返回正常中文阅读

想对这篇译文“指手画脚”吗?

您的参与将有助于译者提高译文的质量;同时,大家一起对问题的讨论也是最佳的学习方式。还等什么?请现在就注册登录译言,开始眉批!
大错 小错 不顺 建议

How to Develop a Risk Management Plan - wikiHow

Developing an effective Risk Management Plan is an important part of any project. Unfortunately, this step is often avoided with the "deal with it later" attitude. If everything goes smoothly and without incident, that approach does no harm. But normally, issues do arise and without a well developed plan, even small issues can become emergencies.

There are different types of Risk Management and different uses that include calculating credit-worthiness, planning for adverse events (i.e. disasters), determining how long the warranty on a product should last, calculating insurance rates, and many more. In this document we will look at Risk Management from the standpoint of planning for adverse events.

Steps

  1. Understand how Risk Management works. Risk is the effect (positive or negative) of an event. It is computed from the probability of the event materializing (becoming an issue) and the impact it would have (Risk = Probability X Impact). Various factors should be identified in order to analyze risk, including:

    • Event: What could happen?
    • Probability: How likely is it to happen?
    • Impact: How bad will it be if it happens?
    • Mitigation: How can you reduce the Probability (and by how much)?
    • Contingency: How can you reduce the Impact (and by how much)?
    • Reduction = Mitigation X Contingency
    • Exposure = Risk – Reduction

      • After you identify the above, the result will be what’s called Exposure – that’s the amount of risk you simply can’t avoid. Exposure may also be referred to as Threat, Liability, Severity or other names but they pretty much mean the same thing. It will be used to help determine if the planned activity should take place.
      • Often this is a simple cost vs. benefits formula. You might use these elements to determine if the risk of implementing the change is higher, or lower, than the risk of not implementing the change.
    • Assumed Risk If you decide to proceed (sometimes there is no choice, e.g. federally mandated changes) then your Exposure becomes what is known as Assumed Risk. In some environments, Assumed Risk is reduced to a dollar value which is then used to calculate the profitability of the end product.
  2. Define your project. In this article, let's pretend you are responsible for a computer system that provides important (but not life-critical) information to some large population. The main computer on which this system resides is old and needs to be replaced. Your task is to develop a Risk Management Plan for the migration. This will be a simplified model where Risk and Impact are listed as High, Medium or Low (that is very common especially in Project Management).
  3. Get input from others. Brainstorm on risks. Get several people together that are familiar with the project and ask for input on what could happen, how to help prevent it, and what to do if it does happen. Take a lot of notes! You will use the output of this very important session several times during the following steps. Try to keep an open mind about ideas. "Out of the box" thinking is good, but do keep control of the session. It needs to stay focused and on target.
  4. Identify the consequences of each risk. From your brainstorming session, you gathered information about what would happen if risks materialized. Associate each risk with the consequences arrived at during that session. Be as specific as possible with each one. "Project Delay" is not as desirable as "Project will be delayed by 13 days." If there is a dollar value, list it; just saying "Over Budget" is too general.
  5. Eliminate irrelevant issues. If you’re moving, for example, a car dealership’s computer system, then threats such as nuclear war, plague pandemic or killer asteroids are pretty much things that will disrupt the project. There’s nothing you can do to plan for them or to lessen the impact. You might keep them in mind, but don’t put that kind of thing on your risk plan (OK, if you’re working for the United Nations, maybe).
  6. List all identified risk elements. You don’t need to put them in any order just yet. Just list them one-by-one.
  7. Assign probability. For each risk element on your list, determine if the likelihood of it actually materializing is High, Medium or Low. If you absolutely have to use numbers, then figure Probability on a scale from 0.00 to 1.00. 0.01 to 0.33 = Low, 0.34 to 0.66 = Medium, 0.67 to 1.00 = High.

    • Note: If the probability of an event occurring is ZERO, then it will be removed from consideration. There’s no reason to consider things that simply cannot happen (enraged T-Rex eats the computer).

