One definition of risk management is that it is the management of threats to the project (negative impacts) and opportunities (positive impacts). This involves the identification and management of these issues.
As part of project planning, risks should be considered at all stages. Risk management techniques will be used to help define cost or budget allowances, allowances for schedule risk and any other types of risk that a project faces.
You can see that risk management needs to be integrated with all other management processes and is a central part of the planning, monitoring and control of a project.
You need to be clear that there is a strong relationship between change and risk in that change inevitably produces more risk or greater opportunity. Just consider the fact of changing scope and the possibility that this will add risk into the schedule, and the greater the amount of change, the more risk is introduced.
Risk management is required in order to anticipate threats and opportunities, and manage them to ensure the best outcome of the project. Such an outcome may be expressed in many terms, and here are a few:
The risk management plan sets out how the thorough assessment of risk associated with the project will be implemented. This process will be undertaken by working in collaboration with all relevant project stakeholders.
The risk management plan aims to implement this procedure in such a way that:
The key stages of the risk management process are shown in the diagram below:
Before the commencement of a formal risk process, a risk management plan should be created, reviewed and accepted by all relevant parties. Regular risk workshops and review sessions will be planned and held throughout the life of the project.
As part of the preparation for initial risk workshops, project deliverables will be clearly identified. Documents that could be consulted may include the following:
This information will be used to prompt discussion and consideration of potential threats and opportunities.
During the project, the objectives of the risk management strategy are as follows:
This step concerns the capture of threats and opportunities to the project objectives, and the following techniques may be used to do this:
A detailed description of each key risk is recorded within the risk log, together with the cause, effects, and owners. Where risks have been identified with owners or actions falling outside the remit of those present, the relevant stakeholders will be notified.
Here is an example of risk identification in a typical risk log:
To align with the project objectives, individual risks and opportunities will be considered against project-specific impact and probability ratings. An example of such a diagram is shown below:
Part of the assessment step is to state on the register what the existing control measures are, if any. These are accounted for in the current/pre-mitigation impact and probability ratings.
Each cell shown in the diagrams above may be given a numerical value, known as the severity rating score, which is then used to create a hierarchy of risks that highlights those needing the most attention.
The criteria for making these assessments will depend on the type of risk: monetary values for commercial risks, periods of time for schedule risk, and so forth. In the case of these two examples, there may be an assessment based on 3-point estimates and distribution criteria, which are discussed later within this series of articles.
In other cases, there may be a set of qualitative statements; for example, a safety risk might be categorized by the potential for harm to individuals against reported accidents. These categories will vary between organizations based on the risk appetite.
It should also be borne in mind that risks may have a time envelope within which they may occur, and another way of defining priority is by those risks likely to occur in the near-term future, whether these be threats or opportunities.
The assessments made may be categorized and entered into the risk log.
It is good practice to capture the justification behind the scoring (the basis of estimate) – it is often challenged, particularly where the risk mitigation actions need a cost benefit analysis.