What Is Risk Management

Published Date: 02 Nov 2017

Project risk management is an integral and an important part of the project management plan and it should be planned and executed in order to achieve a successful result. ‘Risk’ is something that cannot be averted completely but we should learn and manage to work around these risks and their impacts. Sometimes the risks can have positive effects too and these are called as opportunities and the project should be planned in such a way that all the opportunities can be realized and capitalized. The monitoring and controlling part of the risk management process is the most important part and this activity should be undertaken throughout the lifecycle of the project. Some contingency reserves in terms of cost, quality, time and quality should be allocated in order to nullify the negative impacts of the risks and to realize the positive effects of the risks. In this paper the author has used the Project Management book of Knowledge as basis to make these things clear in a simpler way.

Contents

List Of Figures

List of Abbreviations

EMV Expected monetary value

PMBOK Project management body of knowledge

SWOT Strength Weakness Opportunity and Threat

Introduction

Project is a one-time activity and needs proper planning so that it is executed or implemented in a successful way without any troubles or delays. No matter how carefully and detailed the project is planned, the chances are always high that a project can run into trouble. Mr. Murphy says in one of his timeless classic and pragmatically simple quotes that ‘Anything that can go wrong will go wrong’. The problems can be multi-dimensional and diversified. For example, the promised human resources team might be unavailable due to health problems and you have no control over this situation. Or some other resource, like raw material cannot be made available due to some reasons like the ship bringing the material from China was hijacked in Somalia or may be the ship capsized in a storm. Problems can also come due to natural disasters like earthquakes and floods. So what do we do to plan a project against such ‘Risks’, so that at the end you can confidently say that ‘All is well’. For that first of all we need to define ‘Risk’, identify those and then plan our risk response.

What is Risk Management?

In order to fully understand the concept of risk management first we have to clarify for ourselves the meaning and scope of the term ‘risk’. Risk is an unpleasant, unwanted and an uncertain event or condition that when occurred has a negative effect on at least one of the project objectives. (PMBOK). The objectives are usually the scope, cost, time and quality. Risk can be caused because of one or more root causes and can have multiple impacts. (PMBOK) Risk is Risk management is process of identification, analysis and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate event or to maximize the realization of opportunities. (Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46.) Project risk has its origins in all projects and cannot be changed. There are 2 types of risks:

Known risks are the ones that have been already identified and analyzed, making it possible to plan responses.

Unknown risks cannot be identified and managed proactively. Due to this fact, the project management team must create a contingency plan. (pmbpok)

Risk is a hard fact and cannot be avoided. The project management team and stakeholders are always willing to accept certain level of risk in the project. This is called as risk tolerance. The risks in any project are accepted only when they are within the tolerance level and which are worth taking and the profits or gains estimated by undertaking this risk are in harmony. Risks can also be reflected due to the individuals who make the decisions. The approach undertaken to manage risks should be always consistent and the communication flow regarding risks and its effects should be balanced, open and honest. For a successful project management, risk management should be very well integrated into the planning phase with optimum preparation and thoughtful risk management. The risk management should be incorporated in all levels of project and the more attention to detail; the better it is for the project. Without proper risk planning and management, if the project is undertaken will lead to serious problems and worst can lead to project failure. Risk management is nothing but to plan the risks. The crucial step involved in planning is planning meetings and analysis. The project teams are responsible to hold these meetings and the participants may be but not limited to the project manager, other team members and stakeholders. Some of the important points discussed in these meetings are but not limited to follows:

Assigning risk management responsibilities are assigned.

Risk contingency reserves are set up and discussed.

Types of risks are discussed along with their probability of occurrence, effects on project and the countermeasures.

A risk probability and impact matrix is developed suitable to the project.

A risk management plan is developed.

A risk breakdown structure is developed.

Risk identification

Risk Identification is the process of identification of risks pertaining to the project and if required documenting their effects and characteristics. The team members, project manager, the stakeholders and the experts (if required) are responsible for identifying suitable risks. The risk identification process is a cyclic activity and an iterative one because often some risks are averted and new ones come up over the life cycle of the project. These risks must be identified in time and also need to be documented (updated). The frequency of these iterations also varies and had to be decided to avoid unnecessary chaos. Listed below are the tools and techniques to identify, analyze, counter and exploit the risks in such a way that their effects are nullified. The outcome of this analysis is the updated risk register, a list of mutually agreed risks and the counter measures or responses to stay put.

Tools and techniques:

Brainstorming:

The entire project team along with the stakeholders and experts must engage in the brainstorming activity. The purpose of this activity is to make a comprehensive list of risks that a project can run into. Then the risks are divided into categories which lead to a risk breakdown structure. The brainstorming activity should be a tradition free atmosphere and every suggestion must be noted down. The participants should be encouraged to brainstorm for creative and out of the box ideas.

