How should an organization decide whether or not to accept a risk and launch if the risks cannot be quantified?
When risks cannot be quantified, we can use qualitative risk analysis to help us make decisions on whether risks can be accepted or not. Qualitative Risk Analysis is a measure of risk or asset value based on a ranking or separation into descriptive categories such as low, medium, high; not important, important, very important etc. or on a scale from 1 to 5. Qualitative Risk Analysis includes methods for prioritizing the identified risks for further action, such as Quantitative Risk Analysis or Risk Response Planning. Organizations can improve the project’s performance effectively by focusing on high-priority risks. Qualitative Risk Analysis assesses the priority of identified risks using their probability of occurring, the corresponding impact on project objectives if the risks do occur, as well as other factors such as the time frame and risk tolerance of the project constraints of cost, schedule, scope, and quality.
Once we have made an assessment of risks, there are four things that can be done. These strategies are:
1) Avoid the risk: Something should be done to remove it.
2) Transfer the risk: Make someone else responsible for it. For example any vendor can be made responsible for a particular kind of risk.
3) Mitigate the risk: Take actions to lessen the impact or chance of risk occurring.
4) Accept the risk: The risk might be some small the effort to do anything is not worthwhile.
A risk response plan should include the strategy and action items to address the strategy. The actions should include what needs to be done, who is doing it, and when it should be completed. The final step is to continually monitor risks to identify any change in the status, or if they turn into an issue. It is best to hold regular risk reviews to identify risk probability and impact, remove risks that have passed, and identify new risks.
Did it appear that the risk response method selected by NASA was dependent on the risk or on other factors?
It appears that risk response of NASA was not dependent on risk but on other factors like political pressure, monetary concerns, and poor management. Facing a highly constrained budget, NASA sacrificed the research and development necessary to produce a truly reliable and reusable shuttle. Secondly, they sacrificed on fuel by using solid rocket boosters instead of safer liquid-fueled boosters because they required a much smaller research development effort. With primarily qualitative analysis of risk, the aforementioned factors appeared to have more significance at NASA.
What methods of risk response were used at NASA?
Risk, for NASA, is anything that has the capability to effect personal life, loss or damage of system, equipment or property. A risk response plan was not extensively used as risk and failure had always been documented as an inbuilt part of space exploration. Instead, NASA used a rather simplistic Safety (Risk) Classification System. A quantitative method for risk assessment was not in place at NASA because gathering he data needed to generate statistical models would be expensive and labor intensive. If the risk identification procedures were overly complex, NASA would have been buried in paperwork due to the number of components on the space shuttle.
The necessity for risk management was apparent right from the start. Prior to the launch of the first shuttle in April of 1981, hazards were analyzed and subjected to a formalized hazard reduction process as described in NASA Handbook, NHB5300A. The process required that the credibility and probability of the hazards be determined. A Senior Safety Review Board was established for overseeing the risk assessment process. To some level, NASA used risk mitigation, risk avoidance, and risk acceptance. For the most part, the risks assessment process was qualitative. The conclusion reached was that no single hazard or combination of hazards should prevent the launch of the first shuttle as long as the aggregate risk remained acceptable.
Who should have final say in deciding upon the appropriate response mechanism for a risk?
A collaborative discussion should occur between stakeholders and experts to decide upon the appropriate response for a risk, though, the final say should always come from senior management as they are ultimately responsible for the end results or consequences. It is a good idea to also specify a risk owner. Risks should be assigned to individuals or group to take responsibility. The risk owner role should be given to someone who will help develop risk response and will be assigned to carry it out or own the risk. The risk response should be inline with the significance of the risk–cost-effective, and realistic. Primary and backup strategies in the risk management plan and risk register allow the risk owner to then take predetermined action when risks occur. The result is faster action and less cost, time, and impact on the project.
It is critical to have an open channel of communication between operating managers, risk managers and all the stake holders before making any decision. Generally, they should agree upon all the strategies and all outlooks should be taken into consideration. In the case of the Challenger, the engineers were the people who knew whether or not it was safe to launch under the given situation. These employees had the know-how on the structure of the shuttle. The executives should have considered the input from the engineers instead of making decision based their own judgment. With that, senior management should be entitled to make such decisions, but not without full-time involvement of employees who are directly linked up with the processes of the project.
How does an organization decide what is or is not an acceptable risk?
Risk is the part of everything an organization does. Risky elements that are acceptable in one situation might be unacceptable in another situation. The term “acceptable risk”, or residual risk, describes the likelihood of an event whose probability of occurrence is small, whose consequences are so slight, or whose benefits (perceived or real) are so great, that organizations are willing to take or be subjected to the risk that the event might occur.
