Risk is inevitable in everything we do. There may be commonplace risks that are almost inevitable, for example, the risk that a member of the team is sick for part of the project. There may be some unlikely but high impact risks, for example, the risk that the solution could cause the destruction of the organisation (see the case studies below).
The good Project Manager will constantly assess the risks and take action as needed. There are three possible outcomes for each risk:
The process for managing risks is:
Statisticians love to play with the mathematics of risk. The basic formula is simple:
Equally simple is the rationale to apply when considering avoiding actions: if the cost of the avoiding action is less than the reduction in the expected cost of the risk then it is worthwhile.
Note that you can reduce the expected cost of a risk either by reducing its probability, or by reducing its impact.
This guidance is mathematically sound, but there are several practical problems with relying solely upon such logic, for example:
Suppose you tell the Project Sponsor that there is a 1 in 10,000 chance that you might destroy the organisation. Assuming you are not fired immediately, how much would it be worth to reduce that risk to 1 in a million? How much would they pay to reduce it to zero (assuming that could ever be possible)?
Suppose that the risk would not damage the project or its planned benefits but it would damage your third party contractors. This is not uncommon where a fixed price contract has been agreed. The risk might be that the availability of departmental resources fails to meet the planned level. When the contractor runs late and has to put in more resources - it is probably the organisation's fault but it may be the contractor's risk and to the contractor's cost.
Suppose there is a minute risk of with an enormous consequence. Think about this bizarre example:
Now trying telling your boss that you have calculated it is worth spending £1.5 billion on asteroid risk avoidance and see what the response is. You would be crazy unless, maybe, your boss is the President of the United States.
There is no easy answer to any of these difficulties. The bottom line is that the Project Manager needs to discuss and agree the appropriate response to all significant risks that have been identified.
During the Project Definition, the headline risks should be considered as part of the overall benefit model. At this stage, you will not be dealing with a full catalogue of risks, consequences and actions. You will focus on the main areas that affect either the justification of the project or the manner in which it will be carried out.