Controlling Uncertainty

How to Manage Risk on a Compliance Project


NOTE: This article originally appeared in the April 2008 issue of Flawless Compliance, under the "Hello Rubber, Meet the Road" section. The link to the actual issue is at the bottom of this article.

When I audit other projects, risk management is one of the key things I often see missing entirely. Failure to identify and manage risk in a project will almost certainly cause your project to overrun. Addressing risk is straightforward when you follow a few simple steps.

But first of all, let’s understand what risk is. Simply stated, risk is uncertainty. It’s something that might or might not happen. All risk has a probability of occurrence and an impact. The probability of occurrence is a percentage (between 0 and 100) and represents the chance that a risk event will occur. A 0 percent probability means the risk event will never occur, and a 100 percent probability means the risk will certainly occur. In both of these extreme cases, the event is no longer considered a risk, as there is no uncertainty left.

The impact of a risk is how the risk event will affect your project if it occurs. Impact should be evaluated in a manner consistent with rebalancing the project, so scope, time, and cost considerations all play a part in risk impact. Contrary to popular belief, not all risk impact is negative. There is a concept of positive risk, in which an uncertain event has a positive impact on your project.

To absorb risk, you should set up a risk reserve. Usually, a risk reserve is tracked by cost; however, if cost is not a concern, you can use time, scope, or any combination of the three. There are two types of reserves: contingency reserve and management reserve. Contingency Reserves are allocated for risks that you have identified, or known risks. Management Reserves are allocated for risks that you have not identified. Management reserves represent a respect for the reality that you cannot anticipate all types of uncertainty.

So when you set up your compliance project plan, be sure to follow these 12 steps for Risk Management:

  1. Brainstorm with your team all the possible things that could go wrong (or right) with your project. You are looking for anything that could cause an overrun (or underrun) in cost, time, or possibly scope. A good technique is to use Post-It notes on a whiteboard.
  2. Create an Affinity Diagram of the results. An Affinity Diagram is a grouping of like items. Create headings on the whiteboard, and organize all the Post-It notes into logical groups.
  3. Revisit each group, doing another brainstorm on each individual group. The grouping should trigger more insights on additional risks. When you are done, you should have at least 50 - 75 risks. The more the better.
  4. Compile the list of risks onto a spreadsheet, and assign a probability and an impact to each risk.
  5. Normalize both the probability and impact to a scale from 1 to 10. Probabilities should be pretty easy; you can divide the percentage by 10 and round. Impact ratings must be subjective. Low impact risks will get a 1, and high impact risks will get a 10.
  6. Separate out all the risks that have an 80-100% probability of occurrence (score of 8 – 10). Since the certainty is so high on these items, it’s better to just assume they will happen. Record them as normal tasks on your project plan.
  7. Perform a Qualitative Risk Analysis. Create a 10-by-10 matrix of 100 squares, with probability in columns (from 1 to 10) and impact in rows (from 1 to 10). Now shade in, starting from the (10, 10) coordinate, all the squares you will consider important enough to deal with. The (1, 1) square should not be filled in, and the (10, 10) square should be. The rest of the puzzle depends on your tolerance for risk. If you are risk averse, most of the squares should be shaded. If you are risk inclined, only a few should be shaded.
  8. From your comprehensive risk list, pull out only the risk items whose probability / impact combinations fall in the shaded squares you deem important.
  9. Go back through the “unimportant” list, and have a project meeting with all necessary stakeholders to determine what else should go on the “important” list. Do not skip this step! This is where common sense prevails over methodology.
  10. With the field of risk thinned out, perform a Quantitative Analysis. Assess impact in terms of cost (in dollars) and time (in days). Then multiply both by the probability of occurrence, and record these numbers as “expected cost” and “expected time”.
  11. Sum up the total of your “expected cost” and “expected time” for your entire project. This is what you should allot for your Contingency Reserve. Add your contingency reserve to your total project cost and time.
  12. Set up a Management Reserve to accommodate the “unimportant” risks, and anything else you might not have caught. The amount you choose is based on your level of overall risk comfort for the project, and your experience. A general rule of thumb is 10% of the new project time and cost (after the Contingency Reserve is added in); however, in the case of very risky types of projects (i.e. technology) or environments (i.e. overly political and / or dysfunctional organizations), you may need a 100% Management Reserve, or more!
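The arithmetic behind steps 5 through 12 is easy to get wrong in a spreadsheet (the management reserve in particular must be taken after the contingency reserve is added, not before), so here is the whole procedure as a small risk-register calculator. This is an added example, not code from the article or from Flawless Compliance. Two things in it are assumptions: the shaded region of the step 7 matrix is encoded as "probability score × impact score ≥ threshold" (the article leaves the exact shape to your risk tolerance), and the sample register of six risks is constructed for illustration. Near-certain risks (score 8 to 10) are moved into the baseline plan as ordinary tasks, per step 6, and a negative cost or time impact models a positive risk.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    name: str
    probability_pct: int    # chance of occurrence, 0-100 (step 4)
    impact_rating: int      # subjective impact, 1-10 (step 5)
    cost_impact: float      # dollars if the event occurs; negative = positive risk (step 10)
    time_impact: float      # days if the event occurs; negative = positive risk (step 10)


def probability_score(probability_pct: int) -> int:
    """Step 5: divide the percentage by 10 and round, clamped to the 1-10 scale."""
    return max(1, min(10, round(probability_pct / 10)))


def is_important(prob_score: int, impact_score: int, threshold: int) -> bool:
    """Step 7: decide whether square (probability, impact) is shaded.

    Assumption: the shaded region is encoded as 'probability x impact >= threshold'.
    A lower threshold shades more squares (risk averse); a higher one shades fewer
    (risk inclined). The article leaves the shape of the region to the team.
    """
    return prob_score * impact_score >= threshold


def shaded_matrix(threshold: int) -> List[List[bool]]:
    """Step 7: the 10-by-10 grid; rows are impact 1..10, columns are probability 1..10."""
    if not 2 <= threshold <= 100:
        raise ValueError("threshold must leave (1,1) unshaded and (10,10) shaded")
    return [[is_important(p, i, threshold) for p in range(1, 11)] for i in range(1, 11)]


def plan_reserves(risks: List[Risk], baseline_cost: float, baseline_days: float,
                  threshold: int = 20, management_fraction: float = 0.10) -> Dict:
    """Steps 6 and 10-12: split out certainties, compute expected values and reserves."""
    certain = [r for r in risks if probability_score(r.probability_pct) >= 8]
    candidates = [r for r in risks if r not in certain]
    important = [r for r in candidates
                 if is_important(probability_score(r.probability_pct), r.impact_rating, threshold)]
    unimportant = [r for r in candidates if r not in important]

    # Step 6: near-certain events become ordinary tasks, so their full cost and
    # time go into the baseline plan rather than into a reserve.
    planned_cost = baseline_cost + sum(r.cost_impact for r in certain)
    planned_days = baseline_days + sum(r.time_impact for r in certain)

    # Step 10: expected value = probability x impact, for the important risks only.
    expected_cost = sum(r.probability_pct / 100 * r.cost_impact for r in important)
    expected_days = sum(r.probability_pct / 100 * r.time_impact for r in important)

    # Step 11: the contingency reserve is the sum of expected values, added to the plan.
    cost_with_contingency = planned_cost + expected_cost
    days_with_contingency = planned_days + expected_days

    # Step 12: the management reserve is a fraction of the plan *after* contingency.
    management_cost = management_fraction * cost_with_contingency
    management_days = management_fraction * days_with_contingency

    return {
        "certain": [r.name for r in certain],
        "important": [r.name for r in important],
        "unimportant": [r.name for r in unimportant],
        "contingency_cost": expected_cost,
        "contingency_days": expected_days,
        "management_cost": management_cost,
        "management_days": management_days,
        "total_cost": cost_with_contingency + management_cost,
        "total_days": days_with_contingency + management_days,
    }


# Constructed sample register (hypothetical risks, not taken from the article).
SAMPLE_RISKS = [
    Risk("Evidence repository migration slips", 50, 8, 40_000, 20),
    Risk("Regulator issues updated guidance mid-project", 20, 10, 60_000, 30),
    Risk("Control owners miss walkthrough sessions", 90, 4, 5_000, 5),
    Risk("Key auditor unavailable during fieldwork", 30, 6, 15_000, 10),
    Risk("Tooling vendor delivers early (positive risk)", 40, 5, -10_000, -5),
    Risk("Printer runs out of toner", 10, 1, 200, 0),
]

if __name__ == "__main__":
    result = plan_reserves(SAMPLE_RISKS, baseline_cost=200_000, baseline_days=120)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed register and a baseline of $200,000 and 120 days, the 90% item is absorbed into the plan, three risks land in the shaded region, the contingency reserve comes to $28,000 and 14 days, and the 10% management reserve is taken on the $233,000 / 139-day figure that already includes contingency. Step 9, the stakeholder review of the "unimportant" list, is deliberately left as a human decision: move a risk from `unimportant` to `important` by lowering `threshold` or by adjusting its rating, not by editing the arithmetic.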

As the project executes, make sure to track the risks as they occur, and adjust the project plan and the reserves as appropriate. It’s very important to keep track of all these facts so you can demonstrate to stakeholders how risk is affecting your project. In many cases, this aspect is overlooked and never communicated to the stakeholders. As mentioned earlier, this invariably leads to an uncomfortable disclosure regarding project overruns.

Keeping risk under control is the sign of a prudent and responsible project manager. Don’t let risk get out of control on your project. Following these simple 12 steps can make the difference between happy and irate stakeholders.

  ... read the April 2008 issue of Flawless Compliance  