Project Risk Management – Part 1
One definition of risk management is that it is the management of threats to the project (negative impacts) and opportunities (positive impacts). This involves the identification and management of these issues.
As part of project planning risks should be considered at all stages. Risk management techniques will be used to help define cost or budget allowances, allowances for schedule risk and any other types of risk that a project faces.
You can see the risk management needs to be integrated with all other management processes and is a central part of the planning, monitoring and control of a project.
You need to be clear that there is a strong relationship between change and risk in that change inevitably produces more risk or greater opportunity. Just consider the fact of changing scope and the possibility that this will add risk into the schedule, and the greater the amount of change, the more risk is introduced.
Risk management purpose
Risk management is required in order to anticipate threats and opportunities, and manage them to ensure the best outcome of the project. Such an outcome may be expressed in many terms, and here are a few:
- Commercial outcome – the best possible value for money being achieved
- Commercial outcome – no surprises
- Safer execution of the works
- Reputational outcome
- Delivery to time constraints
- Avoiding events that may delay the planned progress of the work
- Incorporating opportunities to save cost or time
- Including alternative methods to better coordinate the work
The risk management plan
The risk management plan sets out how the thorough assessment of risk associated with the project will be implemented. This process will be undertaken by working in collaboration with all relevant project stakeholders.
The risk management plan aims to implement this procedure in such a way so that:
- Risk’s are minimized
- Opportunities are maximized
- Risks are owned and managed at the appropriate level
- Risk mitigation actions are appropriate and effective
- Mitigation actions are monitored and managed effectively
- Risk to the project are communicated effectively
- The risk management process
The key stages of the risk management process are shown in the diagram below:
Planning for risk
Before the commencement of a formal risk process, a risk management plan should be created, reviewed and accepted by all relevant parties. Regular risk workshops and review sessions will be planned and held throughout the life of the project.
As part of the preparation for initial risk workshops, project deliverables will be clearly identified. Such documents that could be consulted may include the following:
- Contract documents
- Tender documents
- Project schedule and associated schedules
- Project execution plan and associated documents
- Risk checklists consisting of a list of topics and regularly encountered threats and opportunities for consideration for the workshop
- The assumptions register
This information will be used to prompt discussion and consideration of potential threats and opportunities.
Risk management throughout the project lifecycle
During the project, the objectives of the risk management strategy are as follows:
- Identify new risks and risk mitigation actions
- Quantified assess risks
- Establish risk owners
- Ensure management of risk mitigation actions are undertaken successfully and to schedule
- Ongoing reviews at all levels
- Monitor and relate the management of risk and risk mitigation
Step one – risk identification
This step concerns the capture of threats and opportunities to the project objectives, and the following techniques may be used to do this:
- Risk workshops
- Interviews with relevant people to benefit from their knowledge and experience
- Risk review meetings
- Time issues and known about or arise from progress reporting
- Investigations and surveys
- Lessons learned register and information
- Relevant entries in interfacing risk registers
- Risk’s noted during development of methodology
- Assumptions and exclusions
- Subcontractor risk registers
- Research and defined as part of the change process
A detailed description of each key risk is recorded within the risk log, together with the cause, affects, and owners. Where receive been identified with owners or actions falling outside the remix of those present, the relevant stakeholders will be notified.
Here is an example of risk identification in a typical risk log:
Step two – risk assessment
To align with the project objectives, individual risks and opportunities will be considered against project specific impact and probability ratings. An example of such a diagram is shown below:
Part of the assessment step estate in on the register what the existing control measures are, if any. These are accounted for in the current/premeditation impact and probability ratings.
Each cell shown as in the diagrams above, may be given a numerical value and this is known as the severity rating score which is then used in creating a hierarchy of risks to highlight those needing the most attention.
The criteria for making these assessments will depend on the type of risk: monetary values for commercial risks, periods of time for schedule risk, and so forth. In the case of these two examples, there may be an assessment based on 3. Estimates and distribution criteria which are discussed later within this series of articles.
In other cases, there may be a set of qualitative statements; for example, a safety risk might be categorized by the potential for harm to individuals against reported accidents for example. These categories will vary between organizations based on the risk appetite.
It should also be borne in mind the risk may have a time envelope within which they may occur, and another way of defining priority will be those risks likely to occur in the near term future, whether these be threats or opportunities.
The assessments made, maybe categorized entered into the risk log.
It is good practice to capture the justification behind the scoring (the basis of estimate) – it is often challenged, particularly where the risk mitigation actions need a cost benefit analysis.