IMHO, I would classify risk management as “very subjective”.

Consider a website development project that has been funded, and is estimated to take 100 man hours (approx 13 man-days) and has a team of 3 people working on it – a project manager and 2 developers (approx 5-6 man-days per person).

* Now it’s upto the project manager to ensure there is no financial/expense risk by bidding high enough

* Ensure there’s no time risk by padding the delivery timeline quote adequately. Also in the event there is an illness, power outage, etc

* There has to be a time buffer. There have to be measures like maybe a UPS or medication (maybe flu medication if flu season is around)

Sometimes its possible one team member is suddenly not able to perform – job change, accident, death – anything. The project manager is responsible to ensure this capacity is filled and the limitation (maybe training of the new entree) here is overcome. Overall, a good risk management policy is one that helps reduce the focus on risk from 80% to 20%.

If you keep good power backup, additional on-call employees, medication on hand, your risk to manpower loss is limited – and you spend less time trying to wrap up that end of the spectrum. Likewise if you have bid high enough to cover your expenses you have less trouble there – and you dont need to either be in a hurry or re-quote or otherwise risk your reputation on deliverability.

I dont think it’s possible to eliminate risk 100%. I figure a re-iterative 80-20 process (just like we use for quality management in 6 sigma) would be the most functional and effective.

But then again – to each their own. This is MY belief and methodology. If you find this of use and wish to publish or write about it feel free; I’m happy to elaborate more and provide much more detail; I would just like to know where it is and have my name mentioned on it in a wee corner.