Risk is a future event that may have an impact on schedule, cost or scope. It may happen or it may not.
An Issue, by contrast, is a condition or problem that has already occurred (or will occur for sure) and that impacts schedule, cost or scope.
When Risk is realized, it becomes an issue. It should be handled accordingly using the money set aside called Management Reserve. A governance process is usually established to authorize the use of Management Reserve.
Risks and Issues are recorded in Risk and Issue Logs (sometimes Excel spreadsheets). Risks are identified prior to project startup and throughout the project life-cycle. Risks are communicated to Stakeholders. When a Risk is recorded, it should be worded in complete, specific sentences that identify the area of impact and its probability. Issues are prioritized and assigned. The assigned person develops the action plan to resolve the issue.
A Risk must always be assigned to someone, with a target resolution date. The assigned person is responsible for providing mitigation/contingency plans on how to handle the Risk if it is realized.
Severity determines how to react to the Risk. It can be calculated:
Severity = Probability of the Risk occurring x Impact on the Project
Probability and Impact are each measured as High, Medium or Low.
A Mitigation plan is a proactive approach; it is focused on how to mitigate or reduce the severity. You need a mitigation plan for any risk whose severity is either medium or high.
A Contingency plan is a reactive approach; it is a set of predefined/contingent actions that the team will take if the Risk event occurs. For any risk with high severity, you must provide a contingency plan.
Four ways to handle Risks – Watch, Accept, Transfer and Mitigate.
- Watch – Keep an eye on the Risk (monitor it regularly) but take no action.
- Accept – Accept the full impact and plan accordingly.
- Transfer – Divert the impact to another party.
- Mitigate – Plan how the impact on the project can be lessened.
An Action Plan is a plan of documented actions developed in order to resolve an issue that is adversely impacting the project. Action steps should be clear and should identify the outcome and deliverables of the action.
The Project Manager's responsibility is to review the feasibility of mitigation, contingency and action plans. Approval for the plan is then sought from the governance board, and the plan is communicated to the stakeholders. The project work plan is updated to reflect these approved risk-management-related changes.
Closing a Risk is a little tricky. In most cases, when a risk is realized it becomes an issue and the risk is closed accordingly. You need to check whether the risk could re-occur. If yes, keep the risk open and review the budget for the management reserve amount. Closing an issue needs confirmation that the issue is resolved. A sign-off note from the customer or impacted stakeholder is also required.
Note – These are some key points that I captured some time ago during a Risk Management Refresher; I hope they will help.