It always fascinates me when the worlds of Project Risk Management and Financial Risk Management collide. I've been asked by financial accountants on numerous occasions to provide a risk profile and when I provide them a risk waterfall chart, amongst other risk profiles, they are confused. If you dig a little deeper, what they're actually after is something to base annual budget plans on. In other words, they want to know when you plan to spend any costs related to risk events.
Anyone that knows a little bit about risk will know that you don't plan to spend money on risk, instead you plan to mitigate risk events from incurring in the first instance. Based on this should financial budgets be profiled against the traditional risk data outputs? Personally, I would advise against it.
So what then should financial budgets consider when setting annual budgets to accommodate for any risk related events? My answer is simple, hold a contingency (or allowance) that is based on a risk exposure value for the year at an agreed confidence level - use a higher confidence level if the project is high risk, a lower confidence level if less risky. However, DON'T profile this over the course of the year and DON'T measure the project based on the subsequent actual spend (or lack thereof). Instead, my recommendation is to hold a rolling balance and review the annual exposure periodically against this, starting with the original annual contingency (or allowance) at the start of the year, and if the variance triggers agreed thresholds (positive or negative) you can decide whether or not to release or add to the rolling balance.
Not only will the confidence level have to be agreed on, the other consideration you will also have to decide on is whether you use the target (post-mitigated) exposure or current (pre-mitigated) exposure value as a basis for your budget. I've seen both used in different organisations and different projects and I guess it depends on how you are integrating risk with your project schedule.
The logic says that if you are scheduling in your mitigation actions and costing them up in your programme, resulting in a cost forecast increase, then you should be using the target risk exposure value; however you should then perhaps also have gone through change control to draw down on that risk as you are mitigating it which should see the residual current risk exposure value drop as a result. So provided that your integrated control system is fully functional, you should be able to use the pre-mitigated exposure level as a basis but if not, you want to consider if using the the post-mitigated exposure level will leave a gap in your project cost forecasts.
I'd love to hear if you agree, disagree or would like to offer a different view...