Delphi technique:

A common consensus of the experts can be reached by this technique. A questionnaire is used to solicit the ideas regarding the important risks. The participants have to then give their comments and then they are summarized and given to the experts for review and comments. It takes a few rounds to reach a consensus. By this method a transparency can be maintained and an unbiased outcome can be expected so that no one has an influence over a particular project risk.

Root cause analysis:

This analysis is a universal tool in problem solving and can also be implemented in analyzing risks in a project. When we have the root cause of any impending risk; an effective, efficient and optimum preventive action can be developed, designed and implemented. The onus is on the experts to effectively execute this tool and with experience comes better solutions.

Checklist Analysis:

A checklist of risks can only be developed when we have historical information and knowledge of the risks involved. The basic risk checklist is quite easy to make and maintain but it is equally exhaustive to prepare and maintain a detailed checklist of the risks involved. A checklist must be reviewed by the experts, project manager and the stakeholders periodically and should be updated at the time of project closure as a part of lessons learned for future reference for similar projects in the future.

Cause and Effect Diagrams:

This is the typical Ishikawa or Fishbone diagram and can be used to identify the causes of risks. This can be useful as a tool to analyze the root cause of the problem.

Figure : Classic Cause and Effect Diagram (Ishikawa Diagram)

SWOT Analysis:

This is also a classical analytical tool. By virtue of this tool, we can analyze the strengths, weaknesses, opportunities and threats. As far as the risks in a project go, they can be clearly visualized under the threats part of this analysis.

Types of Risk Analysis

We have seen the tools to identify the risks but after analysis is the most important part which is of risk analysis. Usually, the risks analyses are of 2 types which are explained in detail below.

4.1 Qualitative Risk Analysis

Qualitative risk analysis is nothing but further analysis of risks by prioritizing them and then combining their probability of occurrence and the impact that they can have on the project. The project team should concentrate on the high priority risks and this will definitely lead to high performance. The additional parameters taken into consideration should be the time frame for response or the corrective action and the organizations risk tolerance regarding the parameters like cost, scope, schedule and quality. The impact of bias can be reduced by establishing the definition of levels of risk probabilities. The quality of the information on the risk and their probability plays a major role in this analysis. The qualitative risk analysis is used as a quick and cost effective means to develop priorities for planning the risk responses. This qualitative risk analysis should be considered, evaluated and updated throughout the entire life cycle of the project.

The important tools and techniques to analyze the qualitative risks are:

Risk Probability and Impact Assessment

Estimating the risk probability is the investigating the likelihood of the occurrence of the risks. It will also investigate and assess the impact the likely risks are likely to have on the project parameters like the scope, time, cost and quality. This includes both the negative and positive effects which mean the threats and the opportunities.

Probability and impact should be assessed for all the identified risks. The project team members, stakeholders and experts are included for this step of assessment. They can conduct this during the interviews and project meetings. The impacts and their probabilities are justified and also recorded. The level of probability and the effects of the impacts for each and every risk should be discussed and the proper justification considered.

Probability and Impact Matrix

The risks are further prioritized for the quantitative analysis based on the risk ratings. The risks are rated as per certain rules which are tailored according to the project requirements and then can be applied to the certain project. The evaluation of risk is done as per the probability and impact matrix. (Fig. 1)

Figure : Probability and Impact Matrix

This matrix specifies the combinations of probability and impact which lead to the rating the risks like low, moderate and high. The high risks are represented by the dark grey colored area, likewise the moderate risk is represented by the medium risk area and the low risk is represented by the light grey area.

The project management managers rate the risks separately for each objective with respect to each objective like cost, quality, time and scope. But they always try to develop an overall rating for each risk. An overall project rating scheme is developed such that it reflects the organizations preferences for one objective over another. This scheme is also used to develop the weighting the risks that are already assessed by objective. Also, the threats and opportunities are handled in the same matrix using the different levels of impacts which are appropriate for each risk.

The risk rating is very important as it gives the clear idea of the risk levels and the risk responses. The prioritization gives a clear picture of the impacts, the threats and the opportunities. If the risk lies in the dark grey zone (high risk area) of the matrix must be given prior attention so that some response strategy is developed and the threat is nullified. The risk which appears in the medium grey zone (medium risk zone) on the matrix means this risk does not require immediate attention but still some response action has to be developed.

