Thursday 29 March 2007

Assessing Composite Residual Risk in projects

This is an interesting answer from Alan Ashton-Jeanes in repsonse to my LinkedIn question on Assessing Project Risk.
Alan wrote:
Risk is the main reason why projects exist. A dynamic approach to managing the risks affecting the project is an integral part of managing the project. It is the approach to risk management that should determine the value of the risk assessment approaches that feed into it.
I wish I could take it as read that the project will have one or more planned levels of residual risk exposure at the completion of each phase. DO THIS! If these targets are defined in measurable terms, then tracking of composite residual risk should use the same scales of measure. The assessment of the residual component of individual risks is then an extension of the approach to composite residual risk.
For example, the individual risk is viewed as the project's only risk and the project's composite residual risk measurement in that hypothetical case is taken as the individual residual risk measurement. An advantage of this approach is that composite residual risk is then equal, by definition, to the sum of the individual residual risk levels. A disadvantage is that multiplier effects (of one risk on another) are not naturally handled. However, by assessing the multiplier effects as individual risks, this disadvantage can be mitigated.
Another disadvantage is that the assessed risk levels are necessarily estimates, so there is uncertainty in the implicit or explicit range of values that applies to an individual risk, and hence (even more so) to the composite risk values. I find that using percentages helps here: an individual risk currently represents between, say, 4% and 12% of the phase completion target. You can only make interesting observations like this if you have numeric assessments, of course. That could be monetary value, other numbers such as mandays, or just "points".
HML or RAG approaches can easily be adapted by scoring the different levels. This needs to be done by reference to your targets for composite residual risk. If your target is "all risks Green", for example, then a Green risk makes zero contribution to the the project's residual risk, so it should have zero points. Conversely, if your target is "no risks Red", then each Red risk represents at least 100% of your risk quota. It is this type of feedback loop that leads me away from RAG and towards HML or genuine numbers. The RAG status is then some function of the relationship between the individual risk and the target.

No comments: