9618$$ $CH5 09-06-02 14:59:48 PS 156 Preparing for the Project Management Professional Certification Exam Figure 5-3. Comparative ranking of risks. Risk B Risk C Risk D Risk E Risk A Risk A Risk B Risk C Risk D Risk E A A A A B B B B C C C C D E E E E D D D There are two things we need to consider. The first is that the risks need to be put into groups that can then be managed by individuals that are more familiar with the nature of these risks. The second is that the risks need to be put into some priority order. This is because no organization will ever have the funds or manpower to deal with all the risks. At some point the level of impact and probability will be such that even the most conservative of risk takers will take that risk and accept it. If we use probabilities between 0 and 1 to estimate the likelihood of our risks, and we use a quantitative number to assess impact, then we could multiply the two values and get the expected value for the risk. If the esti- mates were done consistently, then we would have a measure to rank them with the highest expected value at the top of the list and the rest below it in descending order. This is the same as the expected value analysis we did previously. The most qualitative and simple method of evaluating risks can be used 9618$$ $CH5 09-06-02 14:59:49 PS 157 Risk Management in a similar way. The most basic evaluation for risk could be to say the risk is ‘‘likely’’ and ‘‘bad,’’ using only the distinctions of ‘‘likely’’ and ‘‘unlikely’’ for probability and ‘‘bad’’ and ‘‘very bad’’ for impact. A step toward quantitative measure might be to evaluate the risks as, ‘‘high,’’ ‘‘medium,’’ and ‘‘low.’’ Going further, the risks could be evaluated on a scale of 1 to 10 or 1 to 100. Any other system or a combination of any of these is also appropriate. There is nothing wrong in saying that a risk has a high probability of occurring and has an impact of $40,000. The ultimate goal of this risk prioritization scheme is to get the risks into some hierarchical order. Then the resources of the project can be con- centrated on the risks at the top of the list, and effort is spent first on the ones that are the most important. Depending on the risk tolerance of the organization and the stakeholders, acceptable risks may be high or low on the list. Comparative Ranking One tool that can be used to prioritize risks that all come out with the same severity is comparative ranking. The layout of the diagram in figure 5-3 compares each risk to every other risk. In the first comparison, the diagonal box at the top of the diagram, risk A and risk B are compared to one another. When the comparison is made, only those two risks are compared. If a group is considering the risk, consensus can be reached for each comparison, or the individual votes of each member of the group can be recorded. After all of the comparisons are made, the total numbers of votes for each of the risks is counted, and the risks are ranked according to the highest vote count. It is important to limit the discussion to the two risks under consideration and not allow discussion of the other risks at that time. Grouping the Risks Risks will frequently need to be grouped. This will be more important on large projects than on small ones. The general idea is that if it takes more than ten people to meet and deal with a group of risks, the meeting is too large and will be inefficient. As projects become larger it is necessary to have a series of risk manage- ment meetings, whereas in a small project, one meeting might do. To facili- tate this, you can use techniques similar to the techniques that were used in the development of the work breakdown structure. In fact, the work break- down structure itself can be used to organize meetings for risk management. Risks should be assigned to the person that is most closely associated 9618$$ $CH5 09-06-02 14:59:49 PS 158 Preparing for the Project Management Professional Certification Exam with where the risk will have its largest impact or to the person who has the most familiarity with the technology of the risk. A risk that takes place during the completion of a particular task and only directly affects that task should be a concern to the person responsible for that task. Of course, no task in a project is truly independent of all the others, so for more severe risks a person in the organization above the person responsible for the task may be responsible for the risk. Oftentimes, in projects where risk is of great concern, the project man- ager creates the position of risk manager. This person is responsible for track- ing all risks and maintaining the risk management plan. As projects become larger or tolerance for risk is low, this approach becomes more necessary. Affinity Diagramming Affinity diagramming is a simple tool that can be used to separate risks into groups that can then be managed separately by different groups of people on the project team. All you need for this are pads of sticky-back notes, a room with wall space, and cooperative people. Members of the project team are brought together for a meeting. You begin the process by writing all of the risks on small pieces of paper. Post-It notes work well for this. The members of the meeting then take their pieces of paper and post them on the wall. This is done in strict silence. Each person is allowed to move any of the