The facilitated risk assessment
When the team meet for the first risk assessment, and the risk management plan has
been discussed and understood, they begin identifying risks. A structured workshop
usually captures a set of risks from the project team, and other assumptions about
the project that may cause uncertainty. Facilitation techniques are used to collect
input from as wide a team as possible, and to focus the session on identifying,
rather than further qualifying the issues raised.
Subsequent workshops and team and individual interviews further refine the risk
assessment by focusing attention on causes, likelihoods and consequences of the
risks identified. At this stage similar risks can be combined if appropriate, or
agreed to be excluded or outside the scope of the assessment.
The risk assessment is intended to be a realistic, honest expression of risk as
the project team sees it. Some risks the project may be able to address and mitigate;
others it may need to accept. For all risks within the scope of the assessment,
the risk assessment asks the team to quantify (to a certain degree) them: likelihoods
are given as probabilities, or bands of probability, and consequences are given
as numbers of days, or sums of money, or at least broad bands of magnitude. Assumptions
are given degrees of uncertainty, by establishing the reasonable ranges of expectation.
As the risk assessment progresses, the risk model (the framework in which the risks
are being assessed) begins to show the logical effect of the assessments the team
are making, so that they can see the connection with their individual assessments
and the overall project risk assessment. The risk model, by eliciting reasonable
ranges of expectation from the project team around individual assumptions, and by
showing them the corresponding expectation for the project as a whole, gives the
team confidence that their assessment does reasonably reflect the project as it
is likely to pan out. The model helps the team understand how risks behave by showing
how specific areas of the project are exposed to risk, and how the risk "rolls up"
through the project structure; by seeing how the overall risk breaks down through
the individual components, the team can explore and validate the risk assessment
as they have described it.
As the team discusses the assumptions they are making, and the risks they are taking,
they will also discuss actions that could be taken to mitigate risk, or to strengthen
the assumptions. The risk assessment needs to capture and document such mitigation
actions, and to elicit the team’s beliefs on how effective they will be, and the
resources they will require, as well as how much approval they have and how they
will be planned and carried out.
Click here for more
information on risk assessments.
Between five and ten days of focussed risk assessment could be expected to establish
a defendable risk register and risk model, for a typical medium-sized project.
The full project team would be required for the initial 2-3 days; the remainder of the assessment is carried out by smaller groups.
Note: These estimates of effort depend on many factors including project complexity,
scope of assessment, team availability, and extent of changes to assumptions during
the assessment process.
This step repeats as part of the
ongoing risk reviews throughout the project.