Within every industry, every project, every task, every decision – there is always Risk. Inevitably, some risks you can avoid, and some you simply just can’t. Let’s face it – project risk management is highly contextual. Depending on your age, your industry, your role or position etc. risks don’t always manifest themselves in the same way.
The reality is, risks evolve and change over time and there’s never going to be a foolproof method to avoiding all risk. There are, however, ways to minimise it and this is where Risk Management come into play.
To get an idea of how it functions, let’s look at the following example…
After working for 25 years as a process manager, Matt is increasingly faced with the challenge of constantly delivering at a high service level or quality in an ever-changing environment.
He is faced with having to avoid potential pitfalls in his daily business operations, whilst also having to upskill and train others that are working beneath him. With this comes the risk of not only unexpected events disrupting normal daily operations, but also the potential for mistakes to occur (whether intentional or not).
This, in turn, affects his output, as more time is spent needlessly worrying about things that aren’t adding value to the business.
If it were somehow easier to identify, measure and mitigate the types of workplace risks he encounters, he’d be able to:
- define the problem more quickly,
- perhaps find an easier or predefined solution to the problem,
- and provide faster information to his colleagues.
Fortunately, best practices are available to him, and he need not look far for effective risk management strategies.
Whilst many industries have their own procedures for identifying, measuring and mitigating risks, they all encompass some common characteristics.
Here are the top 5 essential steps to effective risk management.
1. Project Risk Management Plan
Start your risk management straight away. That’s right… as soon as the project begins, so should project risk management.
The number of risks impacting a project declines throughout the project’s life as the project progresses and milestones are reached.
This means there are far more potential risks which could impact your project! To avoid early issues arising and potential financial implications or delays, start identifying risks immediately.
Some key points to take into consideration during planning are:
- Utilise risk management standards for more information like ISO 31000 and the Project Manager Institute’s PMBOK Handbook
- Identify key stakeholders and nominate who the risk owners will be
- Compile a document or database to track and record risks which will outline risks and responses and control strategies. This is crucial and will become your core project risk management strategy
- While a qualitative analysis is a key step in the process, you may wish to skip the quantitative analysis. This will depend on the size of your project and financial implications due to risks occurring
- Certain project risks at project completion will become operational risks. These should be identified along with new risks and acknowledged at project handover
- Continually review the risks throughout the project. Close risks if they have zero probability and list newly identified risks
- Ensure everyone has visibility over the risks and risk register, encourage all project members to contribute
- Determine how “Unknown”, unidentified risks will be handled if they occur
2. Identify Risks & Create a Risk Register
Developing an adequate risk register is an important step in the risk management methodology.
The PMI details that risk is “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, or quality.”
There are three takeaways from this statement:
- A risk is an uncertain event – Risks that occur are no longer uncertain and become Issues
- Risks either have Positive or Negative implications on a project
- Risks may impact any stage of a project
Identifying project risks can be a challenging task as there are so many factors that impact the outcome of a project; social, financial, timing, etc.
The suggested approach for identifying risks is:
- Utilise existing knowledge and previous experience. One of the best ways of creating a risk register is to base it off prior documentation from similar projects such as charter, budgets, schedules, plans, etc.
- Enlist the assistance of experts who will have greater experience and breadth of knowledge
- Brainstorm within a team, or if your project is quite large and consists of various teams, have each team perform brainstorming and compile risks that they have identified
- Utilise theoretical techniques like root cause analysis or the Delphi technique
- Research case studies from other projects; these are often available in educational textbooks and other sources.
Once you have compiled your list of risks, transfer them into your risk register management software or risk register spreadsheet template and get ready to analyse.
At the end of the identification step, you should be aware that there will be unknown risks that have not yet been identified. The challenge in this step is to maximise the identification of the known risks and minimise potential unknown risks.
3. Risk Analysis
You’ve probably seen the green, yellow and red risk matrix? These matrices are a way to view the qualitative risk management step in a graphical form. This is a form of Probabilistic Risk Assessment (PRA) which is the common approach for project risk management.
This step allows you to assess the likelihood of a risk impacting your project, in a positive or negative way and provide you with a clear idea of how to go about responding to the risks.
The two factors used for ranking a risk are:
This is the likelihood of the risk occurring, usually scored between 0 – 1. Any risk that has a probability score over 0.9 is very likely to occur and should be treated as a certainty!
