In my latest article - Procurement: Understanding the process and documentation - I’ve mentioned my interest to project management. Now, here comes the most enjoyable part of project management from my perspective: risk management. Recently, due to my exams and the new job I’ve started, I couldn’t have time to study these topics. But, voila! I will share some of my notes again. Let’s start with the definitions of risk, opportunity, issue, and risk management.
No project is risk-free!
A risk is a potential event that can occur and can impact a project. When you think about risks, you will think about them as hypothetical. In other words, these aren’t events that will definitely happen, but there’s a possibility that they could happen.
The traditional view of risk is negative, characterizing risks as “threats” with adverse consequences on project objectives. But current risk thinking includes the possibility of “upside risk” or “opportunity,” which could have a beneficial effect on achieving objectives.[1]
Tactics such as adding resources to compress schedules can provide an opportunity to meet a tight deadline, but they also generally tend to raise the risk. Projects also contain at least some uncertainty that could potentially benefit the project.[2]
An issue is a known or real problem that can affect the ability to complete a task. A risk is an event that could potentially happen. If the event actually happens, then the risk becomes an issue.
Risk management is the process of identifying and evaluating potential risks and issues that could impact a project. It’s not a one-time exercise; it’s something that needs to be done regularly to address potential risks. Risk management is a crucial part of the planning process by giving you an understanding of what could go wrong with your project.
Phases of Risk Management
Risk management is a proceeding practice throughout the life cycle of a project. It typically involves these five steps:
1. Identify the risk. The first phase of the risk management process is to identify and define potential project risks with your team. After all, you can only manage risks if you know what they are.
2. Analyze the risk. After identifying the risks, determine their likelihood and potential impact on your project. Serious risks with a high probability of occurring pose the greatest threat.
3. Evaluate the risk. Next, use the results of your risk analysis to determine which risks to prioritize.
4. Treat the risk. During this phase, make a plan for how to treat and manage each risk. You might choose to ignore minor risks, but serious risks need detailed mitigation plans.
5. Monitor and control the risk. Finally, assign team members to monitor, track, and mitigate risks if the need arises.
Identifying Risks
Brainstorming is one of the most effective techniques for identifying risks with the team because it allows groups to spontaneously share ideas without judgment. During brainstorming, a fishbone diagram can be used. Fishbone diagrams show the possible causes of an event or risk and are very useful at risk management.
Risk assessment is the stage of risk management where qualities of a risk are estimated or measured. Qualities mean how likely the risk is to occur and its potential impact on a project. A probability and impact matrix is a tool used to prioritize project risks. To create a probability and impact matrix, you will need to think about the level of impact. Impact refers to the damage a risk could cause if it occurs. Impact is determined on a scale of high, medium, and low. Probability is the likelihood that a risk will occur. We also determine probability on a scale of high, medium, and low.
These two considerations come together to determine the inherent risk rating. Inherent risk is the measure of a risk calculated by its probability and impact. Measuring the inherent risk gives us a method for understanding a risk. Inherent risk is also determined on a high, medium, and low scale.
Endless Types of Risks
Though there are many different types of risks that could impact the project, the big ones are time risks, budget risks, and scope risks.
- Time risk refers to the possibility that project tasks will take longer than anticipated to complete.
- Budget risk refers to the possibility that the cost of a project will increase due to poor planning or expanding the project scope.
- Scope risk refers to the possibility that a project won’t produce the results outlined in the project goals.
While time, budget, and scope risks are very common, there are other types of external risks that you should be aware of. By external risks, we’re referring to risks that result from factors outside of the company that you have little to no control over. For example, your project could be impacted by an environmental risk, like a major storm, or legal risk, like a change in regulatory requirements.
There are endless types of risks. There will never be a prescription for how to identify and manage every single possible risk.
Single point of failure
A single point of failure is a risk that has the potential to be catastrophic and halt work across a project. These are risks that have the power to stop an entire team in its tracks, meaning that no one can make progress on their tasks until the issue is resolved.
Dependencies
Another source of risk is to be aware of the dependencies. Dependencies are relationships between two project tasks in which the completion or the initiation of one is reliant on the completion or initiation of the other. Since dependencies are the links that connect one project task to another, they are often a huge source of risk to a project. There are four common types of dependencies:
- Finish to Start (FS): Task A must be completed before Task B can start.
- Finish to Finish (FF): Task A must finish before Task B can finish.
- Start to Start (SS): Task A can’t begin until Task B begins. This means Tasks A and B start at the same time and run in parallel.
- Start to Finish (SF): Task A must begin before Task B can be completed.
Risk Response Planning
When you’re planning your project, risks are still uncertain: they haven’t happened yet. But eventually, some of the risks that you planned response on will happen. And that’s when you have to deal with them. There are four basic ways to handle a risk:
- Avoid: The best thing that you can do with a risk is to avoid it. If you can prevent it from happening, it definitely won’t hurt your project. The easiest way to avoid this risk is to walk away from the cliff, but that may not be an option on this project.
- Mitigate: If you can’t avoid the risk, you can mitigate it. This means taking some sort of action that will cause it to do as little damage to your project as possible.
- Transfer: One effective way to deal with a risk is to pay someone else to accept it for you. The most common way to do this is to buy insurance.
- Accept: When you can’t avoid, mitigate, or transfer a risk, then you have to accept it. But even when you accept a risk, at least you’ve looked at the alternatives and you know what will happen if it occurs. If you can’t avoid the risk, and there’s nothing you can do to reduce its impact, then accepting it is your only choice.
A certain risk event may require multiple strategies to be applied to sufficiently reduce the likelihood, consequence or both. An approach might include splitting risk and passing a portion to another company (transfer) and mitigating the remaining risk by reducing the likelihood. The appropriate risk response strategy may change over time due to changing business conditions, a technical breakthrough/failure, or a multitude of other reasons.[3]
Risk Management Plan
A risk management plan is a living document that contains information regarding high-level risks and the mitigation plan for each of those risks. This plan helps ensure that teammates and stakeholders have a clear understanding of potential problems and a plan to address them should they occur. Since risk management evolves throughout the project, the plan should be updated regularly to add newly-identified risks, remove risks that are no longer relevant, and include any changes in the mitigation plans. Once you’ve filled out the risk management plan, you’ll share it with your team and stakeholders to get their input and to ensure that they are aligned with your plans.
References
[1] Hillson, D. (2001). Effective strategies for exploiting opportunities. Paper presented at Project Management Institute Annual Seminars & Symposium, Nashville, TN. Newtown Square, PA: Project Management Institute.
[2] Kendrick, T. (2015). Project opportunity: risk sink or risk source? Paper presented at PMI® Global Congress 2015 — North America, Orlando, FL. Newtown Square, PA: Project Management Institute.
[3] Becker, G. M. (2004). A practical risk management approach. Paper presented at PMI® Global Congress 2004 — North America, Anaheim, CA. Newtown Square, PA: Project Management Institute.
