Project and risks

Risk Management


Why, What, How?

Risk is inevitable in everything we do. There may be commonplace risks that are almost inevitable, for example, the risk that a member of the team is sick for part of the project. There may be some unlikely but high impact risks, for example, the risk that the solution could cause the destruction of the organisation (see the case studies below).

The good Project Manager will constantly assess the risks and take action as needed. There are three possible outcomes for each risk:

  • take action now to avoid the risk, to reduce its likelihood, or to reduce its impact,
  • make contingency plans so that the team is ready to deal with the impact and mitigate the risk should it occur,
  • agree that it is an acceptable business risk to take no action and hope that the risk does not occur.

The process for managing risks is:

  • identify all realistic risks
  • analyse their probability and potential impact
  • decide whether action should be taken now to avoid or reduce the risk and to reduce the impact if it does occur
  • where appropriate, make plans now so that the organisation is prepared to deal with the risk should it occur
  • constantly monitor the situation to watch for risks occurring, new risks emerging, or changes in the assessment of existing risks.

Risk Management - available as a PowerPoint slide


Why is it hard to believe you could personally destroy the organisation?


Case Study

A European retail and wholesale bank replaced its core operational systems following their "Rapid Implementation Plan" (RIP). Their previous systems were obsolete and inadequate. As they needed the space for the new hardware when it was ready, they physically removed and scrapped the old hardware to switch over immediately to the new system.

Very soon, major problems were found with the new system. It did not correctly calculate interest and consequently was misstating customers' balances. Very large amounts of money were vanishing in the accounts. There was no possibility of reverting to the previous system.

Our review identified the problems and external teams were brought in to fix the system and to correct the accounts. The one thing we could not fix was their reputation. The bank was no longer a viable profit-making entity, but, thanks to our work, it was able to cease retail trading in an orderly fashion.


Case Study

A global telecomms service provider had built new customer and billing systems. To save time and cost, no one had bothered to document the system. Some time later they realised that this was causing operational difficulties in running the system.

Our work was to retro-document the systems. As no one knew any of the detail we did this by examining the code and deciphering what it did. One element of the billing algorithm was particularly strange. When we explained it to the Finance Director he said "no it can't work like that - if it did we'd be bankrupt". It did, they were.


Assessing risks

Statisticians love to play with the mathematics of risk. The basic formula is simple:

probability of the risk times costs if it happens equals expected cost from this risk

Equally simple is the rationale to apply when considering avoiding actions: if the cost of the avoiding action is less than the reduction in the expected cost of the risk then it is worthwhile.

  Quantifying Risks and Justifying Avoidance Actions

  Probability x Financial impact = Expectation of losses

  Cost of avoidance or risk reduction

  Probability after effect of avoidance / reduction actions x Financial impact after effect of avoidance / reduction actions = Revised expectation of losses

  Net benefit from actions



Note that you can reduce the expected cost of a risk either by reducing its probability, or by reducing its impact.

This guidance is mathematically sound, but there are several practical problems with relying solely upon such logic, for example:

  • The expected cost of a risk is, in effect, an average cost over a large number of projects, but in any one project a given risk either occurs or it does not. You either lose £10,000 or nothing - you never lose the "expected" £5,000.
  • How much value do we place upon such things as survival of the business, visible quality of the solution, and the reputation of the organisation?
  • How do we value human life and suffering (some of you will be building systems that keep aircraft in the sky, or patients alive)?
  • What if the risk does not affect you but affects someone else such as a third party contractor?
  • How do we deal with very big and very small numbers?
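The calculation above and the first caveat, worked through as an added example (not part of the original page). The net benefit is taken to be the reduction in expected loss minus the cost of the action, following the rule stated in the text; the risk register figures are constructed, and risks are assumed independent.

```python
from fractions import Fraction
from itertools import product

def expected_loss(probability, impact):
    """Probability x financial impact = expectation of losses."""
    return Fraction(probability) * impact

def net_benefit(p_before, impact_before, p_after, impact_after, action_cost):
    """Reduction in expected loss minus the cost of the avoidance action.

    Positive means the action is worthwhile by the rule in the text.
    """
    before = expected_loss(p_before, impact_before)
    after = expected_loss(p_after, impact_after)
    return before - after - action_cost

def loss_distribution(risks):
    """Exact {total_loss: probability} for independent (probability, impact) risks."""
    dist = {}
    for outcome in product((False, True), repeat=len(risks)):
        prob, total = Fraction(1), 0
        for occurred, (p, impact) in zip(outcome, risks):
            prob *= Fraction(p) if occurred else 1 - Fraction(p)
            total += impact if occurred else 0
        dist[total] = dist.get(total, 0) + prob
    return dist

def probability_loss_at_least(risks, threshold):
    """Chance that this one project loses `threshold` or more."""
    return sum(p for loss, p in loss_distribution(risks).items() if loss >= threshold)

# The page's own case: a 1-in-2 chance of losing 10,000 (expected cost 5,000).
SINGLE = [(Fraction(1, 2), 10_000)]
# Constructed register (GBP): the first and last risks have the same expected
# cost of 5,000, but only the last one can end the organisation.
REGISTER = [
    (Fraction(1, 2), 10_000),
    (Fraction(1, 10), 40_000),
    (Fraction(1, 10_000), 50_000_000),
]

if __name__ == "__main__":
    print(dict(loss_distribution(SINGLE)))  # outcomes are 0 or 10,000, never 5,000
    print(sum(expected_loss(p, i) for p, i in REGISTER))
    print(probability_loss_at_least(REGISTER, 50_000_000))
    print(net_benefit(Fraction(1, 2), 10_000, Fraction(1, 10), 10_000, 3_000))
```

The register's expected loss is 14,000, yet no single project can lose that amount: the possible totals jump from 50,000 straight to 50,000,000 and above.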

Suppose you tell the Project Sponsor that there is a 1 in 10,000 chance that you might destroy the organisation. Assuming you are not fired immediately, how much would it be worth to reduce that risk to 1 in a million? How much would they pay to reduce it to zero (assuming that could ever be possible)?

Suppose that the risk would not damage the project or its planned benefits but it would damage your third party contractors. This is not uncommon where a fixed price contract has been agreed. The risk might be that the availability of departmental resources fails to meet the planned level. When the contractor runs late and has to put in more resources, it is probably the organisation's fault, but it may be the contractor's risk and at the contractor's cost.

Suppose there is a minute risk with an enormous consequence. Think about this bizarre example:

How does the chance of the Project Sponsor being run over by a bus compare with the chance of their being killed by an asteroid strike? Bus accidents happen every day, so you would assume that was the more common risk even though they usually only harm one person at a time. Asteroid strikes are extremely unusual, say one case in every 500,000 years, but when they occur they might kill say a quarter of the world's 6 billion people. If you work out the statistics, the chance of being killed by an asteroid strike is only 25,000 to 1. Some claim that is more probable than a bus accident. It is in the same ballpark as dying in an aircraft accident and it is much more likely than winning the top prize in a lottery.

Now try telling your boss that you have calculated it is worth spending £1.5 billion on asteroid risk avoidance and see what the response is. You would be crazy unless, maybe, your boss is the President of the United States.

There is no easy answer to any of these difficulties. The bottom line is that the Project Manager needs to discuss and agree the appropriate response to all significant risks that have been identified.


Assessing risks at the start of the project

During the Project Definition, the headline risks should be considered as part of the overall benefit model. At this stage, you will not be dealing with a full catalogue of risks, consequences and actions. You will focus on the main areas that affect either the justification of the project or the manner in which it will be carried out.
