Here, we focus on what we can do in order to analyze risks and their impacts.
In sub-section Risk Management, we introduce the definition of the term risk:
Risk = probability (event with negative impact may happen).
For a given work package, identifying risks is about asking the question: what can happen that makes the achievement of that work package's results impossible or more difficult than usual? This leads to a list of risk events.
In the next step, we evaluate each risk event: what is the probability that it happens and what is its impact? This evaluation we call risk analysis.
In case data from earlier projects with similar work packages, and thus, similar risk events, are not available, we end up with simply doing guess work. Like in effort estimation, we can ask experienced experts who give us their best guess on probability (= risk) and impact of such an event. In order to make our guess work a little bit more reliable, we ask the experts for their best guess, normal guess, and worst guess in terms of both, probability and impact.
Work package: Delivery of 200 photovoltaic panels, 224 Watt and USD 1,800.-- each. One event could be: delay of that delivery by 4 weeks. Our experts give us their estimates of probabilities
p_best = 5%
p_normal = 10%
p_worst = 20%
i_best = 3,000.-- (lost interest, because the payment of that delivery 360,000.-- is delayed by 4 weeks)
i_normal = USD 30,000.-- (lost interest, because other work packages are also delayed, we miss a major payment milestone of USD 1'200,000.--, payment comes with the next milestone, 3 months later, assumed yearly interest rate of 10%)
i_worst = USD 90,000.-- (because the whole project gets delayed by 3 months, liquidated damages based on the contract are USD 1,000.-- per day, assumed yearly interest rate of 10%)
How can we use these estimates for risk analysis without making it too complicated (by combining 3 probability figures with 3 impact figures we would end up with 9 different values to follow up)?
As in the Delphi Method of effort estimation, we could calculate for probability
p = (p_best + 4 • p_normal + p_worst) / 6 =
= (5 + 40 + 20) / 6 =
and similarly for impact
i = (i_best + 4 • i_normal + i_worst) / 6 =
= (3,000 + 120,000 + 90,000) / 6 =
= 35,500.-- USD
After this "risk analysis", which is actually guess work, we continue with the next step of the risk management process which we describe more detailed in sub-section Risk Management.
For certain work packages that are similar from project to project, we have data available. With a little bit of mathematical statistics we can use those data to replace, or at least back up, our guess work in a new project by some simple calculations.
Underlying assumption of the approach we describe below is: we have done a certain work package 50 times already, in 50 earlier projects; this is not unusual for most of our organizations. Now, we apply some mathematical statistics to those data.
Of course, it might be the case that those 50 work packages were not exactly the same. In our example above, delivery of a number of photovoltaic panels, it makes a difference if we had to deliver within our own country or across borders, if the panels had to be state of the art or off-the-shelf units, if the delivery went into a remote area or nearby a town, etc. So, we refer to those work packages that had to be carried out under similar or comparable conditions. Then, we will identify similar or comparable risk events.
For these risk events, we continue with risk analysis as follows. In our risk data base, we find actual data about how often a certain risk event happened and what impact it really had. Then, we can calculate:
mean value of probability, p_mean
standard deviation of probability, p_SD
mean value of impact, i_mean
standard deviation of impact, i_SD
In our further risk analysis, we now can take values for probability and impact out of the intervals
from p_mean – p_SD to p_mean + p_SD
from i_mean – i_SD to i_mean + i_SD
or maybe, with 2 • p_SD or even 3 • p_SD, and 2 • i_SD or even 3 • i_SD, respectively, depending on how far we want to be on the safe side.
In our example above, we find 20 similar work packages from earlier projects in our data base. The values for probability and impact are:
p_mean = 9%
p_SD = 1%
i_mean = USD 28,000.--
i_SD = USD 3,000.-
For the new work package under risk analysis, we can choose values for
p, from 8% to 10%
i, from USD 25,000.-- to USD 31,000.--
under the condition that + or – 1 single standard deviation gives us enough safety.
(1) Quantity of data: It is clear that this method of risk analysis only works where we have a certain minimum of data from earlier projects. A number of 10 is minimum requirement, the more the better. Therefore, project managers and team members must be motivated to contribute all the actual results of their projects.
(2) Quality of data: It is absolutely essential that we refer only to work packages that were carried out under the same or comparable conditions. This accounts again for a high level of motivation of project managers and team members to fill the risk data base with all available details, including work package requirements and specifications, assumptions, interpretation of contract wordings, etc.
In case you would like to use practical and useful packages of tools, templates and checklists, here you can get them. They save you a lot of time, are easy to use and easy to change:
All four PM Phases in one Set