Risk response strategies example

Risk response strategies example - RISK RESPONSE PLANNING...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: RISK RESPONSE PLANNING : SELECTING THE RIGHT STRATEGY Crispin (“Kik”) Piney [email protected] Overview For project risk management to be carried out effectively, all of the steps – from Risk Management Planning, through Identification and Analysis, to Response Planning and finally Monitoring and Control (PMI “PMBOK®”, 2000) – need to be integrated consistently in line with the project objectives and the risk tolerances of the organization and the stakeholders. Where a number of potential responses are available for dealing with any given risk, an agreed method is required in order to select the preferred approach, to support with the wider business strategy – for example, how to decide between the option of taking out insurance and that of accepting the risk. The paper will show how to develop and use an integrated decision tool, known as the Project Risk Response Chart. Organisational Risk Tolerance Utility concepts To quite a large extent, the potential impact of risks (whether they are opportunities or threats) is a subjective matter. However, in all cases, we can identify three main ranges of impact (fig. 1 below is taken from: Piney, 2002): Where the effect can be ignored (“dead zone”) Where the effect rises at the same rate as the size of the impact (“rational zone”) Where the effect rises very sharply once the size of the impact exceeds a given threshold (“sensitive / saturation zone”) A simple example of this is given by the way in which you might reason about playing a lottery. If the ticket is very cheap, you might buy it just for the fun of it – “you won’t miss the money”. If the ticket costs more, you would then calculate whether the potential prize makes playing worthwhile (for example by comparing the expected monetary value of the prize against the price of a ticket). Beyond a given price, you would not agree to buy a ticket, whatever the prize. This relationship between (objective) cost and (subjective) value (or pain) can be represented by a “utility curve”, as shown in Fig.1. Fig. 1: Utility Curve for Gains and Losses Pleasure Loss Gain Pain Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 1 Risk Response Planning: Selecting the Right Strategy The vertical axis represents “utility units” which can be chosen either as “percentage of maximum imaginable” or some other unit that effectively measures the subjective effect of a given impact. A brief inspection of the curve shows that each half (pleasure – for opportunities – and pain – for threats) has four distinct areas (as shown in Fig. 2), starting from the origin, and delimited by an abrupt change in the slope of the utility curve: An area where the impact is considered insignificant (“dead zone”) An area where the utility varies linearly with the impact (“rational zone”) An area where the utility varies increasingly rapidly with respect to the impact (“sensitive zone”) An area where the utility bears no relationship to the corresponding impact: for opportunities, it reaches a ceiling of pleasure, whereas, for pain, it goes to infinity (“saturation zone”) Fig. 2: Utility Curve for Gains and Losses Pleasure Loss 23 21 19 17 13 15 9 11 7 5 3 1 -3 -1 -7 -5 1 5 -9 -1 -1 -1 3 Gain Pain In order to obtain the curve, the way in which risk is viewed by a business or organization needs to be understood. This depends on a large number of factors, such as: Financial conditions of the company: large multi-national, down to small business Business approach: from steady, safety-conscious long-established company to aggressive, risktaking start-up. These organization-related features have to be integrated with the specific characteristics of the project, in order to provide clear guidance for the management of the corresponding risks – e.g.: Project budget Financial and/ or strategic benefits of the project Duration or time-horizon for the project activities to be managed. One other factor that needs to be defined is a “benchmark”: this is the value (see Dembo & Freeman, 1998) of the project outcome which is “expected”. In other words, a lower value will generate “regret” (even if it still returns a profit), whereas a higher value will be considered a success. The impacts of the project risks will need to be calculated relative to this benchmark result. In fig. 1, the zero of the xaxis (loss-gain axis) corresponds to this benchmark value. The Risk Management Plan The Risk Management Plan (PMBOK®, 2000) describes how risk identification, qualitative and quantitative analysis, response planning, monitoring and control will be structured and performed during the project life cycle. A typical table of contents for this plan is given below: Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 2 Risk Response Planning: Selecting the Right Strategy Fig. 3: Typical Risk Management Plan Structure Introduction Methodology Roles & Responsibilities Budgeting Timing Use of Tools o Scoring and Interpretation o Thresholds Reporting Formats Tracking and Recording The “use of tools” section of the Risk Management Plan should contain information relative to the utility parameters for the specific project: The project success benchmark The limiting values of the various utility zones shown in fig. 2 with, if possible, the utility curve itself The Risk Response Planning Chart that is described in the following sections These will be of use for both analysis and response planning. Once you understand the way in which risk should be viewed within the context of your project, you are in a good position to develop the guidelines with respect to which the potential responses will be assessed. Risk Response Planning Risk Response Planning entails developing options and determining actions to enhance opportunities and reduce