Project Risk Management

25 April, 2016

A risk is an uncertainty and that uncertainty can mean a potential banana skin for the project, but also it could mean an extra benefit to the project. For instance, the price of oil is always uncertain. If it is on a downward trend that could have a positive effect on the project’s bottom line (assuming fuel purchase is part of the budget). However, the oil producing countries may decide that they need to make up for recent loses and jack up prices again. This would represent a serious hit for the project – again, assuming that fuel is included in the budget.

Another aspect of a risk is that there is only a likelihood that this will happen. A factor like a hard deadline or a small budget is not a risk; it is a constraint. In other words, there is no element of surprise. We have to meet the deadline and that is that. The probability of this happening is 100%.

As with all the other knowledge areas in the Guide to the Project Management Body of Knowledge (PMBOK® Guide), Project Risk Management begins with a plan. If your organization is familiar with risk management, much of your plan can be transferred from previous Risk Management Plans. While these will have the risk management procedures included, they will also provide useful hints on where to look out for risks. This is definitely one area where historical documents are well worth studying.

Once the Project Manager has decided how risks will be managed, the next step is to make a list of the risks to the project. Areas identified in earlier Risk Management Plans, as well as the review feedback on this current plan will help, but the really useful technique is to get the team and stakeholders together to brainstorm possible risks. Note that this is unlikely to be the first attempt at risk identification for the project. Before deciding to charter the project, the organization has to determine if this is a good venture to undertake. Risk may be the factor that causes a project to be turned down. Many organizations are reluctant to invest in risky ventures.

The identified risks are recorded in a document called a Risk Register. Depending on the project, quite a lot of risks might be identified. In that case, it is useful to prioritize them and concentrate on managing the highest ranking risks. This is the Pareto philosophy: address 20% of the risks and you are likely to have covered 80% of the problems. In the case of risks, the Project Manager assesses them in terms of probability and impact. If something is very likely to happen and/or will cause a lot of damage if it does then we need to do something about it.

Generally speaking, organizations use a simple grading system, like high, medium and low, to rate risks. Others use a numbered scale from 1 to 10. Techniques like Failure Mode and Effects Analysis (FMEA) are also employed, but the goal is the same – to prioritize identified risks. The Project Management Institute calls this prioritization work Perform Qualitative Risk Analysis.

The next step in the process – Perform Quantitative Risk Analysis – reminds me of the old saying: “damned if you do; damned if you don’t”. The Project Manager might have to make a choice between two or more courses of action. The risk probabilities might be the deciding factor. Techniques like Expected Monetary Value can be used to decide which course of action to take. This calculates the likely cost of each choice based on risk probabilities. To engage in this sort of analysis, you need to be able to put a price on the risk – not always easy.

Of course, identifying risks and prioritizing them is absolutely no use if we do not do anything about them. Plan Risk Responses is where we come up with responses to the identified risks. In essence, there are four approaches we can take:

  1. Decide to do something before the risk materializes. This is called Risk Mitigation and involves taking steps to reduce the likelihood or the impact of the risk if it does happen. So we might install fire extinguishers around an area where volatile chemicals are being used, or we might add onerous penalty clauses to a contract with a supplier who is known to deliver late.
  2. Avoid the risk. If using a particular material or component involves possible problems, the easiest thing to do might be to use something different. If a supplier has failed to deliver in the past, it might be better to give the business to a different supplier. Of course, the option of avoiding risk might not be possible – you cannot protect your staff from domestic accidents for instance.
  3. Accept the risk. If it happens, it happens. However, if we are going to accept the risk, we need to come up with a contingency plan to deal with the risk if it does happen. Oil exploration companies, for instance, have clean up teams on standby in case there is an environmental disaster at a drilling site.
  4. Transfer the risk. This term is slightly misleading as what we seek to do is to transfer the consequences of the risk, rather than the risk itself. The standard example here is to take out insurance. If the risk occurs, the insurance company will bear the cost or impact of the risk.

Of course, all this planning will have an effect on the bottom line. The Project Manager needs to amend the budget to account for these fire extinguishers and insurance policies. In fact, detailed risk management can often show up a project as being unviable and could cause the project to be cancelled at the planning phase.

Assuming that we get approval for our Risk Management Plan, the important thing to realize is that risk management needs to be pursued all through the executing phase. New risks may be identified at any time and risks may need to be managed during the project as they arise. Another important factor is to be aware of risk triggers and to take action both when a risk occurs and when it does not. For example, if we identified a late component delivery as a risk and the component arrives on time, then that risk can be taken off the risk register as it did not occur. Similarly, if we had allocated funds to implement a contingency plan, these can be freed up once the danger is past.

Companies often gain their reputation not for doing things well, but by how they respond when something goes badly. Environmental disasters are a good example here. No one might have heard about the exploration company as it goes about its day-to-day business, but the world’s media will be focused on the clean-up operation. Getting the risk contingency work right will show the world that you are a competent organization – something no one noticed when everything worked without incident.

By Velopi Seamus Collins

© 2018 Velopi : PMBOK, PMI and the R.E.P. logo, PMP, PgMP, CAPM, PMI-SP and PMI-RMP are registered marks of the Project Management Institute, Inc.

Web Development by Granite Digital