16 Critical Software Practices 
 
Adopt Continuous Program Risk Management
 

 
Roger Pressman

Tom DeMarco
Ed Yourdon

"On large projects, a healthy respect for significant risks is the difference between success and failure; and on the large projects, the financial consequences--as well as the legal, social, and political consequences--can be devastating."

Edward Yourdon



Adopt Continuous Program Risk Management

Risk management can be viewed as the disciplined application of experience; in a very real sense, it is "the forward application of hindsight." All program planners do risk management at some level when they structure a program. As a planner determines what must be accomplished and the steps needed to reach a specific goal, he or she identifies problems that might occur, based on logic or prior experience. The program is then structured to avoid those problems where they can be avoided, or to minimize their impact should they occur.

Continuous risk management calls for formalizing this process into something that can be applied consistently. It involves assigning responsibility for managing risks; setting up a process that makes it easy to identify risks and problems; allocating the staff resources needed to make the risk process a reality; building the automated infrastructure needed to support risk identification and tracking; and establishing and nurturing an environment in which team members can report risks and problems without retribution. To be acted upon, risks need to be elevated to the proper decision-making authority, so this practice also involves establishing a regular reporting vehicle. Risk management further includes identifying strategies for either mitigating or avoiding each potential problem, and defining a set of objective criteria for determining whether the potential problem has become, or is beginning to become, a reality.

Drawing on experience from past projects as well as factors specific to the current one, risk management is the process of identifying what could go wrong, determining the significance of each situation, watching for early signs of the problem, steering activities to avoid the problem where possible, and being prepared to react if it occurs.

An effective risk management program requires the assignment of a risk officer to facilitate the risk process. This staff officer serves many roles, but one of the key ones is being "the resident nay-sayer." In a complex environment it is essential that someone objectively looks at the potential problems in making a program work. This provides a valuable counterbalance to the "can do" attitude typical of developers.

In a program of any complexity, a large number of risks will be identified. The risk management program therefore needs to establish a process for prioritizing risks and for evaluating the action plans that address them.

Risk management exploits experience to avoid problems that have plagued previous projects. Continuous risk management establishes a systematic process within an organization for consistently managing that effort. However, to be successful, the program must have support at the senior corporate level. Without this support, risk management can easily decay into a non-productive, bureaucratic exercise that helps no one.
