Sunday 15 April 2012

Doing Risk Management or Leaving Project Management

Like magicians or fortune tellers, Project Managers (PMs) often deal with intangible things such as planning for the future, forecasting, communication, etc. Among these invisible things, there is one that, if PMs don’t do it well, makes the possibility of success very … very low. I want to say it is “Risk Management”.


“All project management is risk management”
Eric Verzuh


1. Introduction
Many people who do project management don’t really do Risk Management. There are a number of reasons: they are not aware of it, they find it difficult to do, they don’t believe in it, and, most importantly, they don’t understand it.

This article does not try to cover all aspects of Risk Management. I wrote it to put down some basic activities with which people can get started with Risk Management quickly.

2. Case study

Son was assigned to be the project manager (PM) for a software development project. In this project, he took over an existing application and implemented a list of change requests. The project was estimated to be complete in 3 months with 3 developers, 1 BA and 1 tester.

After the existing application was transferred to the team, Son discovered a challenge which the team would soon face when implementing the project.

The challenge was associated with a feature that imported data from a set of CSV files into the database. Son recognized that if data was stored in the CSV files incorrectly (e.g. wrong data types, wrong columns, etc.), the application would behave unexpectedly. Moreover, he foresaw hundreds of cases with a similar situation. Therefore, he decided to add a risk to his list.

| ID | Risk Description | Action | Priority |
|----|------------------|--------|----------|
| 1 | There are hundreds of cases in which users can input data incorrectly into CSV files | To be reviewed with the senior developer | 2 |





After discussing with the senior developer, Son came up with a data validation strategy; the full validation would take 2 months to complete. Obviously, this work was not defined in the original change requests, so Son decided to communicate it to the client.

In addition, the senior developer also raised a concern. For importing data, the existing system was using a 3rd party data layer library (3PDLL) which the team had not worked with before. Son identified this as another risk and the risk list became:

| ID | Risk Description | Action | Priority |
|----|------------------|--------|----------|
| 1 | There are hundreds of cases in which users can input data incorrectly into CSV files | Inform client: this is out of scope and suggest adding it to backlog for future enhancement. | 1 |
| 2 | Data importing is implemented using 3PDLL, but the team doesn’t have experience with it. | Let the team do research on it and revisit after one week | 1 |





Son informed the client about the 1st risk and the client was happy to accept it. After one week, the senior developer discovered another challenge regarding 3PDLL. The existing application had been using 3PDLL without any Transaction or Error Handling. As a result, the application just stopped working without any notification when errors occurred. As this was how the existing application worked, Son decided to add it to the risk list as something to be improved and then communicated it to the client. The risk list became:

| ID | Risk Description | Action | Priority |
|----|------------------|--------|----------|
| 1 | There are hundreds of cases in which users can input data incorrectly into CSV files | Inform client: this is out of scope and suggest adding it to backlog for future enhancement. Client has accepted the data validation to be implemented in the future. | 3 |
| 2 | Data importing is implemented using 3PDLL, but the team doesn’t have experience with it. | Let the team do research on it and revisit after one week | 3 |
| 3 | The current system is using 3PDLL without Transaction and Error Handling. This may cause strange behaviors when importing data. | Propose to client applying Transaction and Error Handling to 3PDLL. | 1 |
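
Risks 1 and 3 in the list above, shown as an added example that is not part of the original article or the project's code: a CSV import that checks columns and data types, reports every bad line, and inserts inside a single transaction so a failure leaves nothing half-imported. The `items` table, its three-column schema and Python's built-in `sqlite3` (standing in for the 3PDLL) are assumptions.

```python
import csv
import io
import math
import sqlite3

def finite_float(text):
    value = float(text)
    if not math.isfinite(value):  # float() also accepts "nan" and "inf"
        raise ValueError(f"non-finite number {text!r}")
    return value

# Assumed schema for this example: column name -> converter raising ValueError on bad data.
EXPECTED = {"id": int, "name": str, "amount": finite_float}

def validate(csv_text):
    """Return (typed_rows, errors); every error names the offending line."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header != list(EXPECTED):
        return [], [f"line 1: header {header} does not match {list(EXPECTED)}"]
    rows, errors = [], []
    for fields in reader:
        if len(fields) != len(EXPECTED):
            errors.append(f"line {reader.line_num}: expected {len(EXPECTED)} columns, got {len(fields)}")
            continue
        try:
            rows.append(tuple(conv(f) for conv, f in zip(EXPECTED.values(), fields)))
        except ValueError as exc:
            errors.append(f"line {reader.line_num}: {exc}")
    return rows, errors

def import_csv(conn, csv_text):
    """Reject the whole file on any validation error; otherwise insert atomically."""
    rows, errors = validate(csv_text)
    if errors:
        raise ValueError("import rejected: " + "; ".join(errors))  # surfaced, never swallowed
    with conn:  # one transaction: commit on success, rollback if an INSERT fails
        conn.executemany("INSERT INTO items VALUES (?, ?, ?)", rows)
    return len(rows)

# Constructed sample files: one with a bad type and a short row, one with a duplicate key.
BAD_FILE = "id,name,amount\n1,widget,9.50\ntwo,gadget,3\n3,short-row\n"
DUP_FILE = "id,name,amount\n1,widget,9.50\n1,gadget,3\n"

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, amount REAL)")
    return conn
```

`DUP_FILE` passes validation but violates the primary key, so it exercises the rollback path: the first row is inserted, the second raises, and the table ends up empty rather than half-filled.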





3. Let’s start doing Risk Management
According to the PMBOK or CMMI standards, PMs need to plan for things like risk sources, risk categories, impacts, probabilities, etc. Risks should be analyzed qualitatively and quantitatively. Then, PMs should have strategies such as Mitigate, Avoid, Accept, Transfer, etc. to deal with the identified risks.

It sounds complicated, doesn’t it?

Now, let’s just ignore the above paragraph. All I want to say is: let’s start with a list and cover some regular activities, as follows.
•    Identifying risks
•    Defining actions for risks
•    Monitoring risks regularly

3.1 Risk list
As seen in the case study, my list has four columns: ID, Risk Description, Action and Priority. You may need more basic columns (or risk properties) like Status, Open Date, Owner, Closed Date, etc. and advanced columns like Impact, Probability, Exposure, Source, Category, Strategy, etc. But I suggest that if you’ve never done Risk Management before, you should start with a simple list first.

3.2 Identifying risk
I like one question from the Scrum daily meeting: “Do you have any obstacles?” Asking this question weekly, daily, hourly, … or whenever possible will help to identify the uncertain things which the team is facing. Risks come from uncertain things.

One important thing I want to mention here is that risks should be identified by every project team member. By continually asking and communicating with the team, PMs will see and find the risks which they can’t figure out by themselves.

3.3 Defining actions for risks
Actions for risks must be as specific as possible. By answering the two questions below, you will find the corresponding actions.
1.    What can we do not to let the risk happen?
2.    What should we do if the risk happens?
The answers should not only come from PMs but also come from relevant project team members.

3.4 Monitoring risks regularly
Risks and actions must be revisited regularly, at least once a week. If you really do risk management (continuously looking for risks), there will always be many risks in your list. However, you only need to focus on the top-priority risks.

4. Misthoughts about risk management
I used to think about risk management incorrectly, and I also often see many PMs misunderstanding risk management. So, I put here some things I call misthoughts.

My project has no risk: This PM doesn’t do risk management.

Risk management is complicated: It seems to be so with huge projects like building an airport station, constructing a national park, etc. In software development, you can start with my simple steps, and when you get familiar with them, you can do more.

I have no time to find risks: PMs should encourage project team members to tell their concerns and worries about their tasks and project. Risks are principally identified from that.

My company doesn’t require me to do risk management: what do you think?

5. Conclusion
Not many people are convinced about the value of risk management until they’re facing problems in project management, and then they wish they had done something earlier.

The risks and the corresponding actions which I presented in the case study look quite obvious. However, I’ve changed them a bit when writing this article. In reality, risks were not managed and the team spent too much time on fixing defects caused by CSV files and 3PDLL. When these two issues were discovered, the client accepted that these two issues were out of scope and could be considered in the future. Even so, the project was delayed three weeks and effort was over budget by nearly 50%.

I would say that you pay one cent for risk management so as not to lose a hundred dollars or more later.