Project risk and recovery
If a risk cannot be treated to a level within the desired range, the organisation must make a conscious decision about continuing the project based on the costs and expected benefits. This should be combined with a clear rollback strategy (a contingency that limits the impact) or insurance (transference), either of which can be used if the risk occurs.
If we apply the same principles to disaster recovery, we should aim to reduce the impact of a threat to a level acceptable to the organisation. If there are threats that we cannot get low enough in terms of likelihood or impact, the organisation has to make a conscious decision about accepting the threat or requiring different treatment. In many cases, this will be based on the monetary loss expected if the threat occurs.
Project risk in practice
Let’s apply the table to a project risk. There is a high impact, medium probability risk or threat that, if it occurs, would result in a $100,000 organisational cost. The table weights a medium probability, high impact rating at 20 percent, so we would ‘value’ the risk at $20,000, 20 percent of $100,000.
We now apply $25,000 of mitigation, which reduces the likelihood to low and the impact to medium. We also put in place another $10,000 of contingency to reduce the impact further to low, leaving a residual risk value of $3,000, three percent of $100,000.
The overall impact of these activities can now be valued in the business case—$25,000 up front and $10,000 if the risk occurs—and $3,000 residual. If the project benefits show we can afford this, then we go ahead.
This risk value can be used to balance the treatment between mitigation and contingency, and to determine the suitability of the treatment and the size of the risk budget to be applied in a project.
As project managers, we have input into this along with project governance, and this enables us to give the business some monetary value related to the likelihood of the threat occurring. This will need to be reassessed over time and the risks monitored and reported. We can also total the overall value of residual risks and monitor the risk value over time.
We can use the same process with threats after we apply disaster recovery activities to get a monetary value for the residual exposure involved. The one difference is that we will be looking at the threat over a longer time frame: the window in which it can occur is wider, so the probability is likely to be higher and the residual value will also be greater.
Each threat with a residual rating above the threshold should be assigned an owner who will be responsible for monitoring the threat and reporting to the organisation if the risk level changes, or on a regular basis if not. This brings the treatment of threats front-of-mind in the organisation and gives them a real basis for acting based on a perceived monetary value.
So what about our project manager focused on delivery of the project? If we lost an hour’s worth of work once a century, would that be worth doing something about? How about every 10 years? How about every year, month, week or day? Is the treatment value for money?
It all comes back to the likelihood of the threat or risk occurring: that is what decides whether a given treatment is worth paying for. Remember that one treatment may apply across a number of threats or risks, so its cost should be set against the combined reduction in risk value across all of them, not against the value we expect to get from any single one.
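As an added illustration that is not part of the original article, the valuation above (full loss multiplied by the table weighting, then treatment, then residual value), the portfolio bookkeeping, and the break-even question about frequency of loss are worked through below in Python. The weighting table is assumed except for the two cells the text gives (20 percent for medium probability, high impact; 3 percent for low, low); the risk names, figures and helper functions are constructed here and are not the author's.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Weighting table: the fraction of the full loss counted as the risk's value.
# The text gives only two cells: (medium likelihood, high impact) = 20% and
# (low, low) = 3%. Every other cell below is an ASSUMED figure for illustration
# and should be replaced by the organisation's own table.
RISK_WEIGHT = {
    ("low", "low"): 0.03,    ("low", "medium"): 0.06,    ("low", "high"): 0.10,
    ("medium", "low"): 0.08, ("medium", "medium"): 0.12, ("medium", "high"): 0.20,
    ("high", "low"): 0.15,   ("high", "medium"): 0.30,   ("high", "high"): 0.50,
}


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float        # full cost to the organisation if the risk occurs
    likelihood: str    # "low" | "medium" | "high"
    impact: str        # "low" | "medium" | "high"

    def value(self) -> float:
        """Monetary value of the risk: full loss x table weighting."""
        return self.loss * RISK_WEIGHT[(self.likelihood, self.impact)]


@dataclass(frozen=True)
class Treatment:
    name: str
    up_front: float = 0.0             # spent regardless of outcome (mitigation)
    if_occurs: float = 0.0            # spent only if the risk occurs (contingency)
    likelihood: Optional[str] = None  # new rating, or None to leave unchanged
    impact: Optional[str] = None


def treat(risk: Risk, *treatments: Treatment) -> Risk:
    """Residual risk after applying the treatments in order."""
    for t in treatments:
        risk = replace(risk, likelihood=t.likelihood or risk.likelihood,
                       impact=t.impact or risk.impact)
    return risk


def business_case(risk: Risk, *treatments: Treatment) -> dict:
    """The figures the text puts into the business case."""
    residual = treat(risk, *treatments)
    return {
        "initial_value": risk.value(),
        "up_front": sum(t.up_front for t in treatments),
        "if_occurs": sum(t.if_occurs for t in treatments),
        "residual_value": residual.value(),
    }


def total_residual(risks, treatments_by_name) -> float:
    """Portfolio figure to monitor over time: the sum of residual risk values."""
    return sum(treat(r, *treatments_by_name.get(r.name, ())).value() for r in risks)


def shared_treatment_reduction(risks, treatment: Treatment) -> float:
    """Total reduction in risk value when one treatment covers several risks.
    This combined figure, not any single risk's reduction, is what the
    treatment's cost should be set against."""
    return sum(r.value() - treat(r, treatment).value() for r in risks)


def break_even_events_per_year(treatment_annual_cost: float, loss_per_event: float) -> float:
    """How often a loss must occur before an annual treatment cost pays for itself."""
    return treatment_annual_cost / loss_per_event


def treatment_pays_off(loss_per_event: float, events_per_year: float,
                       treatment_annual_cost: float) -> bool:
    """True when the expected annual loss avoided exceeds the annual treatment cost."""
    return loss_per_event * events_per_year > treatment_annual_cost


if __name__ == "__main__":
    # The text's own example: $100,000 loss, medium probability, high impact.
    risk = Risk("data centre outage", 100_000, "medium", "high")
    mitigation = Treatment("mitigation", up_front=25_000, likelihood="low", impact="medium")
    contingency = Treatment("contingency", if_occurs=10_000, impact="low")
    print(business_case(risk, mitigation, contingency))

    # The "lost hour of work" question: constructed figures, $50 per lost hour,
    # $500 a year for the treatment. Frequencies per year, assuming 250 working days.
    for label, freq in [("century", 0.01), ("decade", 0.1), ("year", 1),
                        ("month", 12), ("week", 52), ("day", 250)]:
        print(f"once a {label}: pays off = {treatment_pays_off(50, freq, 500)}")
    print("break-even events per year:", break_even_events_per_year(500, 50))
```

The decision of whether the project can afford the up-front, contingent and residual figures is deliberately left outside the code, as the text leaves it with the organisation rather than the project manager; `shared_treatment_reduction` is the figure to compare against a treatment's cost when it covers more than one risk.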
As project and threat managers, we can now look at these high impact, low likelihood risks and threats in a common way and, using the above formula, come up with a monetary impact on the organisation if they should occur. It will then be up to the organisation, not the project manager, to decide how they fund this, and go into it with a firm basis for getting value for money out of our risk and threat treatment.