      Table 1
      Table 1


  8. Assign impact. In general, assign Impact as High, Medium or Low based on some pre-established guidelines. If you absolutely have to use numbers, then figure Impact on a scale from 0.00 to 1.00 as follows: 0.01 to 0.33 = Low, 0.34 – 066 = Medium, 0.67 – 1.00 = High.

    • Note: If the impact of an event is ZERO, it should not be listed. There’s no reason to consider things that are irrelevant, regardless of the probability (my dog ate dinner).

      Table 2
      Table 2
  9. Determine risk for the element. Often, a table is used for this. If you have used the Low, Medium, High values for Probability and Impact, the top table is most useful. If you have used numeric values, you will need to consider a bit more complex rating system similar to the second table here. It is important to note that there is no universal formula for combining Probability and Impact; that will vary between people, and between projects. This is only an example (albeit a real-life one):

    Table 3 at top, Table 4 at bottom
    Table 3 at top, Table 4 at bottom


    • Be flexible in analysis. Sometimes it may be appropriate to switch back and forth between the L-M-H designations and numeric designations. You might use a table similar to the one here:

      Table 5
      Table 5
  10. Rank the risks: List all the elements you have identified from the highest risk to the lowest risk.

    Table 6
    Table 6
  11. Compute the total risk: Here is where numbers will help you. In Table 6 you have 7 risks assigned as H, H, M, M, M, L, and L which can translate to 0.8, 0.8, 0.5, 0.5, 0.5, 0.2 and 0.2, from Table 5. The average of the total risk is then 0.5 which translates to Medium.
  12. Develop mitigation strategies. Mitigation is designed to reduce the probability that a risk will materialize. Normally you will only do this for High and Medium elements. You might want to mitigate low risk items but certainly address the other ones first. For example, if one of your risk elements is that there could be a delay in delivery of critical parts, you might mitigate the risk by ordering early in the project.
  13. Develop contingency plans. Contingency is designed to reduce the impact if a risk does materialize. Again, you will usually only develop contingencies for High and Medium elements. For example, if the critical parts you need do not arrive on time, you might have to use old, existing parts while you’re waiting for the new ones.
  14. Analyze the effectiveness of strategies. How much have you reduced the Probability and Impact? Evaluate your Contingency and Mitigation strategies and reassign Effective Ratings to your risks.

    Table 7
    Table 7
  15. Compute your effective risk. Now your 7 risks are M, M, M, L, L, L and L, which translate to 0.5, 0.5, 0.5, 0.2, 0.2, 0.2 and 0.2 which gives an average risk of 0.329. Looking at Table 5 we see that the overall risk is now categorized as Low. Originally the Risk was Medium (0.5). After management strategies have been added, your Exposure is Low (0.329). That means you have achieved a 34.2% reduction in Risk through Mitigation and Contingency; Not bad!
  16. Monitor your risks. Now that you know what your risks are, you need to determine how you’ll know if they materialize so you’ll know when and if you should put your contingencies in place. This is done by identifying Risk Cues. Do this for each one of your High and Medium risk elements. Then, as your project progresses, you will be able to determine if a risk element has become an issue. If you don’t know these cues, it is very possible a risk could silently materialize and affect the project, even if you have good contingencies in place.

    Table 8
    Table 8

 

