3.5 Risk Management Processes

Information (Inputs) that is needed to plan how risks is to be managed is found in the; project management plan; the project charter and; the stakeholder register. The project’s environment (internal and external environmental factors) also need to be considered. The environment includes but is not limited to the risk attitude of the organization, how risks are categorized; definition and terms; templates and formats that direct how risks are documented and roles, responsibilities and decision-making authority.

A Risk Breakdown Structure enables risk categories to be more easily remembered. For example:

According to the Practice Standard for Risk Management there are six steps in the risk management processes:

1. Planning Risk Management Process
   • The objectives of the Plan Risk Management process are to develop the overall risk management strategy for the project, to decide how the risk management processes will be executed, and to integrate project risk management with all other project management activities.
2. Identifying the Risks
   • Some uncertainties are easy to identify, such as the potential for a damaging storm in the Caribbean, while others are less obvious, such as the potential for a project team to experience poor health. Many industries or companies have risk checklists developed from past experience. The value of a checklist is the stimulation of discussion and thought among team members about the potential risks of a particular project.
3. Perform Qualitative Risk Assessment
   • Assess and analyze each identified risk by estimating its likelihood (probability of occurrence) and impact on project goals. The outcome from this process is a prioritized list of project risks with values (e.g. high, medium, low) that represent the likelihood and potential impact. The probability/impact matrix is a key tool in risk assessment and assist in ranking risks.
4. Perform Quantitative Risk Assessment
   • Quantitative risk analysis is a numeric estimate of the overall effect of risk on the project objectives such as cost and schedule objectives. The results provide insight into the likelihood of project success and is used to develop contingency reserves.
5. Developing Risk Responses
   • Accept the risk (do nothing to prevent it from happening), eliminate it (change something in the project to avoid its occurrence), transfer it (to a third party by purchasing insurance), or mitigate it (reduce its likelihood and/or impact).
6. Monitoring and Control Risks
   • After selecting the appropriate response for a particular risk, the project team must balance the cost of the response against the anticipated benefit for the project. Monitoring is important because new risks emerge and understanding the effectiveness of implemented risk response strategies ensures project risks are effectively managed throughout the project’s lifecycle.

Let us examine each aspect of effective risk management processes in more detail.

Risk Management Plan

By the time a risk turns into an issue on a project, it is often too late to effectively respond to it. The risk management plan allows the project team to reduce the likelihood of negative surprises, proactively take advantage of positive risks (opportunities), and ensure risk management is considered when schedules, budgets, and other management plans are developed. Creating and maintaining a risk management plan significantly increases the likelihood of project success.

The risk management plan identifies the processes and procedures to be used in managing risk throughout the life of the project. It includes a number of key sections: project description, methodology, risk management organization, stakeholder risk tolerance, risk sources, categories, assessment, definitions (e.g. very high to very low), probability/impact assessment (matrix), roles and responsibilities, budget and schedule estimates for risk-related activities, criteria for success, tools and guidelines for use, risk communication plan, RBS, and the risk register. The risk management plan is integrated into the project management plan (or, in the absence of this plan, into the execution approach for the project) and the response strategies are assigned to the appropriate individuals in the organization.

A risk register is a key tool that helps project teams keep track of the status of risks, ensure response plans are effectively implemented, and new risks are managed. The register is often created during the initiation phase of a project’s life and it is maintained throughout the remaining phases.

Risk Identification

Since risks are uncertainties, a good place to start in identifying risks is the assumptions that have been made in the project justification document and project charter. Project teams hope the proposed assumptions will materialize, but this is not certain. Often, these assumptions represent significant risks.

Another important method for identifying project risks is the project team itself. The individuals responsible for specific components of the work are in the best position to identify the risks and opportunities associated with the task(s). Risk management should be a standing agenda item during project status meetings

The third source of risk is risk checklists developed from past projects. These checklists can be helpful to the project team in identifying specific risks on the checklist and expanding the thinking of the team. Some industries publish their own risk management checklists that, when feasible, should be utilized. Checklists are often organized by risk category. The categories themselves can add helpful insights during brainstorming sessions. Examples of common risk categories include:

• Technical (related to technology and equipment)
• Cost (specific labour and non-labour estimates)
• Schedule (activity durations and methods of completing work)
• Client/Customer (their willingness to use a new product/service)
• Procurement (vendor performance)
• Weather (adverse weather can impede progress)
• Financial (related to funding sources)
• Environmental (new/changing government regulations)
• Resources (skills, availability, and effectiveness of teamwork on the project)
• Stakeholders (fulfilling expectations of specific stakeholders)
• Communications (related to its effectiveness)

Notice that the categories are broad. Successful project delivery is a multi-disciplinary approach.

Risks can also be categorized according to the deliverables of the work breakdown structure (WBS). This is commonly referred to as a risk breakdown structure (RBS). Using the RBS approach helps the project team identify known risks but it may prevent the team from thinking beyond the list to creatively identify unknown risks that are not easily found inside the WBS. It is important to document all relevant information available for each identified risk.

Tools and Techniques for Identifying Risks 

Qualitative Risk Assessment

A qualitative risk analysis prioritizes the identified project risks using a pre-defined rating scale. Risks will be scored based on their probability or likelihood of occurring and the impact on project objectives should they occur.

After the potential risks have been identified, the project team evaluates each risk based on the probability that the risk event will occur and the potential impact (cost/benefit) associated with it. Not all risks are equal. Some risk events are more likely to happen than others and the cost/benefit of a risk can vary greatly. Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require responses.

For example, suppose high-impact risks are those that could increase the project costs by 5% or more. Similarly, high-probability risk events are those that carry a likelihood of occurrence of 50% or more. Only a few potential risk events are likely to be high-impact and high-probability. These risks become the “critical few” and, therefore, promptly identifying the risks within this category is helpful in deciding early on where the funds and time should be allocated for risk-related activities. See Exhibit 3.2.

