Managing risk and contingency
I was recently interviewing a risk management specialist and was intrigued to find that although he had a huge amount of knowledge about risk and issues management, he had very little knowledge of contingency. So many people think contingency is a cost management concern that they forget it's actually the integration point between cost and risk, and between time and risk, since contingency should also apply to the schedule.
Microsoft Excel and SharePoint-type tools are terrific for logging risks, assigning responsibility, recording ratings and capturing response plans. They can play a key part in ensuring issues and risks are managed. But what about the response plans, especially those you will do now or soon?
Many people think response plans are only activated once risks are realised, but that’s not risk management, that’s issue management. There are things that can be done right now to reduce the likelihood and/or the impact of the risk. The things you intend to do after the risk is realised are called contingency plans.
A classic mistake people make is to think that you only need one response plan for each risk. Wrong! With many risks, you plan to do various things to reduce the likelihood and various things to reduce the impact, plus have one or more contingency plans.
Example: Ocean racing and man overboard
Man overboard is an obvious risk with yacht racing. IF you fall overboard THEN you face a real prospect of death or severe exposure. As a skipper, you ensure:
- Training and procedures to avoid falling overboard (to reduce likelihood)
- Wearing of tethers, especially at night and in rough weather (to reduce likelihood)
- Wearing of life jackets and protective clothing (to reduce impact)
- Carrying of emergency beacons (to reduce impact)
- Training in man overboard recovery procedures (contingency plans)
As you can see, there are multiple response plans, real cost to people up front and a residual risk, since there will always be a man overboard risk.
So who funds the response plans? Are they expected to already be included in schedules and budgets or is there a separate risk budget and time allowance? Is there a hidden funding allowance or an expectation of overrun? Is there no allowance made?
Terminology is a problem, with some organisations referring to a risk budget, some to contingency, some to management reserve. This is further complicated if vendors are involved. Policies differ: some organisations consider a 10% overrun in budget acceptable, for example with 10% contingency factored into funding.
Regardless of what it is called, consider:
- Time, effort and hence cost to fund risk response plans you will do now or soon.
- Time, effort and hence cost to fund contingency plans you might do in the future if risks are realised—tricky as probability is a factor here.
- Cost allowance to fund impact on the project and/or business of risks in the future if risks are realised—tricky as probability is a factor here.
- Time, effort and hence cost to fund anticipated but as yet unknown risks.
- Time, effort and hence cost to fund anticipated but as yet unknown scope changes.
Some of the above will be included in the project budget, others will be outside of the project budget but may well be included in funding requests.
Is contingency owned by the vendor, the project team or the sponsor? This depends to some extent on who owns the risk. Maturity also comes into it: fear of making contingency visible and misunderstanding of forecasting versus budgeting are both common.
So how much is enough? In construction, we used to talk 10%. In IT, depending on what you believe, studies we have seen indicate 30% or higher is more realistic. All we really know for sure is that 0% is definitely the wrong answer.