Life is filled with risks. Some risks occur slowly. Others strike with little warning. Let’s look at how to evaluate risk velocity and why it matters.
What is Risk Velocity?
Risk velocity is the time to impact. Think of velocity as an estimate of the time frame within which a risk may occur.
Why Risk Velocity Matters
When the velocity is low, we have more time to respond to the risks. For a threat, we may take steps to reduce the probability and impact. The risk owner has time to develop a contingency plan (i.e., a plan we will execute if the risk occurs) and a fallback plan (i.e., a plan we will execute if the contingency plan fails).
If the velocity is very high, threats strike quickly. Thus, these risks are more likely to become issues, costing more time and money. Here are some causal factors for high-velocity risks:
Sponsor notifies you that two critical team members need to be transitioned to another project within two weeks
The servers that you ordered for your test region are going to be two to three weeks late
Wildfires are spreading into the area of your offices
Imagine that two risks have a risk score of 20 on a scale of 25. But Risk A will likely occur in two to three weeks, whereas Risk B will take at least six months. Which risk merits your attention most? See the difference?
We all have biases; many are helpful. In projects, we have biases towards successful projects and motivated teams. If a project sponsor says that schedule is the top priority, the project team has a bias towards meeting the schedule.
However, some biases are harmful. Stakeholders may attempt to sway project decisions in unfair ways. These biases undermine the health of the project and breed distrust.
Let’s look at different types of biases and ways to reduce bias in the risk evaluations. These steps will help ensure the right decisions are made for the right reasons.
What are the Motives and Perception?
Stakeholders may exhibit different types of bias. PMI’s Practice Standard for Project Risk Management explains that motivational bias is “where someone is trying to bias the result in one direction or another.” Cognitive biases occur when people make inferences in an illogical fashion. Cognitive biases are based on people’s perceptions.
How to Manage Bias
Uncloak the bias. Project managers should watch and listen for bias. Expose the bias in one-on-one meetings or team meetings, whichever is most appropriate. Be careful – do not judge or challenge too quickly. Be slow to speak. Listen. Seek to understand.
Have open conversations. When a bias is not understood, the project manager should dig deeper. If the bias is based on the wrong perceptions, provide the facts. If the bias is ill intended, ask non-threatening questions that allow the individual to understand how the bias may negatively affect the project.
Reduce the subjectivity. Project managers use qualitative methods to evaluate risks quickly. Some project managers fail to understand that they may be creating greater bias. Let’s look for ways to reduce the subjectivity while keeping the convenience and speed of the qualitative methods.
How to Reduce Bias When Evaluating Risks
For small projects, I use a KISS (Keep It Super Simple) Method for qualitative risk assessments. This one-dimensional technique involves rating risks as:
While the KISS Method is a simple and quick way to prioritize risks, it is also subjective and open to greater bias. When I use this method, I focus on open and honest conversations about the ratings.
A more common qualitative method is the two-dimensional Probability/Impact matrix. With this method, we rate probability and impact on a scale such as 1 to 10, with 10 being the highest. This method provides a more in-depth analysis of risks as compared to the KISS Method. However, a scale of 1-10 is still highly subjective.
How can we reduce the subjectivity?
The first step is to define qualitative terms (e.g., Low – Very High) for the ratings. Here is an example:
Another step is to define ranges for the scale (e.g., 0-5% for Low). Defining the scale reduces subjectivity and drives greater consistency in the ratings.
If the probability or likelihood of a risk is approximately 15%, we assign a probability rating of 5. If the potential impact on the budget or schedule is 55%, we assign an impact rating of 9. The resulting risk score would be 45 (i.e., 5 x 9 = 45).
If stakeholders need objectivity, perform a quantitative risk analysis. Quantitative risk analysis takes more time than qualitative risk analysis. However, this method provides objective information and data for business decisions.
Successful project managers have a common trait – they identify and manage risks. Let’s look at seven tools and techniques to identify risks.
Often project managers start with a splash. They get the team together, identify lots of risks, and enter them into an Excel spreadsheet. However, the risks are never discussed again.
What happens when project managers and their team fail to identify risks in an iterative fashion? Teams spend their time and energy on things that do not matter. Risks are not identified and turn into more costly issues. Project teams are not aware of emerging killer risks.
Vague risk statements lead to poor risk response planning. When organizations or project teams fail to respond to significant risks (i.e., threats and opportunities), these groups fail to achieve their goals and reach their potential. Risk management starts with identifying risks and writing clear risk statements.
Why do people define risks poorly? I am convinced that most people simply don’t know how. Allow me to share some simple tips that can improve your ability to write clear risk statements.
Test Your Risk Statements
When I ask someone to identify a risk, individuals often respond with something like “there is a conflict between two executive sponsors” or “the estimates are incorrect” or “we are experiencing system outages.” But these are facts or conditions that are true, not statements of uncertainty. In other words, these are causes that give rise to uncertain events or conditions.
Every project manager deals with risks. We all face significant uncertainty. Allow me to share seven things you ought to know about identifying risks.
Project managers must address unrealistic time frames where failure seems unavoidable, scope creep, ambiguous requirements, delays from third parties, and the lack of required skills, to name a few.
How do we manage risks and the causal factors?
Risk management begins with the practice of identifying risks. In this process, we consider future events or conditions that may impact our ability to achieve our goals. Risk identification includes figuring out where, when, how, and why such events may occur.
Not sure how to get the most value from risk identification? Well, here are answers to common questions. If you understand these basic principles, you have the foundation for an effective and efficient risk identification process.
Tom is the program manager for a large, complex program comprised of eight projects. He thinks his project managers have identified most of their risks, but he’s not sure where to focus his attention. What areas have the highest risk exposure? Let’s look at how to actually define risk categories and how they can help Tom (and you).
What are Risk Categories?
Risk categories allow you to group individual project risks for evaluating and responding to risks.
Project managers often use a common set of project risk categories: schedule, cost, quality, and scope. But project managers may use other categories.
Stephen Covey introduced the concept of Quadrant II activities—working on things that are important but are not urgent. Planning is a powerful Quadrant II activity that can save you time and energy. Think about the future so you can make better decisions in the present. Let’s talk about how to plan your risk management from start to finish.
First Things First
Some people think of risk management plans in the wrong way. Risk management plans are not a list of risks and what you plan to do (e.g., a risk register). Rather, the plan is your approach to risk management.
How do you plan to identify and evaluate risks?
How will you develop risk response plans?
How will you periodically review risks and your risk management processes?
Why is it that some project managers have oversized or undersized risk management plans? First, individuals may be looking for shortcuts. They simply copy someone else’s plan and check a box. Second, others want to impress others with their knowledge by writing plans longer than The Grapes of Wrath.
Want to really make a good impression? Work with your team to develop a risk management plan that is fitting to your project, aids in decision making, and adds value. Document the plan but keep it practical and to-the-point.
So, how can we right-size our plans? Here are four steps to make it easier.