Qualitative risk assessment must be performed always and the exercise is usually quick and subjective.

There is a positive correlation between project complexity and project risk. This means that both variables increase or decrease together. A project with new and emerging technology will have a high complexity rating and a correspondingly high project risk. The project management team will assign the appropriate resources to the technology managers to ensure the accomplishment of project goals. The more complex the technology, the more resources the technology manager typically needs to meet project goals, and each of those resources could face unexpected problems.

On projects with a low-complexity profile, the project leader may informally track items with risk potential. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal with risk assessment meetings occurring throughout the project’s lifecycle to assess relevant risks during different project phases. On highly complex projects, an outside expert may be included in the risk assessment process, leading to the risk assessment plan taking a more prominent place in the project implementation plan.

Quantitative Risk Assessment

Individual risks are evaluated in the qualitative risk assessment and analysis, however, quantitative assessment and analysis allows us to evaluate the overall project risk from the individual risks plus other sources of risks. For more critical decisions, quantitative risk analysis provides more objective information and data than the qualitative analysis. Quantitative risk assessment can be considered for large and complex projects, projects that requires a large contingency reserve and projects where upper management wants more detail about the probability of completing the project on schedule and within budget.

Tools used in quantitative analysis include Three Point Estimate, Decision Tree Analysis, Expected Monetary Value (EMV), Sensitivity Analysis and Fault Tree Analysis (FMEA).

In addition, statistical models are sometimes used to evaluate risk because there may be too many possible combinations of risks to calculate them one at a time. One example of the statistical model used on highly complex projects is the Monte Carlo simulation, which simulates a possible range of outcomes by evaluating many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of a risk event successively occurring with other combinations of risk events.

For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that a key piece of equipment will be late and that the weather will be unusually bad upon equipment arrival. Quantitative risk analysis relies on accurate statistical data to produce actionable insights. High-risk industries in such as — mining, oil and gas, or construction rely heavily on quantitative risk analysis which is a legal requirement.

Risk Responses

Negative Risks

After the risks have been identified and assessed, the project team develops appropriate risk responses. As previously mentioned, the project team responds to negative risks in various ways:

• Risk avoidance
• Risk mitigation
• Risk transfer
• Risk acceptance

Each of these responses can be an effective tool in reducing individual risks as well as the overall risk profile of the project. The risk response plan captures the risk management approach for each identified risk event and actions the project management team will take to manage the risk.

Risk avoidance usually involves developing an alternative strategy with a higher probability of success, but, usually, the associated cost of task completion also becomes higher. A common risk avoidance technique is using proven and existing technologies rather than adopting new techniques, even though the new techniques may show promise of better performance and/or lower costs. A project team may choose a vendor with a proven track record over a new vendor that is providing significant price incentives to avoid the risk of working with a new vendor. Alternatively, a project team that requires drug testing for team members is practicing risk avoidance by attempting to evade damage done by someone under the influence.

Risk mitigation is a response to a risk that cannot be avoided or if it is unwise to avoid it (due to risk avoidance strategies being too expensive, too time-consuming, etc.). In this case, the project team is attempting to reduce the likelihood and impact of a risk. For instance, assigning highly skilled resources to an activity reduces the likelihood and impact of errors occurring.

Risk transfer is a risk reduction method that shifts the risk from the project to another party. The purchase of insurance on certain items is a risk-transfer method. The risk is transferred from the project to the insurance company. A construction project in the Caribbean may purchase hurricane insurance that would cover the cost of a hurricane damaging the construction site. The purchase of insurance is usually connected to risks that can significantly impact the project while being out of the project team’s control, such as weather, political unrest, and labour strikes.

Risk acceptance involves doing nothing in response to the risk. The acceptance response is a good one when the likelihood and impact of a risk are low. In some cases, little else can be done about the risk, leading to acceptance being the only feasible option. When this response is chosen, many project leaders have developed a strategy to deal with the risk if it does materialize. This often involves setting aside funds (contingency reserves) in the project budget.

Positive Risks

As previously mentioned, positive risks (opportunities) are uncertainties that, if materialized, will have a positive impact on the project. Project teams have other alternatives to deal with opportunities:

Risk sharing involves partnering with others to share responsibility for the risk. Partnering with another company to share the risk associated with a portion of the project is advantageous when the other company has the expertise and experience that the project team lacks. This increases the likelihood of the opportunity materializing and, if it does, both organizations share the gains.

Risk exploitation attempts to eliminate the uncertainty and ensure the occurrence of the opportunity. An example of this could be pursuing a bonus that is available only if an activity is completed early. In this case, the project team will reallocate resources in order to ensure the activity finishes early and the bonus is obtained.

Risk enhancement attempts to increase the probability of the opportunity materializing but it does not seek to ensure its occurrence. This requires less investment than the exploitation response and is appropriate when the positive impact is not as great.

Risk acceptance involves doing nothing in response to the risk. This acceptance response is a good one when the likelihood and impact of a risk is low.

Monitoring and Controlling

The objectives of risk monitoring and controlling are to track identified risk, monitor residual risk, identify new risks, ensure that risk response plans are executed at the appropriate time, and evaluate their effectiveness.

Understanding where or when risks occur in a project is important information for managing the project’s contingency funds. Most organizations develop a plan for financing the project from the existing organizational resources, including financing the project through a variety of financial instruments. In most cases, there is a cost to the organization to keep these funds, including the contingency budget, available to the project. As the risks decrease over the length of the project, if the contingency is not been used, then the funds set aside by the organization can be allocated for other purposes.