Risk Analysis

Risk analysis begins with a detailed study of the risk issues that have been identified and approved by decision-makers for further evaluation. The objective is to gather enough information about the risk issues to judge the likelihood of occurrence and cost, schedule, and technical consequences if the risk occurs. (Note: It is important that only approved risk issues be analyzed to prevent resources from being expended on issues that may not actually be risks.)

Risk analyses are often based on detailed information that may come from a variety of techniques, but not limited to:

• Comparisons with similar systems

• Relevant lessons-learned studies

• Experience

• Results from tests and prototype development

• Data from engineering or other models

• Specialist and expert judgments

• Analysis of plans and related documents

• Modeling and simulation

• Sensitivity analysis of alternatives

Each risk category (i.e., cost, schedule, and technical) includes a core set of evaluation tasks and is related to the other two categories. This relationship requires supportive analysis among areas to ensure the integration of the evaluation process. Some characteristics of cost, schedule, and technical evaluations follow:

Cost Evaluation

• Builds on technical and schedule evaluation results

• Translates technical and schedule risks into cost

• Derives cost estimate by integrating technical risk, schedule risk, and cost estimating uncertainty impacts to resources

• Documents cost basis and risk issues for the risk evaluation

Schedule Evaluation

• Evaluates baseline schedule inputs

• Reflects technical foundation, activity definition, and inputs from technical and cost areas

• Incorporates cost and technical evaluation and schedule uncertainty inputs to program schedule model

• Performs schedule analysis on program schedule

• Documents schedule basis and risk issues for the risk evaluation

Technical Evaluation

• Provides technical foundation

• Identifies and describes program risks (e.g., technology)

• Analyzes risks and relates them to other internal and external risks

• Prioritizes risks for program impact

• Analyzes associated program activities with both time duration and resources

• Analyzes inputs for cost evaluation and schedule evaluation

• Documents technical basis and risk issues for the risk evaluation

Describing and quantifying a specific risk and the magnitude of that risk usually requires some analysis or modeling. Typical tools for use in risk analysis are:

• Life-cycle cost analysis

• Network analysis

• Monte Carlo simulation

• Estimating relationships

• Risk scales (typically ordinal "probability" and consequence scales)

• Quick reaction rate/quantity impact analysis

• Probability analysis

• Graphical analysis

• Decision analysis

• Delphi techniques

• Work breakdown structure simulation

• Logic analysis

• Technology state-of-the-art trending

• Total risk-assessing cost analysis (TRACE)

• Process templates (e.g., DoD Directive 4245.7-M)

After performing a risk analysis, it is often necessary to convert the results into risk levels. Risk ratings are an indication of the potential impact of risks on a program. They are typically a measure of the likelihood of an issue occurring and the consequences of the issue, and often expressed as low, medium, and high. (Other factors that may significantly contribute to the importance of risk issues, such as frequency of occurrence, time sensitivity, and interdependence with other risk issues, can also be noted and used either directly or indirectly in the rating methodology used.) A representative ("strawman") set of risk rating definitions follows:

• High risk: Substantial impact on cost, schedule, or technical. Substantial action required to alleviate issue. High priority management attention is required.

• Moderate risk: Some impact on cost, schedule, or technical. Special action may be required to alleviate issue. Additional management attention may be needed.

• Low risk: Minimal impact on cost, schedule, or technical. Normal management oversight is sufficient.

It is important to use agreed-upon definitions (such as the "strawman" definitions above) and procedures for estimating risk levels, rather than subjectively assigning them, since each person could easily have a different understanding of words typically used to describe both probability distributions and risks. Figure 17-6 shows what some probability statements mean to different people.5 An important point to grasp from this figure is that a nontrivial variation in probability (e.g., 0.3) exists for more than half of the statements evaluated.

The prioritization of program risks should be performed after a structured risk rating approach (e.g., such as the "strawman" definitions above) has been applied. Here, inputs from managers and technical experts will often be necessary to separate risks assessed to be with a rating level (e.g., to prioritize various high risks).

A risk viewed as easily manageable by some managers may be considered hard to manage by less experienced or less knowledgeable managers. Consequently, the terms "high," "medium," or "low" risk are relative terms. Some managers may be risk averse and choose to avoid recognized risk at all reasonable cost. Other managers may be risk seekers and actually prefer to take an approach with more risk. The terms "high," "medium," and "low" risk may change with the turnover of managers and their superiors as much as with the project events.

Program managers can use risk ratings to identify issues requiring priority management (i.e., risk handling plans may be required for all medium or higher risk). Risk ratings also help to identify the areas that should be reported within and outside the program. Thus it is important that the ratings be portrayed as accurately as possible. High-risk areas may reflect missing capabilities in the project manager's organization or in supporting organizations. They may also reflect technical difficulties in the design or development process. In either case, "management" of risk involves using project management assets to reduce the level of risks present.

Previously, we showed that risk analysis could be performed by an expected value calculation. However, there are more sophisticated approaches that involve templates for es-

5. For a discussion of estimative probability values derived from a statistical analysis of survey results for fifty common subjective probability statements, see Edmund H. Conrow, Effective Risk Management: Some Keys to Success (Reston, VA: American Institute of Aeronautics and Astronautics, 2000), pp. 307-330, Copyright © 2000, Edmund H. Conrow.

Project Management Made Easy

Project Management Made Easy

What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.

Get My Free Ebook

Post a comment