Tips

  • Plan for change. Risk Management is a fluid process because risks are always changing. Today, you might assign some risk with a high probability and a high impact. Tomorrow, the probability or the impact might change. Also, some risks might drop completely off the table while others come into play.
  • Always investigate. What have you missed? What things could happen that you haven’t yet considered? This is one of the hardest things to do and one of the most critical. Make a list and check it repeatedly.
  • Use a spreadsheet to keep track of the risk plan on an ongoing basis. Risks change, old risks may disappear and new risks will come into focus.
  • Part of a good contingency plan is an early warning signal. If there is a test result that will tell you if you need to adopt your contengency plan, make sure you expedite those test results. If there isn't a good warning signal, try to design one.
  • You can use Exposure to help determine if you want to actually do the project. If the total project estimate is $1,000,000 and your Exposure is 0.329, the general rule is you have a $329,000 potential over the estimate. Can you budget the extra money... just in case? If not, you might want to reconsider the scope of the project.
  • Reduction = Risk – Exposure. In this example (and assuming a $1,000,000 project estimate) your Risk is 0.5 X $1,000,000 ($500,000) and your Exposure is 0.329 X $1,000,000 ($329,000) which means the value of your Reduction = $171,000. Use that as an indication of how much you can reasonably spend on managing the risks – that should be a part of the revised project estimate (like Insurance).
  • In situations where the Project Manager may become overloaded with the Risk Management function, the analysis could be limited to the project's critical path. In that event it is advisable to calculate multiple critical paths with, perhaps, additional lag time to more proactively identify tasks that are likely to land on the critical path. This is especially appropriate when a single PM is controlling multiple projects. Risk Management needs to be considered as a part of the project, but not overshadow the other planning and control functions (see Warnings).

 

Warnings

  • Don’t get too intricate for the project. Risk Management is an important part of the project but it shouldn’t overshadow the actual work to be done. If you’re not careful about this, you can start chasing irrelevant risks and overload your plan with useless information.
  • Do not ignore Low risk items completely, but don’t spend much time with them. Use High, Medium and Low to indicate how much effort you will put into monitoring each risk.
  • Do not assume you have all the risks identified. The nature of risk is that it is unpredictable.
  • Do not let politics interfere with your assessment. This happens a lot. People don’t want to believe things they control could go wrong and will often fight you about risk levels. "Oh that could never happen" could be true, but then again it might be someone's ego talking.
  • Consider what might happen if two or three things go wrong at the same time. The probability will be very low, but the impact can be extreme. Nearly every major disaster involved multiple failures.

如何制定风险管理计划

对任何项目来说,制定一个有效的风险管理计划是十分必要的。但是这项工作常常被忽视。如果一切顺利,当然无妨。但是如果出现问题,没有一个可行的计划,即使是一个小失误也会演变成突发危机。

不同的风险管理方式有不同的使用方法,它包括信贷价值、危机的估计(即灾害)、确定产品的有效期、计算保险费率,等等。通过这篇文章,我们可以学习到如何通过风险管理来应对突发事件。

步骤

1. 了解风险管理的工作原理。风险指的是会发生的事故的影响(正面的和负面的)。它对事故发生(转变为问题)的概率和所带来的影响进行系统的计算。(风险=概率X影响)通过对以下各方面的因素进行分析,以估计风险:

  • 事故:可能会发生什么?
  • 概率:事故发生的可能性?
  • 影响:发生后会造成什么后果?
  • 缓解:如何降低事故发生的可能性?(能做到什么程度?)
  • 应对:如何降低影响?(能做到多好?)
  • 削减=缓解X应对
  • 危险=风险-削减

当你确定了上述的情况,那么之后所产生的结果我们称之为“危险”——这是你所不能避免的风险。危险也可被称为威胁、责任、严重的事态,但他们都指代同一个意思。它可以作为决定计划是否实施的参考因素。

这通常表现为成本与收益的博弈过程。你可能需要上述内容来对比执行计划产生的成本是否大于不执行计划所产生的成本。

  • 潜在风险,如果你决定付诸行动(有时候必须这么做,如联邦政府指示),那么你的“危险”就转变为已知的潜在风险。在某些时候,当潜在风险降低到一定程度,那么就可以进行最终盈利能力的计算了。

2. 定义你的项目。在这里,我们假设你负责这样一个系统,它向大量的人群提供一些重要信息(无生命危险的)。而提供信息这一电脑系统过于陈旧,需要更换。你当前的任务是为了这次更换工作做一个风险管理计划。这里有一个简单的模式:你可以把风险和影响按高、中、低的层次进行划分(这在项目管理中很常见)。

