A risk is an uncertainty and that uncertainty can mean a potential banana skin for the project, but also it could mean an extra benefit to the project. For instance, the price of oil is always uncertain. If it is on a downward trend that could have a positive effect on the project’s bottom line (assuming fuel purchase is part of the budget). However, the oil producing countries may decide that they need to make up for recent loses and jack up prices again. This would represent a serious hit for the project – again, assuming that fuel is included in the budget.

On this page:

• Risk Register
• Perform Quantitative Risk Analysis
• Risk Management Plan

Another aspect of a risk is that there is only a likelihood that this will happen. A factor like a hard deadline or a small budget is not a risk; it is a constraint. In other words, there is no element of surprise. We have to meet the deadline and that is that. The probability of this happening is 100%.

As with all the other knowledge areas in the Guide to the Project Management Body of Knowledge (PMBOK^® Guide), Project Risk Management begins with a plan. If your organization is familiar with risk management, much of your plan can be transferred from previous Risk Management Plans. While these will have the risk management procedures included, they will also provide useful hints on where to look out for risks. This is definitely one area where historical documents are well worth studying.

Once the Project Manager has decided how risks will be managed, the next step is to make a list of the risks to the project. Areas identified in earlier Risk Management Plans, as well as the review feedback on this current plan will help, but the really useful technique is to get the team and stakeholders together to brainstorm possible risks. Note that this is unlikely to be the first attempt at risk identification for the project. Before deciding to charter the project, the organization has to determine if this is a good venture to undertake. Risk may be the factor that causes a project to be turned down. Many organizations are reluctant to invest in risky ventures.

Risk Register

The identified risks are recorded in a document called a Risk Register. Depending on the project, quite a lot of risks might be identified. In that case, it is useful to prioritize them and concentrate on managing the highest ranking risks. This is the Pareto philosophy: address 20% of the risks and you are likely to have covered 80% of the problems. In the case of risks, the Project Manager assesses them in terms of probability and impact. If something is very likely to happen and/or will cause a lot of damage if it does then we need to do something about it.

Generally speaking, organizations use a simple grading system, like high, medium and low, to rate risks. Others use a numbered scale from 1 to 10. Techniques like Failure Mode and Effects Analysis (FMEA) are also employed, but the goal is the same – to prioritize identified risks. The Project Management Institute calls this prioritization work Perform Qualitative Risk Analysis.

Perform Quantitative Risk Analysis

The next step in the process – Perform Quantitative Risk Analysis – Is not often used by project managers. There are three ways we can use quantitative risk analysis:

1. Establishing the likelihood of finishing on a particular date, or meeting a certain budget. This uses a simulation technique, such as Monte Carlo, to calculate the odds of reaching a particular target. The software is fed the optimistic and pessimistic estimates from the schedule and chooses values for each activity in that range at random. It does this millions of times, arriving, eventually, at an S-Curve plotting dates (or costs) against probabilities. Few companies have access to the computing power needed to run such a simulation in a timely fashion.
2. Determine what contingency reserves to use. This uses a technique called Expected Monetary Value which calculates the contingency reserve based on the probability of occurrence multiplied by the impact. As few organizations have access to good probability figures, this is not often used.
3. Include probability into decisions. However, if it is possible to calculate Expected Monetary Value, then we can use it in Decision Trees to decide between two courses of action.

Of course, identifying risks and prioritizing them is absolutely no use if we do not do anything about them. Plan Risk Responses is where we come up with responses to the identified risks. In essence, there are four approaches we can take:

1. Decide to do something before the risk materializes. This is called Risk Mitigation and involves taking steps to reduce the likelihood or the impact of the risk if it does happen. So we might install fire extinguishers around an area where volatile chemicals are being used, or we might add onerous penalty clauses to a contract with a supplier who is known to deliver late.
2. Avoid the risk. If using a particular material or component involves possible problems, the easiest thing to do might be to use something different. If a supplier has failed to deliver in the past, it might be better to give the business to a different supplier. Of course, the option of avoiding risk might not be possible – you cannot protect your staff from domestic accidents for instance.
3. Accept the risk. If it happens, it happens. However, if we are going to accept the risk, we need to come up with a contingency plan to deal with the risk if it does happen. Oil exploration companies, for instance, have clean up teams on standby in case there is an environmental disaster at a drilling site.
4. Transfer the risk. This term is slightly misleading as what we seek to do is to transfer the consequences of the risk, rather than the risk itself. The standard example here is to take out insurance. If the risk occurs, the insurance company will bear the cost or impact of the risk.
5. Escalate the risk. If the risk we identify could have a wider impact than just this project, we should alert higher levels of management, so they can take appropriate action.

Of course, all this planning will have an effect on the bottom line. The Project Manager needs to amend the budget to account for these fire extinguishers and insurance policies. In fact, detailed risk management can often show up a project as being unviable and could cause the project to be cancelled at the planning phase.

Risk Management Plan

Assuming that we get approval for our Risk Management Plan, the important thing to realize is that risk management needs to be pursued all through the executing phase. New risks may be identified at any time and risks may need to be managed during the project as they arise – in the Implement Risk Responses process. Another important factor is to be aware of risk triggers and to take action both when a risk occurs and when it does not. For example, if we identified a late component delivery as a risk and the component arrives on time, then that risk can be taken off the risk register as it did not occur. Similarly, if we had allocated funds to implement a contingency plan, these can be freed up once the danger is past.

Companies often gain their reputation not for doing things well, but by how they respond when something goes badly. Environmental disasters are a good example here. No one might have heard about the exploration company as it goes about its day-to-day business, but the world’s media will be focused on the clean-up operation. Getting the risk contingency work right will show the world that you are a competent organization – something no one noticed when everything worked without incident.