This week’s Sidewise Thinking post is hardcore project
management, for those of you who are interested in that sort of thing. The
chart and approach to qualitative risk analysis comes from my recent AMACOM self-study
sourcebook,
Project Risk and Cost Analysis,
but the words are original to this blog piece.
Qualitative risk analysis as expressed in the PMBOK® Guide has always given me a headache.
The definition is confusing and badly written. That’s not just my opinion, it’s
the common experience of lots of people taking project management seminars.
(Certainly it's true of my seminars, but I’ve seen many other trainers struggle with this
as well.) The problem isn’t with the individual tools. They are easy enough to
understand and apply, and the utility is reasonably obvious. But when you look at the
similarities and difference between qualitative and quantitative risk analysis
using the official PMBOK® (11.3, 11.4) definitions, some problems arise.
·
Qualitative
risk analysis is the process of prioritizing risks for further analysis by
assessing and combining their probability of occurrence and impact.
·
Quantitative
risk analysis is the process of numerically analyzing the effect of
identified risks on overall project objectives.
When people first encounter this, the response is a great big "Huh?" I don't really blame them. Here's why.
To see the problem in PMBOK, start with the most obvious difference between the two types: quantitative risk analysis uses numbers and qualitative risk analysis uses "prioritization." In practice, these amount to the very same thing.
How do you value a risk? According to the book, you multiply its probability
of occurrence by the impact should it occur, expressed by the formula R = P x I. For example, a ten percent risk of losing
a thousand dollars turns into 0.1 x $1,000, or $100. If the cost of dealing with that
risk is less than $100, it’s clearly a good investment. (It’s always worth
noting that the reverse isn’t necessarily true. Spending more than $100 may
well be a good idea, but you may have to prove it.) That's the quantitative way.
In the qualitative approach, according to PMBOK, you might say the probability is LOW and the impact is, say, MEDIUM (depends on the size of the project). You look on a grid to see where the terms intersect (usually LOW). But that's the same thing as saying LOW x MEDIUM = LOW, or P x I again.
In other words, the “numerical analysis of effect” and “combined probability
and impact” are, for all practical purposes, synonyms — the very definition of
risk says so. That creates a lot of blurring between the two
processes, especially in terms of their utility. No matter which technique you use, you end up
with a priority ranking of your project’s risks. (You also get analytical data
about those risks.) Then you move on to risk response planning.
Prioritizing risks gives you only a two-dimensional sort:
higher or lower. That’s quantitative risk
analysis — whether you use actual dollars and percents, or whether you use a
scale of high, medium, and low. You rank the risks into a numerical hierarchy. And that's it.
Prioritizing risks isn't nearly all you need to be doing. In this post, I want to give you a new way to think the two kinds of risk analysis.
You need to organize your list of identified risks in three dimensions, based on the initial choices you must make. Some risks require more rapid response than others, severity notwithstanding. Some risks affect the project but aren’t yours: they may belong to the customer, your boss, or other departments in the organization. If you’re running an IT project and you identify legal risks, you probably should route those risks to the general counsel rather than deal with them yourself. Some risks have solutions — and others have no solution at all.
Using the accompanying chart, let’s look at those choices.
IMPACT: The first gateway is to examine a risk’s impact. Forget
probability: if the impact is low enough, you’re done with the risk. If the
cost of the risk if $50 and the project is $5 billion, it’s irrelevant whether
it happens or not. Granted, first impressions can be deceiving and the impact
of a given risk can change over the lifespan of the project, so you don’t want
to throw this list away.
PROBABILITY: Only then should you think about the probability of
occurrence. If you are lucky enough to have real numbers, good for you. More
often, you’ve got a vague idea (it’s pretty likely to happen, or maybe it’s
very unlikely) or you don’t have any idea at all about the probability.
Here’s where you deal with the R = P x I formula, whether
you’re using 0.1 x $1000 or a high, medium, and low scale from a table (Low x
Medium = Low). And yes, when determining impact, you have to extend your vision
from the impact on the work package to the impact on the project as a whole,
and from there to the impact on outside people and organizations.
At the end, you put more risks on the parking lot. Perhaps
the impact is serious enough to be noticed, but the probability is ridiculously
remote. You make sure that the risks that get further action are the ones with
the highest net value.
According to PMBOK, you're done — but you aren't.
URGENCY: Risk responses follow the Godzilla Principle: baby problems
are easier to deal with than full-grown problems. The available set of
responses to a given risk tends to deteriorate over time. Even if some risks
have higher value, you need to move urgent risks to the front of the queue.
It’s less important whether the risk event is coming up soon; the key question is
when your solutions expire. So we’ve already violated the priority order we
established in the previous step — another tip-off that prioritizing risks by
probability and impact isn’t nearly enough to do the job.
OWNERSHIP: If there’s no reason for a risk to jump to the head of the
line, we go back to the prioritized list of risks, but with another question:
do these risks fall under the jurisdiction of the project manager or team? As
we noted, legal risks usually belong to the legal department, rather than, say,
IT. Other risks may fall generally into our project, but if the impact is great
enough, higher levels of the chain of command usually get the final say-so.
Transferring risk, in other words, often doesn’t wait until
risk response planning — when we need to pass the buck, we pass it early in the
process. Of course, we’re often responsible for providing information and
options to the people who own the decision, and sometimes responsible for
implementing the solutions they devise, but the key question of ownership has
already been settled.
ACTIONABLE: Our remaining pile of risks shrinks with each step, but
before we start on the process of planning our risk responses, there’s still
one more sort that needs to be done. Do these risks have answers? In other words, can we find a potential proportionate and
cost-effective response to the risk that doesn’t create serious negative
consequences as a side effect?
If the answer is yes, we have our tentative risk solution. We
accept the risk and move forward to risk response planning.
ACCEPTABLE: If the answer is no, we have a decision to make. We can
decide to accept the risk
Maybe we add something to the contingency allowance for
dollars or time. Maybe we come up with a recovery plan. But either way, we move
forward.
But if the risk is too serious, moving forward may be a very
bad idea indeed. We have to re-think the project. Maybe we modify it. Maybe we
cancel it. Either way, we’re no longer going ahead with the original vision.
* * *
No matter what approach we use, we plan risk responses for some risks, but not all of them.
In the PMBOK model, we plan risk responses based on the priority of the risk.
As you’ve seen, however, that’s not enough. Think of qualitative risk analysis as the overall process of sorting risks not merely by P x I, but by the nature of the initial actions you should take.
Is it SERIOUS? If not, accept it.
Is it LIKELY? If not, accept it.
Is it URGENT? If it is, act on it now.
Is it MINE? If not, transfer it.
Is it ACTIONABLE? If so, act on it.
If not, is it ACCEPTABLE? If not, rethink the project.