3. 听取他人的意见。针对风险估计开一次头脑风暴会议。聚集熟悉此次项目的同伴,探讨可能会出现的危机,如何防范这种危机,危机发生后如何处理等事项。记下来!在以后的几个步骤里面,本次会议的信息将成为主角。保持开放性的思维。“天马行空”是件好事,不过依然有必要控制会议。把讨论的重点集中起来,放到点上。

4. 确定每种风险所带来的后果。从头脑风暴会议收集到的信息里,判定潜在风险所带来的后果。在会议上,要核实和判定出每一种可能产生的风险。每一个都要尽可能的具体。例如,“工程延误”不能只是笼统地表述为“会延误13天”。即使只是有一美元,也要把数字列出来;如果只是简单的做一个“超出预算”的标志,那可不行。

5. 删除不相关问题。打个比方,如果你要为一个汽车经销商更换电脑系统,那么核战争、瘟疫和小行星冲击这些风险就不用考虑了。如果这些事情发生,你可帮不上什么忙。你需要考虑到这些因素,但是不用把它列到具体的风险预期里面。(好吧,如果你是为联合国工作,就把这些摆上案头吧。)

6. 列出所有核实了的预期风险不要急着处理问题,现在还为时过早。先把它们一个一个的排好。

7. 把概率转化为数值。针对表单上的每一个潜在风险,按照高、中、低排列出他们发生的可能性。如果你有能力进行更精确的计算的话,不妨把它们从0.00到1.00进行编排。0.01到0.33是低级;0.34到0.66是中级;0.67到1.00是高级。

  • 注意:如果事件发生的可能性是零,通过审议以后就把它取消吧。没什么理由让我们费心考虑那些根本不可能发生的事情。(例如,被愤怒的T-Rex乐队砸烂电脑)

表一

表一

8. 把影响转化为数值。一般来说,可以根据一些可预计的情况,把影响转化为高、中、低三个等级进行排列。如果可能的话,也可以把它们用数字表示:0.01到0.33是低级;0.34到0.66是中级;0.67到1.00是高级。

  • 注意:如果事件的影响为零,就不要上榜。我们不需要考虑这些影响为零的事情,不管他们是不是可能发生。(如,给我的狗喂食)

表二

表二

 9. 通过上述因素估算出风险值。通常,我们会使用以下表格。如果你使用的是低、中、高三个等级来估算概率和影响,那么第一个表格会更适合你;如果使用的是数值,你应该使用第二个表格来进行一个更精细的估算。要注意的是,没有一个放之四海皆准的公式来根据概率和影响,统计和估算出风险值。这里给出的只是一个例子(适用于生活中的):

表三表四

  • 分析的时候灵活一点。有时候你需要在文字结论与数据结论之间进行对比。那就有可能用到这张表格:

表五

10. 排列出风险值:按照由高到低的风险顺序排列以上得出的内容。

表六

11. 计算出总体的风险这里的数据会对你有所帮助。在表六,你可以看到分别按照高、高、中、中、中、低、低的顺序排列的风险值。从表五你可以得出,它们可以转化成0.8,0.8,0.5,0.5,0.5,0.2,0.2的数字。那么平均以后的总体风险值就是0.5,也就是说风险等级为中级。

12. 制定缓解措施。缓解指的是降低风险发生的可能性。通常情况下,你最好为高、中级风险制定防范计划。也可以为低风险的情况作防御工作,但是要把其他风险放在第一位。例如,如果你预期中,可能会有一个关键部件的交付会延迟,那么缓解危机的方法就是把这项工作安排在前面。

13. 制定应急措施。应急指的是当风险爆发的时候,如何减轻影响。同样的,你最好制定高、中级的应急措施。例如,如果关键部件不能按时到达,你可是在等待的时候姑且适用老的现有的部件。

14. 分析应对战略的效用。你在多大程度上降低了概率和影响?评估你的应急和缓解战略,并重新排列面临的风险。

表七

15. 估算你的实际风险现在,你的风险已经降低为中、中、中、低、低、低、低,换算为数字是0.5,0.5,0.5,0.2,0.2,0.2,0.2,那么平均风险值就是0.329。回顾表五,我们可以看到总体风险降低为低水平了。原始的风险值是中级(0.5)。经过管理战略的实施,你的最终危险值降为低级(0.329)。这表示,你通过缓解和应急措施,把风险降低了34.2%,这听起来不错,不是吗?

