Doing IT Projects Right with Risk Management - IT Projects Done Right: Risk Categories

Each risk was then put into one of six categories:

• Identified: a risk that has been identified but not yet dealt with in any way (the initial category for all risks).
• Accept and Monitor: Take no active steps regarding this risk, but continue to watch for its appearance.
• Mitigate: Take active steps to either eliminate the risk or mitigate its impact. 
• Closed – Realized: The risk already came to pass and there’s nothing to do about it now.
  
• Closed – Unrealized: The risk did not come to pass, and it doesn’t look as though it ever will.
• Closed – Consolidated: The risk is either a duplicate of another identified risk or so closely tied to it so as not to warrant separate tracking.

When I looked at the risks subsection, I found that the System X team had identified well over 200 risks to the project and was very actively evaluating, classifying, and addressing them.

The project team in turn used this risk information, as well as other reports and metrics, to generate a confidence-level status for the major project milestones. They expressed the status as: green; green-falling; yellow-rising; yellow; yellow-falling; red-rising; or red. Green, yellow and red convey the snapshot status of that milestone; “rising” or “falling” indicated whether the trend was improving or declining.

Of course, the problem with such confidence-level reporting is that it can be overly optimistic as it gets reported up the chain – the “thermocline of truth” that I’ve written about elsewhere.  But the fact that that the current list of risks is completely visible to everyone involved with the project (including upper management) tends to dampen that temptation to just pass up the good news. In other words, the risk visibility is critical for the success of such an approach, which is why the risks need to be online (rather than in a report) and readily accessible by all involved.

Computer Scientist Adele Goldberg once quipped, “Only optimists build complex systems.” I might amend that to say that while optimists start most complex systems projects, only the cautiously optimistic finish them. Active risk management is critical to the success of any major IT project.

For more insights and suggestions on this subject, I would strongly recommend Waltzing with Bears: Managing Risk on Software Projects by DeMarco and Lister. And remember: expose and discuss risks, don’t bury them. 

Bruce F. Webster is an international IT consultant. You can reach him at bwebster@bfwa.com or via his websites at brucefwebster.com and bfwa.com.
© Bruce F. Webster 2008