4.2 Quantitative Risk Analysis

Quantitative risk analysis is the numerical analysis of the effect of the identified risks on the project parameters like the cost, scope, time and quality. The Quantitative risk analysis are done only for the risks that have been rated as high impact ones which have an impending threat on the project parameters like the cost, time, scope and the project quality. By this analysis, a numerical rating is given to the risks individually. It also forms the basis for the approach to make decisions in the presence of any uncertainty. The quantitative risk management is done in a similar way as the qualitative risk management. Sometimes after the qualitative risk management, it is not required to perform the quantitative risk analysis at all and sometimes it is really necessary to plan against some high impact risks. The risk management is clearer after this type of risk analysis.

The quantitative analysis is usually done by interviewing since it is one of the simplest techniques. The interviews are based on the experience and the historical data. The information is gathered on the basis as low (optimistic) and high (pessimistic). With the three point estimate technique, the reliability and credibility of the analysis can be then developed. The other important tools and techniques to analyze the quantitative risks are:

Probability Distribution

The continuous probability distribution is used to represent the uncertainties in values such as durations of the activities which are scheduled and the costs of the projects components. And the discrete probability distribution can be used to represent the risks or events that are uncertain. Figure below represents two examples. These curves are widely used in the continuous distributions. The distributions represent the shapes that are developed after the typical quantitative analysis.

Figure : Continous Probability Distribution

Sensitivity Analysis

Sensitivity analysis is used to determine the risks which have the worst impact on the project parameters. With this we analyze the extent to which the risk can damage our project and its parameters.

Expected monetary value analysis

This is a statistical concept which is used to calculate the average outcome if the future has some scenarios that may or may not occur. The Expected monetary value (EMV) of opportunities is always positive and that of threats is always negative. The EMV requires an assumption that is neutral of risk, i.e. neither risk nor threat. EMV is calculated after multiplying the value of each possible outcome by its probability of occurrence and then the products must be added together.

Modeling and simulation

In the simulation phase, the simulation makes a model and this model translates the specific and detailed uncertainties of the project into the impact they can have on the project parameters or objectives. The simulations can be iterative which iterates the project values which are randomly chosen and are done using the Monte Carlo technique. With this the probability distribution is calculated. Figure below shows the curve for the cost risk simulation. The cost risk simulation uses the cost estimates.

Figure : Modelling and Simulation

Plan Risk Response

To plan the risk response is to develop the options and actions such that they enhance the opportunities and the threats to the project parameters are reduced. It comes after the Qualitative and Quantitative Risk Analyses. The integral part of the risk response plan is to identify and assign the responsibility for each agreed and funded risk response to one person only and this person is called the ‘risk response owner’. This plan addresses and undertakes the risks as per their priorities. The planned risk response must be in coherence with the risk significance, cost effectiveness, realistic nature with respect to the project parameters, should be agreed upon by all the people involved and of course taken care of by a responsible person. Usually there are several options or plans or strategies but the optimum plan or response should be selected and agreed upon.

It is usually a difficult task to come up with the optimum strategy or a strategy mix as a risk response. Usually the optimum strategy or a strategy mix is used to devise an effective action plan. A detailed plan is used to come up with the strategies. Usually there are primary and backup strategies, if necessary. The backup strategy is developed only in case when the primary strategy fails to be effective against the impending risks. It is like a worst case back up plan. A contingency reserve is allocated for the costs and time incurring. Following are some tools and techniques to select the best option.

The risk response plan is very important and gives some outputs which are essential to ensure a surety to the project and its objectives. The most important output is the risk register updates. The prioritization, the impacts and the strategies should be documented and included in the risk register and by this it is communicated to all the members of the project. The high and moderate risks are given more focus and documented in a detailed way. The risk register documents the risk owners and their responsibilities. Also the risk register my but not limited to include the following points – risk response strategies, action plans, triggers and symptoms of risk occurrences, budget and other activities for the response, contingency reserve plans, details about the primary and secondary risks including their symptoms, strategies and contingency reserves respectively. The other important outcome of this process is the project management plan updates like the cost, schedule, quality, time and human resource plans.

5.1 For negative Risks or Threats

Avoid, Transfer and Mitigate

Risk avoidance deals with avoiding the plan to eliminate the threat for the project management plan completely. It includes the process of isolation of the project objectives that are exposed to risk. The worst case is to completely shut down the project to avoid the jeopardy. If the risk or threat comes up at the start of the project, it is avoided by changing the project parameters like the scope, time, cost or quality by clarification of the requirements or by improving the communication and by expert advice.

