First, risk assessment is our attempt, as project managers, to minimize the possibility of failure. We define failure as one of three things:
- Exceeding the time allocated to complete the project
- Spending more than the budget allocated for the project
- Not meeting our client’s requirements
Secondly, we can generalize that projects fail for two reasons:
- External events negatively impact the project – such as having insufficient resources, uncontrolled scope changes, and unanticipated events
- An overly optimistic plan requires the team to hit pre-set targets – sometimes due to having these targets dictated by others without sufficient insight into what it takes to get the project done, and at other times due to failure to properly scope the project, or blithely expecting that all targets will be met in a timely way and technical problems will be minimal – in the name of being a good team player.
We would maintain that part of planning for risks consists not only of expressing time and budget estimates as ranges at the beginning of the project (which allows for the actual risks that may occur) but also of using those ranges and estimates to establish contingency percentages for the project (most effectively done for the project as a whole rather than at the task level). However, although contingency planning is necessary, it is not sufficient. The part that is often left out is that a full risk assessment should be done once the project team has been fully assembled and has started to work on the project – around the 20% completion mark.
Performing an assessment at this point allows the team to determine how realistic the original risk assessments were and also to add to (or subtract from) the list of possible project risks. Any assessment of this type needs to involve the key members of the team (Project/program manager, Lead Business Analyst, Lead Technical Architect, Business sponsor, senior program and QA leads, etc.) to get a true picture of all the risks impinging on the project. This type of assessment should be done one-on-one with each individual for larger programs/projects and/or using a survey instrument for smaller projects. It needs to include both a quantitative assessment (the level of risk, on a numeric scale, that a particular risk represents to the project and/or to the business, as well as the probability, on a numeric scale, of the risk actually coming to pass) and a qualitative assessment.
Many organizations ignore or downplay the need for the qualitative assessment. However, as has been proven many times with techniques like Six Sigma, your staff is usually very aware of the issues that are occurring or likely to occur, and can pinpoint them and suggest possible solutions. Our experience in doing this type of assessment for companies has shown that it is best led by individuals not involved in the project being considered, to avoid conflicts of interest in reporting what is actually happening within the project.
Performing this type of assessment and covering both the quantitative and qualitative issues will ensure a higher likelihood of risk assessment accuracy and result in more successful projects over time.