Voices on Project Management offers insights, tips, advice and personal stories from project managers in different regions and industries. The goal is to get you thinking, and spark a discussion. So, if you read something that you agree with--or even disagree with--leave a comment.
When we prepare our risk management plan, we believe it will work. The irony is that its effectiveness is only revealed when the risk actually occurs. But have you ever thought of simulating the risk?
Let's start with two very basic risks that can occur with any IT project:
1. Critical project worker goes on emergency leave 2. Database server goes down one week before the release
How would you simulate and manage those risks?
In the first scenario, the best option could be just asking the worker to go on leave and see how you manage the work and team. Ask your team members to take leave on alternate schedules so you can measure the impact of each one of them.
In the second situation, ask your team to shut down the server and verify your mitigation plan. It may seem foolish, but this is best way you can determine the effectiveness of your mitigation plan if the risk actually occurs.
Running scenarios is a good way to test your response plans to a risk. As for the first one I understand what you are pointing out yet I do not think you will get a lot of volunteers to burn their leave to test a response plan.
I would opt of the following:
Ask the team member to remove him/herself from the project for a period of time. A week should do. You will have to have some confidence in this person that they will remove themselves from the project. In today's always connected world it could be hard to do.
I would also remove them from the project schedule to show the impact of a resource being lost.
Just some adjustments to your recommendations.
Rather then simulating risks to measure the effectiveness of mitigation plan, we need to take into consideration of alternatives.
First of all, who will assign budgets for simulation? or Do you think risk simulation is just like fire drill? It's okay if you are working for Government organization to use endless simulation models like the one used in weather forecasting with 30% - 80% of chance of raining.
My point is risk management plan should be made in good faith taking into account technical capabilities and financial liabilities of the organization to mitigate the risk under changed circumstances/environment. Take the example of BP in Gulf at least if not technical (fixing the well) for time being they are capable of taking care of financial liabilities arising out of failure of blowout prevention.
Extreme ideas are good but simulation for everything is waste of time and money. History of mankind shows after all Life and work not always go as per plan and wish.
Prasad Karnati, PMP
Although risk simulation is a good idea, I would like to add my opinion regarding the mentioned two basic risk scenarios.
It is known that risks can be classified into known risks and unknown risks. As mentioned by Saini, these two are most common scenarios in IT field. Definitely there must be existing a contingency plan for known risks when you were preparing the Project Plan. So we can follow the alternatives specified in the contingency plan.
Why I am stressing on this point, because in a project where time is a constraint you can't afford to spend time on simulating the basic risks. Also, we can gather information from lessons learned documents from previous projects on how these kind of risks are handled by previous teams.
As most of the basic risks can be handled efficiently, I would suggest that time can be spent on handling most critical and high priority risks.
Well, if time is not a constraint then definitely you can experiment on risk simulation.
Deepa Susan Koshy
On an actual project, I do not think the project manager has all the say to decide to perform simulations. Since you are introducing a risk to the project by doing this and since there can be impact to the triple constraints, you will need to have a buy-in from the project sponsor/ customer and other important stakeholders.
As Mr. Prasad has already pointed out, known risks are already planned for in the risk management plan and i think the most important think to understand about risks is that the actual can be different to the simulated setting. For example; in a 3-month duration project, the exact time (beginning/ end of project) when the critical resource is missing from the scene can have different effects to the project plan. So the actual risk you encounter could be different to the simulated scenario. The way out for the PM, bolster our decision making skills.
I agree with Deepa that for a 3-month duration, project risk simulation is not possible. I have been working on project for the last five years and we have depend on individual resources. We always try to simulate the resource going-on-leave risk.
It is a good idea to test the effectiveness of the risk mitigation solutions. However most of the projects cannot afford this luxury, as they are caught in the Bermuda triangle (of triple constraints).
In my opinion, if this has to be done, it is worthy to test only the risks with high severity. Also, this can be done in a very controlled way to minimize the impact on the projects.
For example, re: the two risks you mentioned,
1) Resource unavailable: The resource need not actually go on vacation/leave. If he/she is asked to not do the allocated work for a predetermined time period, the response plan can be put to test.
2) DB Shutdown: The server need not be shutdown for this, as it could disrupt the whole project. One or two resources can be asked to start working on the mitigation plan, presuming the server is down.
The objective is to only test the effectiveness of the response plan, not necessarily create a situation in which it occurs. It is as good as a fire drill, without any fire.
This approach may not be applicable for all the risks, however can be certainly tried where feasible.
On the first point, I agree to a large extent. Giving planned leave to a 'critical' person will give a chance to other aspirants in the team to rise up!!
Unverified plans aren't worth the paper they're written on, generally.
I would love to hear from a PM who has tried the suggestion above. I could just imagine my boss' response if I told him I had to go on paid administrative leave and be unreachable by phone or email in order to confirm that the plan I'd made for handling my emergency absence would work. And oh, by the way, the PM can't give prior notice or check in during the simulated emergency leave as that would distort the test conditions. I suspect it might be seen as a devious tactic for getting some vacation time.
I understand the necessity of verification, but can't see politically that this would fly.
A more viable option might be to have the PMO bear the costs/responsibility/accolades of putting such tested risk-management scenarios in place, which are common to all projects for the organization. Those could be part of the organization's risk management plan and applied to any project in the event they are needed.
There are many examples of performing a real or almost real simulation. It is the only way to be sure or as sure as is possible that your plan will work.
There was a lot of work to prepare for Y2K and many cities ran test of a complete shutdown to make sure their corrected code would work. Companies hire Licensed Penetration Testers to find out if their cyber security measures are adequate to keep out an experienced and determined hacker. Thatâ€™s not a simulation, they hack you and they will find where your security plans need to be shored up. They just wonâ€™t damage anything. Usually no one is notified or knows that this test is going on except the sponsor who is paying, so it is quite real.
In a short project this seems to be overkill. But in a very expensive and long term project, the impact of uncertainties may warrant simulations. I agree that risks which are easily identified and commonly identified such as these listed in the question would not warrant such testing, but those offering great severity may.
So, in the right situation, it may be just what you need to do to prove your point to someone, or to discover the potential impact, or try out your response plans. All reasonable expectations if the situation warrants it. The real risk then becomes being right about if the situation warrants it or if you would be wasting time and resources.
Actually both these points are typical risk categories that arise in any project and hence there should be standard mitigation procedures already set up.
For the server obviously there need to be a backup and restore environment. If the company is big then there need to be a automatic duplication mechanism in place.
For the key resource going on emergency, the risk mitigation mainly should be decouple the key with the resource and ensure a team of resources could handle the situation.
Apurv Raveshia, PMP
I would respectfully disagree to simulation of risk related to critical resources. A critical resource is in the end, a human being and humans can be ethical as well as non ethical.
If somebody is critical on project and is not ethical, he might misuse his dependency if he realizes his impact.
Undoubtedly we are going to plan certain things, if we happen to learn it has very severe impact, but still I would not take this for planned simulation.
However, if it happens like that resource is asking to work on something else or vacation, I would grant it and observe impacts in his absence without making any noise.
I am not being pessimistic about personal ethics and values. Just considering that as also risk.
Apurv Raveshia, PMP
I think talking about simulation and not taking advantage of the planning software available is surprising.
So there is a new feature in Microsoft Project 2010, which allows you to add risk actions which remains dormant until you switch them on, allowing you simulate more than one paths of future.