Project Management

Project Management Central

Please login or join to subscribe to this thread

Topics: Risk Management
Risk management, risk statuses and lessons learned
For risk management we use several risk statuses:
- Identified
- Mitigation planned
- Materialized
- Accepted
- Resolved/Closed
- Not occurred
From risk management perspective I need to update statuses accordingly during the project. But for future analysis and lessons learned I need to know which risks were materialized and which were not.
How to achieve it? Will appreciate your help
Sort By:
Page: 1 2 next>
Perhaps I did not understand your question but I saw you have a status related to the matter so it seems to me the way is to asking for each status when you perform monitoring sessions.
...
1 reply by Olha Ilvachova
Nov 25, 2020 4:28 AM
Olha Ilvachova
...
Hi! I do ask each status when performing monitoring sessions. The problem is that when risk is materialized, and then resolved, I change the status from 'Materialized' to 'Resolved'. And I do the same after mitigation actions - change the status from 'Mitigation planned' to 'Resolved'. So in the end I have no indication which of the risks were materialized and which mitigated
Olha -

Based on the taxonomy you have provided, you can query your risk register for materialized risks (a better term would be "realized"). By default, all others were not realized.

Kiron
I do agree with Sergio and Kiron
"which risks were materialized and which were not" is not the only consideration in lessons learned (LL). The WHY? is critical in order for the LL to have lasting value.

There are a couple things to keep in mind when undertaking your risk analysis so as to assist later in lessons learned process.
1) the risk event versus impact has to be clearly defined. For example schedule slippage is the impact not the event. Labour shortage may also be an impact rather than an event. You have to drill down to identify the root cause.
2) Mitigation may be applied to reducing probability or impact (sometimes both). .
3) From a lessons learned perspective one has to know why a risk event materialized or 'did not occur'. Was it due to mitigation? Were the applied probability factors reasonable? Was probability mitigation sufficient?
4) If the risk event occurred was the impact as expected? Was the impact mitigation effective? Should other mitigation measures have been considered?.

If the intent is to do a post mortem (lessons learned) on the risk management process you have to set it up during the initial risk analysis.
...
1 reply by Olha Ilvachova
Nov 25, 2020 5:24 AM
Olha Ilvachova
...
Hi! Thanks for your comment. Actually, we perform risk analysis and describe all these things. The problem is with differentiating which risks were materialized and resolved, and which were resolved after mitigation actions
Having fought against poorly conceived metrics for many years, two things I recommend always considering are:

1) How will the data be used to drive performance?
2) How will the data be collected?

That requires thinking through your process before you collect data. Without considering those, organizations often spend a lot of time and money collecting useless data that provides no information of value.

You know more than us about how the data will be used and whether you're simply counting realized risks, or will later use that data to find common themes or trends for example. This is important because if you do not include the right data when you start, you eventually get to a point where you realize you are missing what you really needed.

How you enter and collect the data often drives how you must structure the data. If a risk was realized, and then resolved or mitigated and you over-write the status column, you just lost data. Something as simple as an extra column for Realized (Yes/No) may fix that. The point being, the data usage later drives the data collection/record keeping requirements.

Sometimes people try to avoid those by collecting every data point they can imagine in case it might be useful later. Most of it turns out to be worthless, and now people spend far too much time collecting data rather than managing risks.
Nov 24, 2020 6:48 AM
Replying to Sergio Luis Conte
...
Perhaps I did not understand your question but I saw you have a status related to the matter so it seems to me the way is to asking for each status when you perform monitoring sessions.
Hi! I do ask each status when performing monitoring sessions. The problem is that when risk is materialized, and then resolved, I change the status from 'Materialized' to 'Resolved'. And I do the same after mitigation actions - change the status from 'Mitigation planned' to 'Resolved'. So in the end I have no indication which of the risks were materialized and which mitigated
...
2 replies by Peter Rapin and Sergio Luis Conte
Nov 25, 2020 9:49 AM
Peter Rapin
...
Assuming you save the updates as you proceed you can always go back to earlier versions. More effort but the data should still be available.
Nov 27, 2020 9:51 AM
Sergio Luis Conte
...
Now I understood. This is an "ancient" problem in information technology (jeje). What you have to do is change the status but keep the previous record. I mean, when the status is changed you have to create a new record as a copy of the original but with the new status. In that way you will be able to trace the whole life of each risk/issue. This is a technique used in some place like bank/finance domains to pass SOX controls for example. Hope it helps.
Nov 24, 2020 10:04 AM
Replying to Peter Rapin
...
"which risks were materialized and which were not" is not the only consideration in lessons learned (LL). The WHY? is critical in order for the LL to have lasting value.