posted notes. The notes may be moved as often as anyone wishes. Eventually, the notes will form into groups. When all the movement has stopped, the process is complete. At that point, one person in the group or the facilitator must document the results. Sticky-back notes will not stay on the wall for long. Risk Response Planning The next task that must be done in our risk management system is risk response planning. At this stage we have discovered all of the risks known to date and have an iterative process for discovering new risks as the project progresses. We have evaluated the risks and assessed their impact and proba- bility of occurrence. We have prioritized the risks in their order of impor- tance. We now must decide what to do about them. This is risk response planning. Risk response planning is the process of developing the procedures and 9618$$ $CH5 09-06-02 14:59:50 PS 159 Risk Management techniques to enhance opportunities and reduce threats to the project’s ob- jectives. In this process it will be necessary to assign individuals who will be responsible for each risk and generate a response that can be used for each risk. Risk Strategies Risk strategies are the techniques that will be used to reduce the effect or probability of the identified or even the unidentified risks. In terms of the risk strategy that should be employed, a qualitative or quantitative evaluation of the severity of the risk will be a guideline as to how much time, money, and effort should be spent on the strategy to limit the risk. Avoidance Risk avoidance means just what it says. The strategy is to avoid the risk completely. The project plan or the nature of the project is actually changed to make it impossible for the risk to occur. Some risks, such as the risk of not having a clearly defined set of user requirements, can be avoided by expending the effort to more clearly define the requirements. This may increase the time and effort previously allowed for this activity, but it will have the result of eliminating the risk. For example, suppose our project is to design a bicycle. Let’s say that during the design phase someone identified a risk of corrosion in the frame of the bicycle. If this corrosion were severe enough, it could cause a failure in the bicycle frame. This failure could cause serious injury to the person riding the bicycle at the time of failure. The strategy exercised by the project team on this project is to redesign the components that are corrosion problems and use a corrosion resistant material such as stainless steel. This completely avoids the problem of corro- sion in the bicycle frame identified as risky. The avoidance strategy cannot completely eliminate the risk. In this example, even though the bicycle is redesigned in stainless steel, if the bicycle were left outdoors by the ocean for nineteen years, it might still corrode enough to fail, but the probability becomes so small that the risk is, for all practical purposes, eliminated. Transfer Transferring a risk also eliminates the risk from impacting the project. When we transfer a risk, we move the impact of the risk to some other party. When 9618$$ $CH5 09-06-02 14:59:50 PS 160 Preparing for the Project Management Professional Certification Exam risks are transferred to another party, there is usually some sort of payment involved to induce the third party to take on the risk. Insurance is a method for transferring risk. In terms of risk manage- ment, what we are doing is hiring some third party to take over the impact of the risk. In return for this we pay a premium. For example, in 1995, PMI held its annual meeting in the city of New Orleans. Six months prior to this meeting, the PMI Board of Directors held their quarterly board meeting in New Orleans. The chapter hosted the board for a chapter meeting, and for the program they invited a panel of disaster and emergency management people to discuss hurricane effects on the city. The discussion at the meeting concerned itself with the possible results of a hurricane hitting New Orleans. The PMI board became somewhat ner- vous about their meeting, since it would be held in prime hurricane season. PMI recognized that the revenue from their annual meeting was a significant part of their operating budget, and they could not afford to take this loss. The result of this nervousness was that PMI purchased convention in- surance for the first time. As a result they paid a premium to the insurance company to take the risk of having their meeting cancelled. The insurance company agreed to pay PMI in the event of some disaster occurring that would force PMI to cancel their meeting. To show that this was indeed a real risk, three years later, a similar meeting was held by the Petroleum Engineers Association; the meeting was cancelled due to a hurricane. Contracting Another way of transferring risk is to contract the risk to an outside vendor. If this is done with a firm fixed price contract, the risk is effectively trans- ferred to the vendor. Generally, in firm fixed price contracts the vendor will alway raise the price of the service to compensate for the effect of the risk. Warrantees, performance bonds, and guarantees are additional methods for transferring risk. Acceptance The acceptance of a risk means that the project team has decided not to change the project in any way to compensate for the risk. The