During Risk mitigation planning, we identify, evaluate, and select options to classify risk as acceptable or not. Acceptability of risk involves consideration of various different factors including where and when the risk can occur, the probability of it to happen, and the severity of it. Other factors may be an organization’s legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts. Defining the company’s acceptable risk level falls to management because they intimately understand the company’s business drivers and the corresponding impact if these business objectives are not met.
Acceptability of a risk basically depends on the acceptability of its consequences. If an organization choses to accept risk, measures should still be taken to properly document and revise assessment of the risk throughout the project. What was thought of as an acceptable risk may not have the same ranking during execution.
How does risk identification plan change from experimental to operational design?
Suppose that a risk identification plan had been established at the Beginning of the space program when the shuttle was still considered an experimental design. If the shuttle is now considered as an operational vehicle rather than as an experimental design, could that affect the way that risks were identified to the point where the risk identification plan would need to be changed?
Risk Identification ascertains which risks have the potential of affecting the project and documenting the risks’ characteristics. Risk Identification begins after the Risk Management Plan is constructed and continues iteratively throughout the project execution.
The Risk Identification process naturally progresses as the project moves from the experimental phase to the operational phase hence the risk identification plan can change eventually. The tools and techniques used for the Risk Identification process are designed to help the project manager gather information, analyze it, and identify risks to and opportunities for the project’s objectives, scope, cost, and budget.
The information gathered is entered on the Risk Register, which is the primary output of Risk Identification. The Risk Register continues to change as the project moves from experimental to operational phase. Experimental phase risk versus operational risk certainly have different potentials for disaster.
The risks need to be equally assessed for both experimental and operational vehicles but the end decisions may vary slightly. If the worst case for experimental is losing equipment then that may be necessary to discover flaws. In operational phases risk must be heavily scrutinized and proved to be obsolete before use.
How should one identify or classify the risks associated with pressure resulting from making promises that may be hard to keep?
In the challenger disaster case study, political factors added to the implementation of a weak design during the original approval process. Unattainable promises were made with respect to performance in order to keep the manned space flight program alive. NASA was under pressure to launch a predefined number of shuttles every year. NASA had a very ambitious launch schedule, pressure was on and delay cost money and jobs at stake. They knew the danger but took calculated risk from their point of view. These pressures are hard to avoid as many higher authorities were involved and the contractor was in pressure from NASA and NASA was in pressure of Govt to launch. So it is difficult to pin point with whom the mistake lies. By looking at the operational capacity or the production level and comparing them with the promises made would help in identifying any such promises which are hard to keep.
How should one identify or classify trade-off risks such as trading off safety for political acceptability?
Risks to the project from factors like political acceptance are external to the project and the project manager can not control them. For external risk measures, It is better to prefer risk measures that are robust with respect to modeling assumptions, and are based on data (could be a mixture of historical data and simulated data generated according to a well-defined procedure) rather on some subjective internal models.
How should one identify or classify the risks associated with using solid rocket boosters on manned spacecraft rather than the conventional liquid fuel boosters?
For overall risk assessment and risk management of the propulsion system, a comprehensive method for identifying potential failure modes and hazards associated with the system must be included. A specific, quantitative methodology for identifying and estimating the safety risks of the system must be implemented.
A risk management process by which the safety risks can be brought to levels or values that are acceptable to the final approval authority must be chosen. Based on the established acceptable risk levels and the system validation & certification, one of the propulsion system can be chosen. Some factors that contribute to the decision of using one booster over the other include: Technological Advancements, Funding Available, and Strategic Planning.
Should senior management or sponsors be informed about all risks identified or just the overall “aggregate” risk?
While the involvement of senior management is arguably critical to the success of any initiative, it is absolutely essential for risk management. The reason is simple – certain aspects of risk management run counter to human nature. Without a demonstrated commitment to the risk management process from the highest management of the organization or the sponsors, a culture for success and managerial invincibility will prevail where past achievements provide protection from future risks and good management is enough to prevent troubles from arising.
If there is proactive risk management systematically incorporated into corporate strategy and strategic planning activities then it should be enough for the senior management to know about the aggregate risk. The upper management should not be over concerned with every aggregate risk, they need to have confidence in the risk managers and in their results. That said, risk managers need to be absolutely sure of their findings and be completely honest with upper-management.
How should problems with risk identification be resolved if there exist differences of opinion between the customer and the contractors?
Risk is largely subjective. If it wasn’t subjective, it would be possible to accurately identify the risk and account for its effect, or even take the appropriate measures for eliminating the risk. To successfully perform a risk assessment one needs to quantify the known risks. Not all risks are created equal.
