Risk management

A risk is defined as an uncertain event which should it occur, will have an effect on the project meeting its objectives. These uncertain events can be positive in which case it would be called an Opportunity, when negative it is called a Threat.

When carrying out risk management, the purpose is to reduce the probability and impact of threats and to increase the probability of opportunities and their positive impact. It is helpful to consider that and risk is an event that may all may not occur in the future, but if it does occur it will have an impact on the project objectives.

Effective risk management entails clearly identifying each risk, and estimating it in terms of its probability and impact and controlling it by taking appropriate action and ensuring such action has the desired effect.

Before getting into the details of risks a project must determine the Risk Management Strategy which describes how risk management will be used and implemented within the project. The risk management strategy should include, amongst other things,

• tools and techniques to be used
• the responsibilities for risk management actions
• the scales to be used for calibrating and estimating probability and impact
• the risk categories as to be defined, their proximity, and risk trigger indicators.

For contingency or fallback actions, a risk budget should also be agreed. This budget is used to pay for any such risk actions should they be needed.

When using management by exception, the risk tolerance or risk appetite should be agreed between the project manager and the project board.

The Risk Register should be created early in the project, and used to capture all details and the status of each risk identified. The project manager is responsible for ensuring that risks are managed properly but there will be the need for risk owners for all risks, and these owners may be other people involved in the project.

The first step in the risk management procedure is to identify the risks, and this is normally done within a risk workshop. Other useful sources of possible risks, is to review lessons from previous projects. Yet more sources include organisational risk checklists, or the use of industry-wide checklists or tables.

Many people make the mistake of naming risks such as " the risk is that the project may come in late" -- but this is a mistake, because of that statement is not the risk itself, but its impact. It is helpful to consider that the source of the risk is called the risk cause (the potential trigger points for each risk), the risk event describing the area of uncertainty, and the risk effect which he describes the risk in fact on the project objectives.

The next step is to estimate and evaluate each risk, and there are various estimation techniques that may be used:

Cause and Effect Diagram (Ishikawa Diagram)

Also known as a fish-bone diagram. Used to "reverse engineer" the risk impact to its possible causes:

Probability trees. Links up diagrammatic representations of possible events shown as linked rectangles each with a probability and impact. When connected together, the aggregated value of project risk can be determined. These help the decision-makers to determine possible outcomes, and ends suitable actions.

Expected value. This technique multiplies the cost of the risk impact with the probability of the risk occurring. For example, if the cost of a risk was £10,000, and the probability equal to 40%, then the expected value would be £ 4000. Summing all of these expected values together will give the aggregated risk expected monetary value of the project.

Pareto Analysis. This is often called the 80/20 rule, from the observation that 20% of the risks will have the most impact on a project, and allows management to focus their attention on managing and controlling those risks.

The probability impact grid. This is a table with the vertical axis scaled in probability and the horizontal axis scaled in impact. Suitable scales are determined, typically 10% probability, as very low through to very high between 70 to 90% of ability. The impact scale usually covers from very low to very high. The great is used to provide an assessment of the severity of a risk and so enable risks to be ranked such that management effort can be prioritised.

The summary risk profile. This again is a table of probability against impact, but instead of measuring the severity of each risk (probability times impact), it plots each risk as a number much like a scatter diagram so that the spread and severity of risks can be directly seen. For example any risks which have a very high in act and probability would be seen as severe threats and this will enable appropriate actions or counter measures to be determined.

The next step is to plan the appropriate responses, both for threats and opportunities. There are many ways to describe such actions, but the following most of them used:

Threats.

Avoid. An action is planned such that the threat can either no longer have an impact on the project and/or its probability is zero.

Reduce. An action is planned to either reduce the probability of the risk occurring, and/or to reduce the impact of the event should it occur.

Fallback (often called Contingency). An action is planned but only implemented should of the linked risk occur.

Transfer. An action is planned that reduces the financial impact of the threat. Usually, the action is via some form of insurance, or I appropriate clause is in a contract.

Accept. This is the take no action option. The threat should be continuously monitored to ensure that it remains tolerable. This action is often chosen because the risk has a low probability and/or a low impact, or that the costs and effort of any actions out why he the severity of the threat.

Threat or Opportunity

Share. Often carried out within contracts using third parties, where a pain/gain formula is agreed should the threat or opportunity occur

Opportunities.

Exploit. Taking action to ensure that the opportunity will happen and that the positive impact will be realized.

Enhance. Taking proactive actions which either enhance the probability all the impact of the event.

Reject. A decision taken not to exploit or enhance the opportunity.

All of the above actions are captured and entered within the risk register, and plans include the above activities and resources.

It is helpful to include the proximity for each risk. This is the time frame of the risk event occuring from the present day. This is helpful in focusing resources on actions for risks in the near future. But it is also helpful in determining when each risk event will occur, as this will have an effect on the severity of the impact.

Throughout a project, new risks can be identified, and existing risks can change their status -- for this reason risk management should be seen as an ongoing activity throughout the entire project. It should also be remembered that as issues arise, these can in themselves impact existing risks or cause new risks.

At the end of each stage of a project, the total risk situation needs to be calculated, and used as part of the data for management to make an informed decision as to whether to proceed with the project or not. At the end of a project, as part of closure, any outstanding risks which would therefore have an impact on the end product's operational life should be found a new owner, so that such risks can continue to be successfully managed and controlled.

For more information CLICK HERE