risk will be dealt with if and when it occurs. One way to think of acceptance is visualize the list of risks that was made. The risks were put in order according to the impact they would have on the project. If we imagine a line going through the list at some point. The items above the line are ones that we will do something about in our risk strategy. The items below the line are the risks 9618$$ $CH5 09-06-02 14:59:51 PS 161 Risk Management that we will accept. The point at which the line is drawn is the point of risk tolerance. Passive acceptance is when the project team does nothing at all about the risk. If the risk actually occurs, the project team will develop a way to work around the risk or to correct its effects. Active acceptance is when the project team develops a plan of action to be taken in anticipation of the risk occuring. This action will result in a contingency plan. The contingency plan can be implemented if triggers occur indicating the possibility of the risk occurring. In addition to the contingency plan, a fallback plan may be made as well. A fallback plan is an additional contingency plan to use in the event that the first contingency plan fails. Mitigation The strategies that we have discussed have either gotten rid of the risk en- tirely, transferred it to someone else, or just taken acceptance of the risk, either passively or actively. Risk mitigation is an effort to reduce the proba- bility or impact of the risk to a point where the risk can be accepted. Adding additional tests, hiring duplicate suppliers, adding more expert personnel, designing prototypes, or in other ways changing the conditions under which the risk can occur are ways of mitigating risk. The important difference in risk mitigation is that it reduces the risk to a level where we can accept it and its consequences. Adding specific work to the project plan employs the mitigation strategy. This work will always be done regardless of whether the risk occurs. The mitigation tasks are specific project tasks that are added to the project plan to reduce the impact or probability of the risk. It should be clear that an overall risk strategy should be designed to deal with risks by accepting them as they are, avoiding them by eliminating them from being possible, transferring them to another’s responsibility, or reducing their impact and/or probability to a level where they can be ac- cepted. Risk Opportunities Risks that are opportunities should be treated in a different way from risks that are damaging to the project. Generally, the same strategies should be used, with the exception that risks that are opportunities should not be deflected or transferred. This type of risk should be accepted or encouraged, a sort of mitigation in reverse. 9618$$ $CH5 09-06-02 14:59:51 PS TEAMFLY Team-Fly ® 162 Preparing for the Project Management Professional Certification Exam Budgeting for Risk In keeping with the principle that project baselines are definite commitments for the project, the project budget and schedules should be ones that the project is truly expected to meet. That is, the budget is the budget that is really expected to be spent when the project is complete, and the schedule should allow for sufficient time to do the project. This budget and schedule must include the time for managing and overcoming risks. In chapter 2, Time Management, we looked at dealing with schedule contingency. Here I discuss planning for budget contingency. Funds that are to be used for mitigation, avoidance, or transfer are budgeted in with the rest of the committed project work. These are actual tasks that must be done, or they are funds that will be spent regardless of whether or not the risk occurs. But how do we budget for the risk, work that must be done only if the risk occurs? There are two kinds of risks that must be dealt with, known risks and unknown risks. Known risks are the risks that were identified in the identifi- cation process of risk management discussed earlier. Unknown risks are the ones that we know will probably occur on this project, because unknown and unexpected risks have occurred before on projects of this type. Known risks should be handled by the creation of a contingency bud- get. This money is not assigned to specific project tasks and is set aside and available to fund the work that must be done if and when a risk occurs. This budget should require the approval of the project manager as a means of making certain that the money is truly allocated to solve risk problems. If this money is made available too easily, it will be spent early in the project on problems that occur that might have been solved in the normal course of completing the task. Unknown risks must be funded as well. In this case the risks are those that could not be identified in the risk identification process. An estimate based on past experience with similar projects can be made. This estimate is used to create a management reserve. The management reserve is similar to the contingency budget in that it is made available to fund unknown risks when they occur. In order to prevent the inappropriate use of this budget, a person at a level above the project manager level must approve the use of these funds. Risk Monitoring and Control Risk monitoring and control is the process of keeping track of all the identi- fied risks, identifying new risks as their presence becomes known, and resid- 9618$$ $CH5 09-06-02 14:59:52 PS 163 Risk Management ual risks that occur when the risk management plans are implemented on individual risks. The effectiveness of the risk management plan is evaluated on an ongoing basis throughout the project. When a risk is apparently going to take place, the contingency plan is put into place. If there is no contingency plan, then the risk is dealt with on an ad hoc basis using what is termed a ‘‘workaround.’’ A workaround is an unplanned response to a negative risk event. A corrective action is the act of performing the workaround or the contingency plan. The concern of the project manager and the project team is that the risk responses have been brought to bear on the risk as planned and that the risk response has been effective. After observing the effectiveness of the risk re- sponse, additional risks may develop or additional responses may be necessary. Risk management is a continuous process that takes place during the entire project from beginning to end. As the project progresses, the risks that have been identified are monitored and reassessed as the time that they can take place approaches. Early warning indicators are monitored to reassess the probability and impact of the risk. As the risk approaches the risk strategies are reviewed for appropriateness and additional responses are planned. As each risk occurs and is dealt with or is avoided, these changes must be documented. Good documentation insures that risks of this type will be dealt with in a more effective way than before and that the next project manager will benefit from ‘‘lessons learned.’’ Summary Risk management has become one of the most important aspects of project management. As companies become better at managing projects, the signifi- cance of risk management becomes more important. Many companies are not yet adept at determining project cost, schedule, and scope baselines and have not yet learned to manage the work that is actually going to have to get done in the project. Until this is done it does not seem worthwhile to con- sider risk management. The components of risk identification, probability, and impact must all be considered in order to determine how to deal with a risk. The combina- tion of impact and probability determine the severity of the risk. The severity of a risk determines its importance in ranking it among other risks. The steps in risk management—risk identification, risk evaluation, risk mitigation, and risk control—are necessary to manage risk. The steps must be carried out on a continuous basis throughout the project. 9618$$ $CH5 09-06-02 14:59:52 PS 164 Preparing for the Project Management Professional Certification Exam Companies and individuals have risk tolerance. They either tend to be gamblers and are willing to take chances to achieve rewards, or they tend to be conservative and less willing to take chances. Various methods can be used for risk identification. All of the tech- niques useful for group dynamics are also useful for identifying risks. Risk evaluation must determine the probability of the risk occurring and the im- pact that it will have if it does. Risks that are either very low in probability or very low in impact need not be considered as a serious threat to the project even though they may be coupled with high impacts or high probability, respectively. Expected values for risks are useful in determining the quantitative value of a risk in terms of dollars. The expected value of a risk is the approxi- mate amount of money that could be spent to eliminate the risk. Once it has been determined that a risk should be dealt with, the proper strategy must be employed. Risks can be avoided by completely eliminating the possibility of the risk through redesign or restructure of the project. Risks can be transferred by making someone else outside the project responsible for the risk. Risks can be mitigated by reducing either their probability or their impact to a level where they can be accepted. Contingency reserves are monies set aside for dealing with an identified risk when it occurs. The contingency reserve is part of the project budget. Management reserves are monies that are set aside for dealing with unidenti- fied risks when they occur. Management reserves are part of the project budget. CHAPTER 6 Quality Management O ne of the goals of project management is to meet the expectations of the stakeholders of the project. Managing the quality of the proj- ect is the function that will allow this to happen. Quality manage- ment will include all the work that is necessary to ensure that each of the objectives of the project is met. In the latest edition of the Guide to the Project Management Body of Knowledge, PMI emphasizes that the purpose of the project is to meet the requirements of the stakeholders. In the past, the project goal was to meet or exceed the customer’s expectations. We have discussed methods of controlling the project costs and sched- ule in the cost and time management chapters. These controls cover only two of the sides of the triple constraint triangle. Quality management con- trols the third side of the triangle, scope, as well as provides guidance for and assurance to meeting the other two constraints of cost and schedule. It is important to recognize that in modern project management, it is important to meet the stakeholders’ expectations. It is also important that the expectations of the stakeholders are not exceeded. The customer contracts for certain deliverables, and delivering something that was not asked for can be a waste of time and money. In some cases delivering more than is asked for can make matters worse. Quality should not be confused with grade. Quality that is low is always going to be a problem, while a low grade is not necessarily a bad condition. A product may be developed and marketed to appeal to those who want an inexpensive product that will have a limited useful life and functionality. This product may also have a lower cost. Stakeholders should get what they 165 [...]