Wednesday, November 2, 2011

All the risks up front

Last month I was having a discussion and the point was made that perhaps risk managers should use a governance paradigm something like the original requirements paradigm: define all the risks at the beginning, and then only review plans and progress thereafter, resisting--with governance--changes during the course of the project.

I said no.

You can't freeze risks any more than you can freeze requirements. The world simply does not stand still, and perhaps that is more true for risks than requirements, though I'm really not sure. In any event, as the requirements governance paradigm has evolved, and means and methods have been developed to deal with change--and perhaps Agile is the most extreme but not exclusive means and method for doing so--so also a regimen for risk management should have a governance mindset to deal with volatility.

To my risk management students I have posited the "cone of uncertainty", something written about by many, including Dr. Barry Boehm. The cone gives a temporal dimension to risk: the farther out in time, the more optimistic we are in evaluating risk. There's simply more time to deal with it; we feel we can fix it. Closer in time, some options are off the table, and we're more pessimistic. The cone begins to close down.

Thus, if for no other reason, the risk register cannot be static. Even if we don't discover any new risks, the risks so far identified will change character, or our assessment of them will change--we call this utility--and the risk response will change accordingly.

So, bottom line: there can be no static, up-front identification and assessment. Even the PMBOK agrees that the process is repeated throughout the project.

Got to keep it relevant and current.