threats to the project’s objectives. A clear explanation of the appropriate approach is given in Hillson 1999. There are four main categories of response strategies for threats: avoidance, transfer, mitigation and acceptance. The corresponding strategies for opportunities (see also Hillson, 1999 & 2001) are: exploit, share, enhance and ignore. When carrying out the planning and subsequent selection of the primary response, the project manager needs to know the conditions under which each strategy will be considered to be acceptable, required, or unacceptable for the specific project. The potential responses need to be assessed with respect to the effect they have on three key parameters: The expected value of the outcome (i.e. the product of impact by probability, plus the cost of the response) The worst case scenario (i.e. the impact plus the cost of the response) The best case scenario (i.e. the event does not occur: take the response impact into account) Response planning for threats The PMBOK® identifies four different approaches for responding to risks. These are explained briefly below, along with their main characteristics plus an insight into how these characteristics interact with risk thresholds defined in the Risk Management Plan. This serves as the basis for developing a synthesis view to be known as the Risk Response Planning Chart. As explained in Hillson 1999, some risks may require a combination of strategies. Risk avoidance Risk avoidance entails taking actions so that the risk event no longer impacts the project objectives. This can be achieved either through changing the way of carrying out the relevant activities or by modifying the objectives. If avoidance can be achieved for little or no cost, that approach should obviously be taken. On the other hand, avoidance will be mandatory if the potential impact (after all valid attempts to reduce it) remains unacceptable i.e. the impact falls beyond a point on the utility curve, defined in the Risk Management Plan. Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 3 Risk Response Planning: Selecting the Right Strategy Risk transfer Risk transfer implies ensuring that a third party will shield the project – totally or in part – from the impact of the risk event. This will normally require a financial arrangement (“risk premium”) between the project and the third party – e.g. an insurance premium, a financial guarantee, a contract provision, etc. Generally, risk transfer will have the following effect on a chance event: it will make the “best case” scenario less good, the “worst case” scenario less bad and displace the expected monetary value towards lower benefit. This approach is therefore to be preferred in the case where a bad “worst case” would cause more damage than the potential reduction in the “best” and “expected” values, as measured on the corresponding utility curves. Risk mitigation This is a general term for reducing probability and/or consequences of an adverse risk event. In the extreme case, this can lead to eliminating the risk entirely (as seen in “avoidance”). However, in mitigation, it is not sufficient to consider only the resultant expected value, because, if the potential impact is above a certain threshold - given in the Risk Management Plan -, the risk remains unacceptable. In this case, one of the other approaches will have to be adopted. Risk acceptance Risk acceptance entails planning for ways in which to deal with the event if it occurs, rather than attempting to influence its probability or impact. From the point of view of the project, this will be the strategy of choice in cases where the effect of the risk is known to be sufficiently contained for it to be acceptable (i.e. below the defined “pain threshold”). Acceptance can be “passive” when the impact is of minor importance (e.g. in the utility “dead” zone); in this case, no prior plans are put in place. Acceptance is “active” when the impact, if the event occurs, will need to be reduced: in this case a “contingency” plan for responding to the event is developed so as to reduce the overall impact (cost of the plan plus cost of the risk event) to an acceptable level. Building the risk response planning chart for threats All of these guidelines for selecting the category of response can be represented on a single chart as shown below: each area (1-5) on the chart defines the primary strategy that should be considered for any risk that falls within that area; mitigation (6) is treated as a potential adjunct to each of these strategies. The overall shape of a risk response planning chart is the same for all projects. However the values and scales of the axes will change depending on the organisation and the project. Fig. 4: Typical Risk Response Planning Chart for Threats High Probability of Occurrence 1 5 6 3 2 4 High Impact Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 4 Risk Response Planning: Selecting the Right Strategy The rationale behind the chart is as follows: 1. Above a given probability of a risk, it is often easier to manage the situation by assuming that the event will happen and treating its non-occurrence as a potential opportunity 2. All risks with an impact over a given limit can totally wreck a project: they all have to be avoided except at a vanishingly small probability 3. All risks with an impact in, or near the utility “dead zone” (and within the tolerances of the project) can be accepted passively 4. Between passive acceptance and avoidance, some action has to be taken. If the frequency of occurrence of a risk is low (i.e. gives an expected value below a chosen value within this range of impacts), it is not worthwhile for the project organisation to put effort into a contingency plan; it should therefore transfer the risk. 5. For risks that are more likely to occur – and potentially a number of times –, it is beneficial for the organisation to plan for the eventuality by accepting actively, and save the corresponding risk premium. 