mitigation actions
    · Brainstorm for new risks
    · Review that mitigated risks stay mitigated
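Steps 3 to 6 can be worked through in a few lines of Python. This is an added example, not material from the lectures or the book; the sample risks, the mitigation figures and the rule used for "cost effective" (an action must remove more exposure than it costs) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    p: float       # estimated probability of occurrence (step 3)
    cost: float    # estimated dollar consequence if it occurs (step 3)

    @property
    def exposure(self) -> float:
        return self.p * self.cost          # R = p x $

@dataclass
class Mitigation:
    risk: str          # name of the risk the action addresses
    action: str
    price: float       # dollars needed to carry out the action
    p_after: float     # probability once the action is complete
    cost_after: float  # dollar consequence once the action is complete

def rank(risks):
    """Step 4: highest p x $ first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)

def cost_effective(risks, mitigations, top_n=5):
    """Steps 5-6 for the top_n risks. Assumed criterion: an action is cost
    effective when it removes more exposure than it costs."""
    top = {r.name: r for r in rank(risks)[:top_n]}
    chosen = []
    for m in mitigations:
        r = top.get(m.risk)                # None if the risk is not top-ranked
        saved = r.exposure - m.p_after * m.cost_after if r else 0.0
        if saved > m.price:
            chosen.append((m.action, round(saved - m.price)))
    return sorted(chosen, key=lambda c: c[1], reverse=True)

# Constructed sample register (illustrative values only).
RISKS = [
    Risk("supplier slips delivery", 0.50, 60_000),
    Risk("new component fails qualification", 0.25, 400_000),
    Risk("customer portal breach", 0.10, 2_000_000),
    Risk("key engineer leaves", 0.30, 50_000),
]
MITIGATIONS = [
    Mitigation("customer portal breach", "add MFA and external test", 40_000, 0.02, 2_000_000),
    Mitigation("new component fails qualification", "build early prototype", 30_000, 0.10, 400_000),
    Mitigation("supplier slips delivery", "qualify second source", 35_000, 0.10, 60_000),
    Mitigation("key engineer leaves", "cross-train a backup", 5_000, 0.30, 10_000),
]
```

With `top_n=3` the second-source action is rejected because it costs more than the exposure it removes, and the cross-training action is not yet considered because its risk is ranked fourth.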
In identifying risks it is important to involve as many people related to the activity as possible. This means people from senior management, your organization, other participating organizations and supporting organizations. Senior managers see risks that workers do not and workers see risks that managers don’t recognize. It is helpful to use a list of potential sources of risk in order to guide people’s thinking to be comprehensive. Your list might look like that shown in figure 7.


Figure 7 An example template for helping identify possible sources of risk to the customer’s cardinal requirements.
It also helps ensure completeness of understanding risks if each risk is classified as a technical, cost or schedule risk or a combination of these categories.
Risk Summary Grid and Risk Register
Two useful templates used in risk management are the risk summary grid and the risk register. The risk summary grid is a listing of the top ranked risks on a grid of probability vs. impact. The risk summary grid is excellent for showing all top risks on a single graphic and grouping the risks as low, medium or high. Typical grids are 3 x 3 or 5 x 5. An example 5 x 5 template is shown in figure 8.


Figure 8 An example of a 5 x 5 risk summary grid
The 5 x 5 risk summary grid enables risks to be classified as low, medium or high, typically color coded green, yellow and red respectively, and ranked in order of importance. Note that the definitions for low and medium are not standard. The definition used in figure 8 is conservative in limiting low risk to the six squares in the lower left of the grid. Others, e.g. the Risk Management Guide for DOD Acquisition (an excellent tutorial on risk management that is available as a free download at http://www.dau.mil/pubs/gdbks/risk_management.asp), define the entire first column plus six other lower left squares as low risk.
Relative importance is the product of probability and impact. Identified risks are assigned to a square according to the estimates of their probability of occurrence and impact to the overall activity. In figure 8 there is one medium risk, shown by the x in the square with a probability 0.3, impact 7 and therefore having a relative importance of 2.1. The numbers shown for impact are arbitrary and must be defined appropriate to the activity for which risk is being managed.
A typical approach is to construct a four column by six row table with Impact being the heading of the first column and the numbers 1,3,5,7,9 (or whatever five numbers or letters you choose) in each succeeding row of the first column. The remaining three columns are labeled Technical, Schedule and Cost. Each box in the rows under the Technical, Schedule and Cost headings is defined appropriately for the activity at risk. For example, costs could be defined as either percentage of budget or in actual monetary units. Similarly schedule can be defined as percent slip or actual time slip.
The process using a 3 x 3 risk summary grid typically assigns risk probabilities as 0.1, 0.3 or 0.9 and impacts as 1, 3 or 9. There are three squares for each of the low, medium and high risk classifications with relative importance values ranging from 0.1 to 8.1 according to the products of probability and impact. Specific processes or numerical values are not important. What is important is having a process that allows workers and managers to assess and rank risks and to communicate these risks to each other, and in some cases to customers. The simple risk summary grids are useful tools for accomplishing these objectives and are most useful in the early stages of the life cycle of an activity and for communicating an overall picture of risks. The risk summary grid can be used as a tool in risk management meetings but a better tool is the risk register discussed in the next lecture.



Monday, July 25, 2011

Constructing a Risk Summary Grid

10.3 Tools for Risk Management
Standard tools for risk management include risk matrices, also called risk summary grids, and risk registers. There are also tables of definitions and guidelines that aid in using the matrices and registers. A methodology useful for reducing risk through proactive and planned build and test steps is called design iteration. These tools and design iteration are described in this chapter. Other tools aiding or supporting the identification of risks include fault trees, worst case analysis and failure modes analysis. Risk burn down charts, which display how the total expected value of all identified risks is reduced with time as mitigation actions are completed, are useful in monitoring the overall progress of risk mitigation and the effectiveness of budgeting for risk management.10-1
10.3.1 Risk Summary Grid - The risk summary grid is a listing of the top ranked risks on a grid of probability vs. impact. The risk summary grid is excellent for showing all top risks on a single graphic and grouping the risks as low, medium or high. Typical grids are 3 x 3 or 5 x 5. An example 5 x 5 template is shown in Figure 10-2.
Figure 10-2 One example of a 5 x 5 risk summary grid template
The 5 x 5 risk summary grid enables risks to be classified as low, medium or high; typically color coded green, yellow and red respectively, and ranked in order of importance. Relative importance is the product of probability and impact. Note that the definitions for low and medium are not standard. The definition used in Figure 10-2 is conservative in limiting low risk to the five squares in the lower left of the grid with risk values of 0.5 or less. Medium risks have values of 0.7 to 3.5 and high risks have values from 4.5 to 8.1. Others, e.g. the Risk Management Guide for DOD Acquisition10-2 (An excellent tutorial on risk management), define the entire first column plus six other lower left squares as low risk.
Identified risks are assigned to a square according to the estimates of their probability of occurrence and impact to the overall activity. In Figure 10-2 there is one medium risk, shown by the x in the square with a probability 0.5, impact 7 and therefore having a relative importance of 3.5. The numbers shown for impact are arbitrary and must be defined appropriate to the activity for which risk is being managed.
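The Figure 10-2 classification can be reproduced in code. This is an added example, not the author's template: the axis values (probabilities 0.1 to 0.9 and impacts 1, 3, 5, 7, 9) and the layout of the text grid are assumptions, since the figure itself is not reproduced here; they do yield the five low squares described above. Probabilities are held as integer tenths so that boundary values such as 0.5 and 3.5 compare exactly.

```python
from collections import defaultdict

PROB_TENTHS = (1, 3, 5, 7, 9)   # probabilities 0.1 .. 0.9, held as integer tenths
IMPACTS = (1, 3, 5, 7, 9)       # impact numbers; assumed axis values

def level(p_tenths, impact):
    """Classify one square using the Figure 10-2 bands quoted in the text."""
    if p_tenths not in PROB_TENTHS or impact not in IMPACTS:
        raise ValueError(f"({p_tenths}, {impact}) is not a square on the grid")
    score = p_tenths * impact            # relative importance x 10, exact integer
    if score <= 5:                       # 0.5 or less
        return "low"
    if score <= 35:                      # 0.7 to 3.5
        return "medium"
    return "high"                        # 4.5 to 8.1

def count_levels():
    counts = defaultdict(int)
    for p in PROB_TENTHS:
        for i in IMPACTS:
            counts[level(p, i)] += 1
    return dict(counts)

def place(risks):
    """risks: (identifier, p_tenths, impact). Returns the ranked list and the
    identifiers that land in each square."""
    ranked = sorted(risks, key=lambda r: r[1] * r[2], reverse=True)
    squares = defaultdict(list)
    for rid, p, i in ranked:
        level(p, i)                      # validates the square
        squares[(p, i)].append(rid)
    return [(rid, p * i / 10, level(p, i)) for rid, p, i in ranked], dict(squares)

def render(squares):
    """Text grid: impact rows from 9 down to 1, probability columns 0.1 to 0.9."""
    lines = []
    for i in reversed(IMPACTS):
        cells = []
        for p in PROB_TENTHS:
            ids = ",".join(squares.get((p, i), []))
            cells.append(f"{level(p, i)[0].upper()}:{ids:<4}")
        lines.append(f"{i} | " + " ".join(cells))
    lines.append("    " + " ".join(f"0.{p:<4}" for p in PROB_TENTHS))
    return "\n".join(lines)

# Constructed sample risks: (identifier, probability in tenths, impact).
SAMPLE = [("A", 5, 7), ("B", 9, 9), ("C", 1, 3), ("D", 7, 5), ("E", 9, 5)]
```

Calling `print(render(place(SAMPLE)[1]))` shows each square's level letter with the identifiers placed in it; risk A is the x of Figure 10-2 (probability 0.5, impact 7).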
Some risk management processes described on the web use letters rather than numbers to rank risk probability in constructing risk summary grids. The objective is to assign either a probability number or letter to each risk. To do this it is necessary to make a judgment of the likelihood that the risk occurs. The table shown in Figure 10-3 provides reasonable guidelines for such judgments. Thus, if the likelihood of an event occurring is judged to be remote then assign the probability of 0.1 or the letter A. If it is highly likely assign 0.7 or D. It may be argued that guidelines are needed for what is remote or likely. Unfortunately this wouldn’t help as there is always some guess work or judgment required. If several members of a team discuss the likelihood then they can probably reach agreement and this is adequate. It is important for the novice to understand that it isn’t essential that the probabilities are exact. The objective is to come close enough to compare the relative probabilities of several events so that the events can be prioritized in relation to their relative risk or relative probability of occurrence.


Figure 10-3 Guidelines for assigning probability numbers or letters to risk based on judgment criteria.

After assigning a probability to a risk it is necessary to make a judgment of the impact of occurrence of the risk. A risk event can cause an unexpected cost or cost increase, a slip in the schedule for achieving some related event, or a reduction in the quality or technical performance of some design requirement. It is also possible for the risk to impact two or even all three of the cost, schedule or quality measures. The table shown in Figure 10-4 provides one set of guidelines for assigning impact numbers 1, 2, 3, 4 or 5 to a risk event.


Figure 10-4 Guidelines for assigning impact numbers to a risk event.
Costs can be defined as either percentage of budget, as shown in Figure 10-4, or in actual monetary units. Similarly schedule can be defined as percent slip, relative slip or actual time slip.
A risk summary grid template using the guidelines provided in Figures 10-3 and 10-4 is shown in Figure 10-5.


Figure 10-5 A less conservative risk summary grid template using the guidelines provided in Figures 10-3 and 10-4.
The process using a 3 x 3 risk summary grid typically assigns probability of risks as 0.1, 0.3 or 0.9 and impacts as 1, 3 or 9. There are three squares for each of the low, medium and high risk classifications with relative importance values ranging from 0.1 to 8.1 according to the products of probability and impact. An example of a 3 x 3 risk summary grid template is shown in Figure 10-6.


Figure 10-6 An example template for a 3 x 3 risk summary grid.
Specific process details or numerical values are not important. What is important is having a process that allows workers and managers to assess and rank risks and to communicate these risks to each other, and in some cases to customers. The simple risk summary grids are useful tools for accomplishing these objectives and are most useful in the early stages of the life cycle of an activity and for communicating an overall picture of risks.
The identified risks are collected in a list and the ten or so with the highest risk values are numbered or given letter identifications. The associated numbers or letters are then displayed in the appropriate square on the risk summary grid. In use the risk values of each square are either not shown in the square or made small so there is room for several risk identifiers in a square. The risk summary grid then provides a quick visual measure of the number of high, medium and low risks. In the early stages of a project it should be expected that there are more risks in the high and medium categories than the low, and as risk mitigation progresses the number of high risks is reduced.

Having identified the risks and ranked them the team must decide what to do with risks that are assigned as Low, Medium or High. One set of guidelines is shown in the table provided in Figure 10-7.
Figure 10-7 Example guidelines for actions for each level of risk.
Again, the specific guidelines a team employs are not as important as it is for the team to have agreed upon guidelines appropriate to their work and organization and to follow them.

10-1 The Manager’s Guide for Effective Leadership by Joe Jenney, AuthorHouse, 2009
10-2  Risk Management Guide for DOD Acquisition, Sixth Edition (Version 1.0), Department of Defense, August 2006 http://www.dau.mil/pubs/gdbks/risk_management.asp