Risk quantification is the process of evaluating and determining the effect a risk has on your project. By quantifying the risk you can, to the best of your ability, prepare for unwanted circumstances. In order to fulfill the company’s responsibility of prudent decision making, an earnest attempt must be made to project/calculate the potential perils of various decisions. This will help to reduce differences of opinion between the customer and the contractors.
Regardless of who discovers the risk, both teams need to acknowledge the potential problem. If one team disagrees with the risk stated by the other team, it is ultimately the customer’s choice on what decision to make. The best a contractor can do is offer their data and recommendation and hope the customer takes their advice.
Does there appear to have been a structured process in place for risk identification at either NASA or Thiokol?
NASA and Thiokol are government bureaucracies working with ultra large scale technical systems within which rules, procedures, and routines rule all elements of organizational life. Based on the case study, It does not appear that either NASA or Thiokol had a structured process in place for risk identification even though the basic organizational elements for assessing and managing risk were in place.
NASA did not employ a quantitative method of risk assessment. The main reason is the expense associated with the data collection and statistical model generation. Thiokol managers held misconceptions regarding the safety issues related to the O-rings. They believed that the Solid-Fuel Rocket Boosters could be operated at temperatures ranging between 31 F and 99 F, although Thiokol engineering noted that there was no real-condition testing at these temperatures.There was no way to get rid of the subjective nature in evaluating risk since at both NASA and Thiokol there was no method for quantifying risk.
Everything in the process was unstructured including lack of problem-reporting, requirements collection, insufficient trend analysis, distortion of criticality, lack of enough resources devoted to safety, lack of safety personnel involvement in important discussions and decisions. Risk was recognized as an inherent part of the organizations
What is the difference between a risk and an anomaly? Who determines the difference?
A risk is a circumstance or factor that may have a negative impact on the operation or profitability of a given operation. A risk can be the result of internal conditions, as well as some external factors related to the operations. An anomaly is an uncontrollable event. Despite all planning and preparation, anomalies can still occur. An anomaly is the the quality or state of being irregular.Usually a baseline of normal behavior or risks is recognized and when an event falls outside that norm, it is anomaly. Analysis of anomalies that occur during operations is an important means of improving the quality of current and future operations.
Both risk and anomalies cause changes to documentation and to operational procedures to prevent the same situations from recurring. For example in case of challenger case study there were many risks involved one of them was using the solid rocket busters which, once ignited could not be easily controlled or shutdown unlike the liquid rocket booster. This would be considered as a risk because this has been identified from the previous experiences and can have a contingency plan.
On the other hand an anomaly that affected the challenger case study was the unusual low temperature and ice present on the day of the launch. The project manager and the risk management team define risks affecting a project. The quality control and assurance team report operational anomalies to the project manager. Hence the project manager must decide the difference on what becomes a risk to the project and what stays as an anomaly.Engineers, safety officers define anomaly or people with deep knowledge of the subject matter define it.
Anomalies are defined and negotiated depending upon the occupational context and the evaluation systems that have been developed to meet unexpected deviations in the work flow. A mistake or anomaly is never defined in isolation, but always is relative to the local and institutional context of work.
A project manager has just finished the risk response plan for a $387,000 engineering project. What should the project do next?
A project manager has just finished the risk response plan for a $387,000 engineering project. What should the project do next?
1. hold project risk reassessment
2. determine the project’s overall risk rating
3. begin to analyze the risks that show up in the project drawings
4. add work packages to the WBS
Answer 4. add work packages to the WBS
During which risk management process is a determination to transfer a risk made?
During which risk management process is a determination to transfer a risk made?
1. risk monitoring and control
2. quantitative risk analysis
3. risk response planning
4. risk identification
Answer 3. risk response planning
Workarounds are determined during which risk management process?
Workarounds are determined during which risk management process?
1. risk monitoring and control
2. risk response planning
3. risk identification
4. qualitative risk analysis
Answer 1. risk monitoring and control
An output of risk response planning is?
An output of risk response planning is:
1. risks are identified
2. prioritized list of risks
3. impacts identified
4. residual risks
Answer 4. residual risks
During project execution a team member identifies a risk that has not been documented. What should be done?
During project execution a team member identifies a risk that has not been documented. What should be done?
1. analyze the risk
2. get further information on how the team member identified the risk
3. inform the customer about the risk and its potential impact
4. disregard the risk, because all risks were identified during project planning
Answer 1. analyze the risk
Evaluating the exact loss of a risk
You are having a difficult time evaluating the exact loss(es) of a risk. You should evaluate the risk on a(n):
1. quantitative basis
2. qualitative basis
3. numerical basis
4. econometric basis
Answer 2. qualitative basis
Factors in the assessment of risk
All of the following are factors in the assessment of risk EXCEPT?
1. insurance premiums
2. amount at stake
3. risk probability
4. risk event
Answer 1. insurance premiums