... carried out by the project team to accomplish this The plan also serves to provide the additional activities that will be added to the project scope, budget, and schedule that will allow these things to happen The quality plan should reflect the information that is gathered throughout the project All of the other areas of the management of the Quality Management 167 project should complement the quality... recognized, the project has been turned over to a maintenance and support function The project team may have been dissolved, and the members may be working on other projects Follow­ ing is a listing of the considerations for these costs According to Edward Deming, ‘‘Eighty-five percent of the cost of qual­ ity are the direct responsibility of management. ’’ 168 Preparing for the Project Management Professional. .. of quality in projects completed by the organization Each member of the project team, including each of the stakeholders of the project, is essential to the quality assurance of the project In modern thinking on quality it is the individual person performing work that is really responsible for assuring the quality of the product Cost of Quality As in all things in project management, there should be... used to accomplish the goal of ensuring that the scope of the project fulfills the stakeholders’ expectations The quality assurance function is a process that monitors the overall ability of the project to meet the expectations of the stakeholders The pur­ pose of the quality assurance function is to provide the confidence that the project will have the proper controls to be able to meet the standards that... implementation process Closeout occurs at the close of the contract Requirement Process In the requirement process the needs of the project are identified As in the requirements definition of the project, the requirements of the contract are identified These requirements come from a needs assessment, and the 184 Preparing for the Project Management Professional Certification Exam Figure 7-1 Contracting... the old machine, the benchmark for the existing process on the old machine is two hundred parts per hour Summary Quality management is one of the most important aspects of project man­ agement It is the ‘‘stuff ’’ that holds a project together We must have excel­ lent quality in the projects that we produce Quality management is the process that ensures that we produce each of the deliverables of the. .. areas of the project Audits make it possible to determine what is happening in the proj­ ect and whether the project quality is meeting the standards that were deter­ mined in the quality plan The quality assurance function includes the means to continuously im­ prove the quality of future projects as well Lessons learned from one project are applied to the quality plans of future projects so that there... In this technique the item to be inspected is made to fit or not fit into a specially designed gauge or special measuring device If the part fits into the ‘‘Go’’ gauge and does not fit into the ‘‘No Go’’ gauge, then the part is acceptable If the part does not fit into 170 Preparing for the Project Management Professional Certification Exam the ‘‘Go’’ gauge or fits into the ‘‘No Go’’ gauge, the part is considered... Generally, this is the common policy that will be used by all projects that the company will accomplish Each project and each interrelated project must modify the guidelines and gain approval on changes that will be required for a particular project The result of the quality planning process is the quality plan This plan describes how the quality of the project will be assured and the functions that... quality management (TQM) that are popular today In the latest edition of the Guide to the PMBOK, this position has not been changed, except where I have noted In preparing for the PMP examination, it would be advisable to read additionally in the area of TQM, since the certification exam committee may feel that this is an appropriate area for project management regardless of the treatment in the Guide to the . move the impact of the risk to some other party. When 9618$$ $CH5 09-06-02 14 :59 :50 PS 160 Preparing for the Project Management Professional Certification Exam risks are transferred to another. risk. The steps must be carried out on a continuous basis throughout the project. 9618$$ $CH5 09-06-02 14 :59 :52 PS 164 Preparing for the Project Management Professional Certification Exam Companies. Stakeholders should get what they 1 65 9618$$ $CH6 09-06-02 14 :59 :30 PS 166 Preparing for the Project Management Professional Certification Exam pay for. The quality of the item means that it is