There are a couple things to keep in mind when undertaking your risk analysis so as to assist later in lessons learned process.
1) the risk event versus impact has to be clearly defined. For example schedule slippage is the impact not the event. Labour shortage may also be an impact rather than an event. You have to drill down to identify the root cause.
2) Mitigation may be applied to reducing probability or impact (sometimes both). .
3) From a lessons learned perspective one has to know why a risk event materialized or 'did not occur'. Was it due to mitigation? Were the applied probability factors reasonable? Was probability mitigation sufficient?
4) If the risk event occurred was the impact as expected? Was the impact mitigation effective? Should other mitigation measures have been considered?.

If the intent is to do a post mortem (lessons learned) on the risk management process you have to set it up during the initial risk analysis.
Hi! Thanks for your comment. Actually, we perform risk analysis and describe all these things. The problem is with differentiating which risks were materialized and resolved, and which were resolved after mitigation actions
Olha -

Are you able to modify the taxonomy to support the reporting you are looking for? Basically, you'd want to differentiate the following four cases:

1. Identified risks which were just accepted but were not realized
2. Identified risks which were just accepted and were realized
3. Identified risks which were responded to (e.g. avoid/transfer/mitigate/escalate) and were not realized
4. Identified risks which were responded to (e.g. avoid/transfer/mitigate/escalate) and were realized

Kiron
...
3 replies by Olha Ilvachova and Peter Rapin
Nov 25, 2020 9:47 AM
Peter Rapin
...
I would add for risks that materialized but were NOT initially identified. From a lessons learned perspective what you missed is as important as confirmation of what you didn't.
Nov 25, 2020 10:30 AM
Olha Ilvachova
...
You actually gave me an idea that I might just need 2 different statuses for resolved: 1) 'Resolved (mitigated)' that can be used for risks that were successfully mitigated and thus prevented. 2) 'Resolved (materialized)' for risks that materialized and were fixed afterwards
Nov 25, 2020 10:41 AM
Olha Ilvachova
...
Identified - risks that were identified and are in the process of investigation/response planning.
Mitigation planned - risks where we have created a mitigation plan and someone is assigned for taking care about it.
Materialized - risks that occurred. It can be both accepted risks and with mitigation plan (unsuccessful)
Accepted - when team could not suggest any mitigation plan and we leave it as is
Not occurred - risk that just not happened without any mitigation steps. Usually we se it for accepted risks
Resolved/Closed - risks either successfully mitigated, or materialized and the consecuences fixed.
So I assume that I might need to differentiate 2 types of 'resolved' and that should help. Because I manage risks via MS Project Online and it does not support historical information
Nov 25, 2020 7:58 AM
Replying to Kiron Bondale
...
Olha -

Are you able to modify the taxonomy to support the reporting you are looking for? Basically, you'd want to differentiate the following four cases:

1. Identified risks which were just accepted but were not realized
2. Identified risks which were just accepted and were realized
3. Identified risks which were responded to (e.g. avoid/transfer/mitigate/escalate) and were not realized
4. Identified risks which were responded to (e.g. avoid/transfer/mitigate/escalate) and were realized

Kiron
I would add for risks that materialized but were NOT initially identified. From a lessons learned perspective what you missed is as important as confirmation of what you didn't.
Nov 25, 2020 4:28 AM
Replying to Olha Ilvachova
...
Hi! I do ask each status when performing monitoring sessions. The problem is that when risk is materialized, and then resolved, I change the status from 'Materialized' to 'Resolved'. And I do the same after mitigation actions - change the status from 'Mitigation planned' to 'Resolved'. So in the end I have no indication which of the risks were materialized and which mitigated
Assuming you save the updates as you proceed you can always go back to earlier versions. More effort but the data should still be available.
Page: 1 2 next>  

Please login or join to reply

Content ID:
ADVERTISEMENTS

"The most incomprehensible thing about the universe is that it is comprehensible."

- Albert Einstein