To start with the basics: what is risk? As defined by PMBOK, risk is “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives”. Therefore, risk management “is a process that allows individual risk events and overall risk to be understood and managed proactively, optimizing success by minimizing threats and maximizing opportunities and outcomes.”
According to PMI, “Risk analysis involves examining how project outcomes and objectives might change due to the impact of the risk event. Once the risks are identified, they are analyzed to identify the qualitative and quantitative impact of the risk on the project so that appropriate steps can be taken to mitigate them (risk).”
To begin, it is important to introduce critical concepts helpful in risk assessment: opportunity, impact, probability, and a risk response plan.
An Opportunity is an event or condition that has a positive effect. As a project manager, opportunities should be leveraged for positive project impact.
The Impact is the effect of risk or opportunity. The effect may influence feasibility, costs, duration, overall risk level, and availability of resources. Risk can be assessed qualitatively as low, medium, or high impact. Impact can also be described as a monetary or duration value as impact could affect profits, delivery time, resources, and/or quality.
Probability is the likelihood that a risk or opportunity will occur. Again, it can be expressed qualitatively as low, medium, or high probability, or quantitatively as a percentage.
Risk Response or Risk Response Plan is the action that will be taken to avoid or mitigate risk.
Seven Steps of Project Risk Management Process – Overview
Risk Management can be viewed as a seven-step process, with each step representing a different process. What follows is an overview of the seven risk management steps.
1. Plan Risk Management
As with everything in project management, risk management begins with planning. In this case, we plan because:
1. Risk Management uses all the project documentation, processes, and workflows as inputs. Everything is a source of risks.
2. Risk is not managed alone, and stakeholders must be engaged.
3. Organizational assets and knowledge must be organized from the outset of a project to avoid reinventing the wheel.
A simple Project Risk Management Plan is required, and it should cover the details addressed below for each step that follows. Always remember there is no such thing as a universal risk management approach. Tools, techniques, and processes for each project should be individually selected per project considerations.
2. Identify Risks
To identify risks, look for any uncertain condition or event that could negatively affect the project. There are multiple risk causes depending on the project, industry, and environment, and risk can dramatically vary on a case-by-case basis. The best starting point is “Lessons Learned” from previous projects. Examples of risk identification include:
1. Honest self-assessment of personal effort;
2. Changes such as schedule, scope, quality, requirement, budget, and policies;
3. Stakeholder lack of knowledge, new stakeholders, or unstructured decision-making processes from stakeholder groups;
4. Lack of management support;
5. Inefficient decision making from owners or sponsors;
6. Financing delays;
7. Conflicts, lack of motivation;
8. Procurement delays or changes;
9. Government response delays; and
10. Acts of God
Collecting lessons learned requires effort, but is most useful in the long run, and the main by-product is a List of Risk Categories. Always maintain a Risk Register as a simple table in which you describe your project risks, their probability, and their impact, such as the following:
Tables should be easy to read and detailed. Below is another example taken from PMBOK 6th edition that illustrates how to rate probabilities and impact:
Identify project risks with techniques described in the Risk Management Plan, and use those techniques to alleviate risk identified in the plan.
3. Perform Qualitative Risk Analysis
Be aware that risk evolves for both Impact and Probability during the project lifetime, and analyses should be regularly updated to reflect that evolving risk. There is no need to overcomplicate Qualitative Risk Analysis. If risk can be prioritized using only three levels of Impact and Probability, proceed anyway.
The totality of risk can never be fully calculated, so prioritize risks that can have the most severe and adverse effects on the project, incorporating probability. By performing Qualitative Risk Analysis in this way, hundreds of potential risks may be reduced to a handful, and Risk Responses are planned.
4. Perform Quantitative Risk Analysis
The above is a detailed decision-making chart used in quantitative risk analysis. For smaller projects, such a Quantitative Risk Analysis may not be necessary, as the cost impact will be minimal relative to the effort expended. For larger projects requiring more detail, risks may be analyzed further by identifying specific numbers for probability and monetary impact.
By multiplying those two numbers, the monetary impact of a risk, or the Expected Monetary Value (EMV), is generated.
5. Plan Risk Responses
Once risks are established and prioritized, the choices are to:
· Do something to avoid risk.
· Do something to reduce Impact and/or Probability of a threat.
· Do nothing, accept the risk, but use the reserves to minimize the negative impact.
· Do nothing and accept the risk and its effects. Doing nothing is still a decision with consequences.
When planning responses, do not be limited to only standard, by-the-book responses, and look beyond just Gantt Charts, the budget, and the team that you have.
6. Implement Risk Responses
Each Risk Response Plan is a part of the larger Project Management Plan that includes an amount of budget allocated for the specific risk and a separate task for someone to perform so that any risk response can occur the moment it is needed.
The project manager is responsible for:
· Assigning a Risk Owner. Each risk should have an owner. This person will monitor and work specifically on the allocated risk.
· Communicating with stakeholders about the upcoming risks and planned responses.
· Collecting data about risk, including number of occurrences, efficiency of risk responses, and the overall impact of risks on schedule, budget, scope of work, and client satisfaction.
· Identifying residual risk after implementation of a risk response.
Once established, responsibility for risk response becomes like a micro sub-project. Remember, risk responses are a part of the project plan. They are tasks, reserves, processes, and experts, and NOT external to the project.
7. Monitor Risks
As with all controlling processes in project management, risk must also be monitored so that risk responses are efficient and timely and so that new risks can be assessed as they arise.
As a final point, delegate ownership for implementing risk responses as much as possible. Once risk analysis is performed, the project manager should focus on the bigger picture of project progress, overall risk levels, and new sources of risks.