Transferring the risk involves the shifting of the negative impact of risk to a third party. The important point is that transferring the risk or the impact only transfers the management and does not eliminate the risk. This technique is most effective to deal with the financial risks. It usually involves paying a risk premium to the party which is ready to take the risk. The transfer can be done using certain tools which can be very much diverse which can include but are not limited to insurance, warranties, bonds and guarantees. Also some forms can be used to transfer the risks to the party which is ready to take the risks.

To mitigate a risk impact is to reduce the probability of the risk or the impact within the acceptable boundaries. An early and planned action has to be taken to mitigate the probability of any type of risk because it is always preferred instead of taking corrective action later. It usually requires a prototype development for risk reduction.

5.2 For positive risks or opportunities

Exploit, Share and Enhance

Positive risks are the impacts that can be used as opportunities which must be as a soon as possible realized. With this strategy, the uncertainty can be eliminated by ensuring that the opportunity capitalized in the best way possible.

Sharing is very much similar to the mitigation strategy of dealing with the negative risks. The opportunity is shared with a third party who is ready to take the responsibility of the impact.

Enhance

This strategic plan increases the probability of positive risks and impacts of an opportunity. The key drivers of these risks must be enhances to achieve the maximum effect of the opportunity.

5.2 For both positive and negative risks (Accept)

This strategy is used only when it is impossible to eliminate or reduce the risks involved in the project. This means that the project management team including the stakeholders has decided to accept the risk because no other option is available that can reduce or eliminate the risk in the frame of the project parameters. This can be passive acceptance or passive acceptance. Passive strategy is to do nothing and just let the project team tackle the risk and just document the risk. Active strategy is to set up some contingency reserve in terms of time, money and quality to deal with the risks.

Monitor and Control Risk

As the name says the process deals with monitoring and controlling the risks and their impacts. The prioritized risks and their impacts are tracked from time to time and the other residual low priority risks are also monitored. This process activity is undertaken throughout the project life cycle. Also new risks are identified in this process and the entire cycle is repeated. The risk identification process is also evaluated and checked for its geniality. The information can be then taken up as reference as historical data for the future projects. This process is very important and should be undertaken throughout the project life cycle to identify new risks and their potential impacts. This process usually applies techniques like variance and trend analysis. These tools require the information collected throughout the lifecycle of the project. Other tasks are to determine the validity of the assumptions made during the estimation, if the risk management principles and procedures are followed and executed in a proper way. Also the contingency reserves can be modified in coherence with the assessment of the current risk management. Monitoring and controlling risks involves choosing between alternative strategies, if necessary evaluating and executing the contingency reserves, planning and undertaking corrective strategies and if required changing the project management plans. The responsible persons often report to the project manager and usually update him with the assessments and effectiveness of the risk probabilities and discuss the impending risks and the corrective actions. The major task on this step to develop the organizational assets, include the new lessons learnt and update the database for future projects.

The tools and techniques used to monitor and control are

Risk Reassessment

The first an important step is to identify new risks and reassess current risks and also closing the risks that have been already avoided or outdated. The risks assessments are usually scheduled and carried out in a planned fashion. The detailed nature of the assessment depends on the project, the risks and the project objectives.

Risk Audits

Risk audits are normal, mundane, pragmatic and scheduled audits. This audit examines and documents the effectiveness of risk responses with the risks and also their root causes. It is the duty of the project manager that the audits are performed honestly at predefined intervals as defined in the project management documents. The format, procedure and the points must be discussed in the project management meetings and must be discussed upon before the audit is conducted.

Variance and Trend Analysis

The variance analysis is used to compare the planned results and the actual results. The trends in the risks should be reviewed by using the performance information. The methods that can be used to monitor the overall project performance are the project variance and trend analysis. The outcome form these analyses can be used to forecast the potential deviation from the project parameters like the cost, quality and time till the time the project is completed. This deviation from the standard or the expected value can be then used to calculate the potential impact of the risk as threat or opportunity.

Technical Performance Measurement

Technical performance measurement deals only with the technical things. It measures and compares the technical accomplishments during the execution part of the project to the project management schedule for the technical accomplishments. Definitions are required for the objective and quantifiable measures of the technical performance so that the actual results can be compared to the targets. The technical performance parameters can be defects, delivery time, quality, capacity and weight. The project deviation can also be measured and analyzed for the future reference.

Conclusion

Project Risk Management is an important process or part of the project which has to be planned in advance during the planning stage of the project. Here the risks, threats and opportunities have to be estimated, analyzed, prioritized, and acted upon to mitigate the risk or capitalize on opportunities. The most important part of risk management is to estimate the impending risks and to monitor and control the risks. A properly planned and executed risk management plan makes the project and its objectives less prone to the risks and its negative impacts. What’s more, the opportunities that come up are just the positive risks and can be easily realized and capitalized on.