You can determine the probability using:
- Event Tree Analysis or Fault Tree Analysis
- Similar techniques to risk identification, past experience, experts, etc.
- Utilise a rating chart for a more simpler, standardised approach
The image below shows an example of a rating chart, a very common method used by many companies. The chart is a simple way of estimating probability and reduces the need for higher-level technical and mathematical skill.
Impact represents the severity of positive and negative effects on the project if a risk eventuated. The impact can be scored from 0 to 1 or estimated on using a scale of Low, Medium, High, Extreme; which can be later plotted on a risk matrix.
What constitutes a severe impact (and its associated score) should be determined by the type of project, financial ramifications, safety and other factors important to your business.
To calculate the risk rating, simply multiply the probability and impact. The results will provide you with a clear range of risk ratings which can be responded to appropriately in step 5.
Alternatively, if you choose to utilise a probability rating chart and impact chart to simplify your process, put your results into the risk matrix to identify the risk ratings.
Advanced Predictive Probability
The qualitative analysis can be further expanded to take into consideration, the future impact date and critical dates. The date should be expressed as a probability multiplier applied to the probability x impact calculation.
The resulting figure will provide a predictive approach to risk management which will constantly change, and increase as the project approaches critical risk dates.
If your project is highly dependant on financial impacts and particular assets, then you may benefit from applying quantitative analysis. One method for the quantitative analysis consists of identifying the ‘Annualised Loss Expectancy’ (ALE) which is derived from the ‘Single Loss Expectancy’ (SLE) to an asset if a risk occurs, multiplied by the estimated annual rate of occurrence.
The ALE figures provide financial decision-makers with a justification to plan an appropriate response to certain risks.
There are criticisms of the quantitative analysis, and it is worth exploring this topic in further detail to learn if it is required for your risk management.
4. Plan Responses to Risks
There are generally four response strategies that may be applied to reduce negative risks and enhance opportunities or positive risks:
Avoidance: Eliminate the risk
Mitigation: Reduce severity or probability
Transfer: Transfer ownership to another party
Acceptance: Do nothing
The type of response applied to risk is dependant on the risk rating determined during the risk analysis. You should decide during the planning stage, the risk rating level that each of the response strategies will be applied to, e.g. for an extreme risk rating (highly likely with severe impact), avoidance would likely be the most suitable strategy.
A risk matrix provides a simple, graphical way of identifying which action or response to take.
Avoidance Strategies – High-Level Risk
- Cancel activities which may cause the risk
- Engage in alternative activities
- Remove root causes
Mitigation Strategies – Medium Level Risk
- Reduce scope
- Increase staff
Accept Strategies – Low-Level Risk
- Make no attempt to minimise the severity or probability
- Understand the risk may happen and accept to deal with issues as they occur
5. Monitor & Control
Lastly, you need to consistently monitor, identify and review risks on a regular, ongoing basis throughout the entire life of your project. During planning, decide on a reasonable frequency to perform risk reviews – this will depend on project complexity, the length of the project and past experience with similar projects.
- Review existing risks; remove any risks that no longer pose a threat
- Are there any new risks? Analyse, respond and add them to the risk register?
- Is the probability of existing risks changing as the project progresses?
- Are any risks likely to occur in the near future?
You can monitor the effectiveness of your risk management using audits, reserve analysis, variance and trend analysis. Use the results from these analysis techniques to complement decision making and assist with implementing improvements to your overall risk management process.
So there you have it!
By incorporating these 5 key steps into your project risk strategy, you can effectively reduce the likelihood and impact of risk.
What do these essentially provide?
If we look at Matt’s story again, we can see how he’s now more capable to manage risk.
By implementing this strategy, he’ll be able to start immediately identifying and compiling risks with minimal disruption to his daily operations, meaning less likelihood of the risks materialising. He’ll also have a fairly good idea of the types of risks he’ll encounter, which means his risk register shouldn’t take long to fill up.
Once he’s created his risk register, he’ll then be able to effectively analyse the probability and impact of each risk; he’ll have a sound metric to evaluating risk levels. In turn, by having relevant information about the risks and their severity, he’ll then be able to more effectively devise appropriate mitigation strategies through prioritisation and teamwork.
This process is also ongoing, meaning he’ll be able to measure how effective these strategies are over a period of time.