6. In addition, mitigation should be used wherever it proves viable, to move the risk towards the lower expected values Using the risk response planning chart for threats The way in which the chart should be used is as follows: a) Using the results of the risk analysis phase, identify where the risk falls in the chart b) Ignore any risks in the “ignore” area c) Apply mitigation where viable d) Apply the response strategy that corresponds to the mitigated risk. Note that you can select the strategy from the region in which the risk falls, or that of any region corresponding to a risk of greater expected value, if the cost of the strategy is acceptable. This is shown in more detail in the flowchart in fig. 5. Y PASSIVE ACCEPT area? Select PASSIVE ACCEPT N Can Risk be avoided? Y Select the AVOIDANCE N AVOID area? Y N Select the MITIGATION and add to plan AVOID by replanning or cancelling the project N Can risk be mitigated into PASSIVE ACCEPT? Y Can Impact be mitigated below Avoid threshold? Y N ACTIVE ACCEPT area? N Y Can probability be mitigated down to TRANSFER level? Y Can risk be TRANSFERRED? Y Select the MITIGATION and add to plan N N Select ACTIVE ACCEPT (develop contingency plan) TRANSFER area Can risk be TRANSFERRED? Y Select TRANSFER N Fig. 5: Flowchart of risk response planning actions for Threats, based on where a threat falls in the Risk Response Planning Chart Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 5 Risk Response Planning: Selecting the Right Strategy You should then: e) Identify and analyse the risks introduced by any changes to the previous plan (“secondary risks”) f) If any secondary risks are outside the “passive accept” area, restart at a) for the “secondary risks” Risk Response planning for opportunities As explained earlier, each of the response strategies for threats has a corresponding strategy for opportunities. These can be mapped onto the utility regions in the same way as for threats, giving rise to the chart shown in fig.6, and the flowchart in fig.7. Probability of Occurrence Fig. 6: Risk Response Planning Chart for Opportunities Impact Fig. 7: Flowchart of risk response planning for Opportunities Y EXPLOIT area? Select EXPLOIT N Can risk be ENHANCED into new region? Y Select ENHANCEMENT and add to plan N PURSUE area? Y Select PURSUE (develop contingency plan) N SHARE area? Y Can Opportunity be SHARED?? Y Select SHARING N N IGNORE area IGNORE Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 6 Risk Response Planning: Selecting the Right Strategy Risk Response Planning Example This example demonstrates the way in which the threat flowchart and analysis rules can be used. It also shows how response actions can interact as well as generating new risks. Consider the project to install an automated voice response telephone service in a call centre in order to support an organisation’s after-sales service business. The threats identified are A) Total loss of service due to failure of the voice switch B) Financial loss due to fire in a voice switch C) User dissatisfaction due to reduced human interaction Risk C falls in the passively acceptable area and nothing will be done about it. Risk A falls in the unacceptable (i.e. avoid) area. We decide to modify the design to include batteries to eliminate stoppage due to power failure, and to double-up the equipment to mitigate equipment failure. Risk B falls between “passive” and “avoid”; we can see no way of mitigating it down to “passive acceptance”; the probability of fire is low, so we will transfer the risk by insuring it. Our actions have raised secondary risks: D) If a power outage is too long, the batteries will be run down, leading to loss of service. This risk has been increased by doubling-up on the equipment, since the batteries will drain twice as fast. We need a contingency plan (active acceptance) that includes use of power generators E) There is the risk that the insurance company will be unable (or unwilling) to pay in case of fire. This is considered so unlikely as to be accepted passively. Our responses to the secondary risks have raised more risks: F) The cost of running the power-generators could damage the business forecast. We will partially transfer the impact by including a penalty clause in our agreement with the electricity supplier. There now remain no risks that are insufficiently contained. Conclusions By establishing the thresholds of acceptability of the impact and probability of risks at the start of the project, the subsequent tasks of risk response planning can be carried out in a structured and predictable way that has a high chance of complying with the business objectives and constraints of the sponsoring organisation. ___________________________________________________________________ References Books: Dembo, Ron S.; Freeman, Andrew. 1998. Seeing Tomorrow. NY, NY: John Wiley & Sons. Project Management Institute, 2000. A Guide to the Project Management Body of Knowledge. Pennsylvania: PMI. Articles: Hillson, David. 1999. Developing Effective Risk Responses. Proceedings of the 30th Annual Project Management Institute 1999 Seminars & Symposium. Hillson, David. 2001. Effective Strategies for Exploiting Opportunities. Proceedings of the Project Management Institute Annual Seminars and Symposium Nashville, Tenn., USA. Piney, Crispin (“Kik”). Submitted 2002. Applying Utility theory to Risk Management. Project Management Journal. Reserve for: the Fifth European Project Management Conference, PMI Europe 2002, Cannes France, 19-20 June 2002 Organised by the PMI France Sud Page 7 ...
View Full Document

This note was uploaded on 12/02/2009 for the course PROJECT MA mgmt1140 taught by Professor Dibel during the Spring '09 term at Conestoga.

Ask a homework question - tutors are online