16. 监控你的风险表单。现在你已经详细了解到潜在风险了,可以知道在危机爆发的时候采取何种应急措施,如果工作到位的话甚至可以预计风险发生的时间。这是通过分析风险因素得出的。按照这些步骤处理你的高、中风险。那么,在项目实施过程中,可以掌握到风险演变成为危机的时机。如果你不了解这些因素,那么在项目实施过程中,有可能在风险爆发,产生危机的时候,你的应急措施根本不能到位。

表七

小贴士

  • 计划不是固定不变的。风险管理是动态的过程,因为风险总是在不停的变化。今天你分析出的高概率和高影响力的风险,在明天,他的概率和影响力可能就会改变。另外,有些风险应该退出表单,另一些风险又会蠢蠢欲动。
  • 坚持调查。你遗漏了什么吗?你忘了考虑哪些事情?这才是最难做的和是最关键的一环。把它们编列成册,并不时检查一番。
  • 用电子表格来跟踪风险管理的实施情况。删除已然消失的旧风险,加入新增的潜在风险,保持风险记录与实际情况同步。
  • 应急措施相当于一个预警系统。如果其中一项措施要求你制定一个权变计划,你必须采取必要措施。如果你还没有制定一个良好的预警系统,那么事不宜迟。
  • 你可以根据估算出来的危险值来决定是否开展相关项目的工作。如果项目总投入是1,000,000美元,你的危险值是0.329,那么你最好留出329,000美元来应对这预期的危机。你还能拨出这些钱吗?还是算了?如果打算继续的话,你可能需要重新考虑这个项目的规模。
  • 削减=风险-危险。举个例子,你这项工程的预算款是1,000,000美元,你的风险值是0.5X1,000,000美元(也就是500,000美元),风险管理后的危险值为0.329X1,000,000美元(也就是329,000美元),这表示你节约了171,000美元。这个数字让你坚定进行风险管理的决心——这笔省下来的钱可投入在工程危险防范上(如,保险)。
  • 大多数情况下,即使添加了风险管理,超负荷工作的项目经理可能只能把精力用在关键部分上。在这种情况下,拿出额外的时间来考虑多种关键途径,提前鉴别哪些危机最可能发生在关键领域是不错的办法。这尤其适用于那些一个人要承担很多课题的经理人身上。风险管理是项目管理的一部分,但是不应该掩盖其他的计划和控制项目(见警告)。

警告

  • 不要把这个工作搞得过于复杂。风险管理是项目管理的重要部分,但它不能超越实际应该进行的工作。如果不注意这一点,你很可能会耽于那些不相干的危机,让零碎的信息加载到已不堪重负的计划体系里。
  • 不要漠视低风险项目,但是也不要在这上面花太多时间。按照高、中、低三个等级的顺序来分派你用于处理各项风险的时间。
  • 不要以为自己已然把握了所有的风险。要知道风险的本质特征在于它的不可预知性。
  • 千万不要让别人的观点干预你的评估工作。这不少见。人们可不情愿相信自己控制的东西会出错,并因此不同意你的风险评估。有人会说“这不可能”,但是下一次的时候(因为看到你的管理奏效了——译者注)他就不好意思公开发表这种言论了。
  • 要考虑到如果两三件危机同时爆发的情况。这种情况发生的可能性很小,但是后果却不堪设想。几乎所有的重大损失都源于多重事故同时爆发。

欢迎访问译言网。在这里,您可以。。。

阅读
发现
翻译