Part of planning for risk involves allocating each identified risk to a project milestone. Very often a milestone is attached to a payment, so a risk can also have an accurate value attached to it. By its nature, each risk will impact, if at all, at a certain time. For example, Milestone 1 is "Delivery of Software X, Issue A to the Customer".
If this risk impacts, we will not receive the Milestone 1 payment from the Customer. This payment has been planned to cover costs of staffing, materials, sub-contractor payments and a variety of other project expenses including finance charges up to this point. The cost of this risk, or any other associated with this Milestone, impacting is basically the cost of borrowing that amount of money, from the time it should have been received up until the time when it is actually received.
In order to manage this risk, regular project meetings will be held, a part of which will cover the progress of identified risks. The risk owner will report on each risk with their assessment of the likelihood its occurring. If the likelihood of any risk impacting increases, steps will be taken to implement the mitigation measures already identified.
In the case of this example, the mitigation measures might be "Introduce interim acceptance testing to identify problems early".
Let us assume that the introduction of this mitigation measure has become necessary and the interim acceptance testing has shown that the software is far from ready for delivery. This will mean that fall-back or contingency plans must be implemented.
This is a very undesirable state of affairs but such plans might be: "Introduce additional software engineering effort to identify and resolve bugs" or, assuming we don't have the personnel available to throw extra resources at the problem "Put project software engineers on overtime in order to identify and resolve bugs".
In themselves, these contingencies will, of course, have a cost but this must be weighed up against the possibility of delaying the milestone payment and worse, failing to meet the milestone timescale. Once one milestone is late, it's very hard to catch up and much rescheduling is needed in order to still meet the end delivery date. Failing to meet milestones is usually very unpopular with the Customer and not at all likely to do the company's reputation any good.
On the up side, if a risk does NOT impact and the milestone with which it is associated is met, that risk can be deleted and forgotten, leaving time and space to concentrate on the next one.
Next in this series, we'll look at managing the risks associated with suppliers or sub-contractors.