Depending on the type of project you’re involved with you could have several different risk management models to consider as the project manager. However, the over-riding issue regarding any risk management exercise that you undertake or supervise is, having established a risk within the project – are you prepared to make the decision whether to accept or reject the risk and then accept responsibility for your decision? If you are, then you are displaying one of the qualities necessary for a successful project manager, namely assessing risks and taking your chances with them. Of course an inherent risk in any aspect of a project shouldn’t result in you feeling isolated in having made your decision, in identifying the risk it then becomes part of your job to ensure that resources are deployed to minimize it.
What is meant by a risk management model?
If you were to ask the same question regarding project management in general, then there would be a reasonably concise number of models to which you could refer to as illustrative models. For example: GANTT, PERT, PRINCE, CCPM and CMMI – all of which can be applied generically to most projects. However, the situation with risk management is very different. It should not need stating that the likely risks for someone working in healthcare will be significantly different to someone working in construction, and as different again to someone else working in finance. So, imagine that you are the project manager building a new hospital – you would need access to and knowledge of all three those models. The simple fact is that risk management models are created to fit each unique project that arises. So, as the project manager you must be prepared to create a new model when planning the project and make a provisional assessment of the risk. The adjoining grid might help you in assessing those risk management actions. When doing this you will find that there are very few internationally accepted risk management models such as RBCA – Risk based Corrective Action for human and environmental receptors in water pollution. The vast majority of risk management models are known as Limited Models and are really exclusive models to companies and groups with a special interest. For instance; CalTOX, California Department of Toxic substance control assesses the risks posed by waste hazardous materials in the environment. Another one would be DREAD, which is used inside the Microsoft Corporation to assess computer security threats – Damage, Reliability, Exploitability, Affected users and Discoverability.
Creating a risk management model.
The question that may well be going through your head right now is – OK, so how do I create a risk management model? Well, hopefully you’ll find the following ideas and suggestions will at least get you started on that task. Risk management modeling is simply one of the tasks you need to do at the planning stage, considering what are likely to be the major problems in the project and then what can you do to reduce them. The number and complexity of these likely problems will undoubtedly vary according to the size and complexity of the project you’re managing. However, the principles for your risk management model are the same whether you’re assessing the risk for someone injuring themselves on a construction site, or the risk of a global financial crash on the day you launch a new finance facility. So, just how should you create a risk management model?
A model for risk management modeling.
At its highest level risk management modeling is a discipline in its own right that requires various factors to be statistically analyzed in order to quantify the risk(s). The following sets out what you can do by way of first identifying what risks your project faces, assessing those risks, identifying responses and solutions to the risks and finally communicating the risks to the people likely to be affected by them. When identifying the risks always take the time to reflect on any assumptions you make. The risk will be a fact but your assumptions about that risk, even if backed up with data from previous similar risk assessments – are still assumptions. You need to make it very clear as and when you are making an assumption, rather than stating a fact or something that can be quantified. There’s an old carpenter’s saying “measure twice – cut once” – you’ll do well to think twice before committing your self to a risk management statement. This will help you when you’re deciding exactly what the chances of each of the risks actually occurring is. After all, they are risks – not certainties! Also, don’t forget to add in any external factors associated with the risk(s) over which you have little or no control. Whilst they should already have been clearly defined in aims and objectives to meet in the general project plan, identifying them also as risks will be useful for you in the event of these external agencies defaulting on delivery of their products/services. Finally, in terms of assessing risks, what will be the likely risk to the whole project if one risk should actually manifest itself? Let’s use an example to explain that. Suppose you’re project managing a construction site, your risk assessment includes injury to building workers. What might happen to your project schedule in the event of a serious injury and Health and Safety insisting on the project halting until they’d investigated the circumstances of the injury? In other words, have contingency plans built in to the model so that you can, literally, manage the risks. Then you can move on to identifying the measures you can take to prevent the risks actually occurring or at least reduce the impact of them should they occur. Here you need to have a clearly set out plan of action that will quickly get your project back on track. This means identifying who you are delegating responsibility to in order that the problem arising from the risk is solved or removed with utmost efficiency.
What to do with your risk management model.
Whether your risk management model is on one sheet of A4 paper or fills a hard-disk on a computer doesn’t matter. Having a nice shiny copy of it in your office is of no use to anyone. All of the staff involved in the project need to be informed where they can access a copy of it, should they need to. However, even more importantly is the need for you to communicate the risk management model(s) that you have drawn up to the managers to whom you are delegating specific responsibilities. Even then, you cannot sit back and think “Ah – a job well done”; as your risk assessments are still of no use at all if they’re not communicated to the relevant individual workers under the managers responsible to you. Returning to the example of a construction project, only when you’re satisfied that all workers are cognizant of the risks in the areas that they are working in can you start to think that you have a risk management model in place. Remember, risk management isn’t about you taking risks to get a job done; it’s about planning for those risks that could risk your whole project. Don’t forget to ensure the project sponsor receives a copy of your risk management model too, this isn’t so you can say “I told you so”, if something goes wrong – but it will demonstrate to them that you are doing your utmost to over all the angles.