CMMI - L 3 - Defined - Risk Management

The purpose of Risk Management is to identify potential problems before they occur so that risk-handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives

The goals of this process area are:

1. Prepare for Risk Management
2. Identify and Analyze risks
3. Mitigate risks
------------------------------------------------------------------------------------

A CEO of a leading company was once asked what single characteristic was most important while selecting a project manager.

He responded: “A person who has the ability to know what will go wrong before it actually does” .

This in essence highlights the importance of Risk Management. We live in a world of uncertainty. Understanding the risks involved and taking mitigation steps is of paramount importance to ensure success of the project.

Robert Charette, in his book, Software Risk Analysis and Management gives a definition of risk. Risk concerns future happenings. Whatever happened today and yesterday are out of scope of risk analysis. The question is how to adjust our actions today so that we are better prepared for tomorrow . Risk Mitigation is like insurance premium. To protect our family, and ourselves we pay a premium. This premium is calculated based on the probability of occurrence of any event.

To do an effective risk management, project managers need to do the following:

1. Risk Identification: Identify all risks in the project. Look at project objectives and goals and see what are all the reasons that you may give if you don’t meet them. All these are potential risks in your project!

2. A use of a risk item checklist is very important, since it gives visibility to things (risks) unknown to you.

3. Risk projection is the next step. That is, identifying the probability of occurrence of the risk, and the consequences or impact of the risk, should it occur. This serves to highlight the visible impact of the risk.

“We will see when it happens” – This type of statement may be true for politicians or super characters like James Bond. It seldom works for project managers. A proactive risk management strategy identifies risks at project initiation stage itself. The risks are continuously monitored and mitigation steps planned. I present below a case from one project. In this maintenance project, the customer manager changed. The project manager did not have an idea how the new manager would be. Customer response time was put as a risk that would impact schedule. Similarly, quality of issue resolution was put as another risk that would impact delivered quality. The project manager took effective mitigation steps. In this case, it included buffering in time for issue resolution and an extra review of the issues. One thing to remember is that mitigation steps require time (cost). But that is the premium we have to pay.

Things, which are already known, are not risks. For example, if you know that the team is new to that domain - it is not a risk. Many times, in project plans, it is seen that events, which have happened, or happening are put as risks. This should not be the case. Known facts are no longer risks. These are called constraints and should be handled right away in the plan. We should also be able to see the final impact of the risk. That is, if this risk materializes, what parameter in my project will go wrong – cost? or schedule? or defect levels? or performance of application etc.

A Chinese proverb said it well: Risk is project managers enemy. If you know your enemy, half the battle is won.


Next - CMMI - L3 - Defined - DAR, OPF, OPD

For questions, write to know.cmmi@gmail.com or leave a comment here.