Table of Contents

Risk Management

We subscribe to the approach proposed by Dr Eddie Obeng.

Don't confuse unfamiliarity with risk. (If other people do it OK then it is OK e.g. foreign food)

Don't confuse familiarity with low risk. (50 people a year are killed by their underpants)

Don't confuse perceived risk with real risk (eg house with swimming pool and shot gun. Your child can die by both, but one is perceived as being a risk and one is a real one)

Don't confuse real risk with a risk log (risk often left off due to politics)

The risk log is where it all happens or not (as is too often the case). The risk log collects all the adverse events that might occur. It should not be a list of ill-defined difficult areas ("bad weather"), but defined events such as "supplier goes bankrupt", "key resource goes off sick". It should be a list of binary events that will or will not happen, each with a specific dis-benefit to the project. Though in reality this dis-benefit is often not straight forward, and usually takes a probability distribution (how many days the key resource is likely to be off sick). Details of a risk can be captured as:

1 Event: Description of the risk, the estimated likelihood of it happening, and an owner - usually the person who is going to be most upset by it.
2 Impact: The project objective the risk impacts (time - schedule, cost - WBS, or performance measure) and the estimated severity of its impact.
3 Actions: Actions to do something about it (reduce, transfer, or contingency plans for when it happens)

It has become popular to rank risks based on a using a product of probability/likelihood and impact. This ranking is used to provide a basis for considering the priority of the response. THIS IS WRONG!!! Risk requires consideration of both likelihood and impact.

The 5 step Alien Risk Management framework

Sci-fi films only work because the characters are such appalling risk managers (think about it).

1. Identify the danger

If you came across a crashed spaceship would you:

a) Identify that it was dangerous and hand it over to better equiped people?

b) Decide to take a look round the spaceship with your mates?

2. Fix it NOW (don't write it up and file it)

Upon discovering that there was an alien on board, would you:

a) kill it immediately and run like hell?

b) take it back home to study?

3. Contain it

Upon geting back home, would you:

a) put it in the toughest container you could find?

b) leave it lying on the kitchen table?

4. Monitor it

Would you:

a) get the most alert person to keep an eye on it

b) get the person most curious (mad scientist) or clueless trainee to keep an eye on it?

5. Have a plan B

Once it had escaped and was busy eating everyone, would you:

a) blow up/set fire to the house?

b) insist it was rare and must be captured without damage?

Frogs on a log

There are 5 frogs on a log and four decide to jump off. How many frogs are on the log?

Answer 5 because there is a big difference between deciding and doing (step 2 above).

Get the frogs off the log

The process

Simple. Do the 5 steps at the start and regularly with the team and stakeholders through out the project. Plan it in now.

Is it a risk or is it an Issue? Does it matter as long as they are being resolved?

Formal Risk process

This is usually broken down in two parts; Risk Analysis and Risk Management. Each of these is subdivided as follows:

If you can not identify the impact then you have not identified the risk fully. You need to explain the "why".


Some resources for risk capture and logging.

These are some access databases that can be developed to a format suitable for your organisation.

A database that includes risk, issue, action and meeting recording.

25 January 2009 (14)