What is Risk Management?
Risk Management identifies, analyses and responds to risk factors throughout the life of a project and in the best interests of its objectives. Proper risk management implies control of possible future events and is proactive rather than reactive and intertwines with change management.
Risk management assists organisations and individuals to decide:
how much risk we would accept to pursue our objectives
the necessary actions to deal with risk and uncertainty in order to pursue objectives.
It is important to recognise that risk management is not about eliminating risk but managing it.
The most important steps of risk management are:
1. Identify risks
Risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on the project objectives. Different organisations define risk slightly differently, but essentially, risk is the impact of uncertainty (‘manage’ the unknown) on corporate strategy, business plans and objectives. Risk is the possibility that something may happen and:
Affect the achievement of objectives, or
Cause uncertainty of outcome, or variability of an expected outcome
In order to identify a risk or uncertain event, we have to know the objectives or the expected/desired outcome first.
Let’s use a simplified example to illustrate the above definition of risk:
A bank has a home loan portfolio. Based on historical experience, the default rate is 1%, and the bank budgets for a 1% loss (i.e. the expected outcome is that 1% of the loan value will not be repaid by the borrowers) and it calculates upfront the 1% loss into the home loan products. If the economy unexpectedly deteriorates and more home owners cannot make their mortgage payment, the default rate may exceed 1%, and the home loan portfolio will not achieve the profitability target. An unexpected economic downturn causing more home owners not being able to make their mortgage payments so that default rate exceeds 1% is a risk.
The objective of risk identification is to identify all possible risks, not to eliminate risks from consideration or to develop solutions for mitigating risks—those functions are carried out during the risk assessment and risk mitigation steps. There are many ways to approach risk identification. Two possible approaches are:
(1) to identify the root causes of risks—that is, identify the undesirable events or things that can go wrong and then identify the potential impacts on the project of each such event—and (2) to identify all the essential functions that the project must perform or goals that it must reach to be considered successful and then identify all the possible modes by which these functions might fail to perform. The most common forms to carry out risk identification are:
Preparing cause and effect diagrams
Using risk identification checklists
Investigate historical past events in similar conditions (e.g. staff turnover rates on big projects)
2. Allocate risk owners
As the project manager, it is sensible if you allocate the owners for each identified risk.
Remember that your risk owner allocation might need to change later because you haven’t done a full risk analysis at this point. Once you know the full-scale of the risk it might be prudent to shift the risk ownership around in the team or provide extra support so you do not expose the project to problems unnecessarily.
3. Analyse the risks
The analysis process can be anything from making a qualitative statement about the problem to a full ‘Monte Carlo’ (a Monte Carlo simulation is a computerized mathematical technique that allows people to account for risk in quantitative analysis and decision making. The technique is used by professionals in such widely disparate fields as finance, project management, energy, manufacturing, engineering, research and development, insurance, oil & gas, transportation, and the environment. This simulation furnishes the decision-maker with a range of possible outcomes and the probabilities they will occur for any choice of action. It shows the extreme possibilities—the outcomes of going for broke and for the most conservative decision—along with all possible consequences for middle-of-the-road decisions.) analysis with the aid of a project manager or an expert risk manager. First, work with them to identify the best tool for analysis. There are plenty to choose from including:
Qualitative assessment: prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics:
Using a probability and impact matrix to provide a risk score
Grouping risks by category
Using expert judgement
Using simple risk matrix
Example of qualitative risk assessment in the video game industry: In general, qualitative analysis seeks to identify risks by using scales that summarize visually and intuitively the relative dimensions of each risk, allowing to prioritize: providing a visual representation that combines the most basic factors, such as the impact that the risk would have on a project and the likelihood of it occurring. In spite of its name, qualitative evaluation implies a numerical estimate of these two variables along previously defined scales using a quick and subjective approach. It’s something like when doctors ask: From one to ten, how much does it hurt?
Similarly, to the intuitive scale of Wong-Baker’s expressions, qualitative assessments of risk have visual translations in a geometric representation that allows a systematic comparison in risk assessment matrices.
In the example that follows, the online risk assessment matrix will estimate the comparative weight of the following risks for a team of developers in a video game studio:
Inadequate graphics engine
Loss of programmers
Failure in approval process of the game build after submission
By assigning impact and probability values to these risks, the following table results.
The table itself suggests some observations.
1. Experience, the mother of probability
Firstly, in a video game studio that launches, say, half a dozen titles a year, after 10 years of activity there is a portfolio of 60 titles that allows to draw certain conclusions about the frequency with which these risks occur. The probability estimate is based on the experience of the organization, which has suffered personnel losses in the programming area in one out of three projects.
2. Simplify and then discuss the details
This model simplifies factors in just two values, but it is important not to lose sight of the fact that the variables hide more complex realities that should appear in the quantitative phases and in the discussions with the stakeholders. For example, loss of talent can hide many different realities, depending on the number of people lost, their roles within the organization, or whether the loss is due to a transfer to another company, vacation, retirement or inability to hire according to the forecasts of the HR department.
With all these nuances, the online risk matrix results in:
Quantitative assessment is numerically analysing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives:
Using probability distributions
Expected monetary value analysis
Modelling and simulation like Monte Carlo technique
Risk based approach: quantitative methodology that will not eliminate the risk; however, it will enable the understanding of risks with the aim of mitigating the impact which requires identification of risk factors, classification and scoring.
For example, at an onshore process of chemical and petrochemical facilities and pipelines, risk assessment needs to be done comprehensively, within a structured framework. Safeti (Software for the Assessment of Flammable, Explosive and Toxic Impact) is by far the most comprehensive QRA (quantitative risk assessment) software tool available for assessing process plant and pipeline risks. It is designed to perform all the analytical, data processing and results presentation elements of a QRA within a structured framework.
4. Prioritise the risks
After the risk analysis, prioritisation of these risks can start by explaining how this risk fits into the whole project picture, and how you balance the portfolio of risks across all projects. Providing the context for the individual risk will help the owner see how and where it sits in a list of project risks and then how that list relates to the programme level risks and upwards on to the portfolio. It is very important here to explain how you decide which risks get fed upwards and how you make the judgement to exclude other risks.
A quick lesson in how your prioritisation tool works might be useful; this could range from a simple spreadsheet to project management software on how to flag the priority of a risk.
5. Identify risk response strategies
With an available prioritised risk list and once you understand the root cause of the risk, the next step is to determine the probability of the risk happening as well as the level of impact or severity in case it does happen. In other words, what will happen if this risk materializes? How will it affect time, cost, quality, business benefits, and resourcing of your project?
The best way to assess the impact and probability of a risk in a collaborative manner is to draw a risk matrix on a whiteboard with Probability along the horizontal axis and Impact along the vertical axis. it comes to deciding which risk response strategy to use.
This is a great step to hand over completely to the team and let them come up with the best method to deal with the risk, and provide some expert guidance as needed.
6. Design a risk management plan
Once the risk response strategies for each risk are identified, the risk management plan can be produced. At a project level this is the responsibility of the project manager. At individual risk level, though, you can let your team have the free reign to prepare their own mini-risk management plans including the tasks, dates and resources they need to manage their risks effectively. These plans can then be consolidated into your project risk management plan. When the full project risk management plan is completed make sure you share it with the risk owners and the wider team.
7. Check in regularly
Check in with your risk owners regularly during the execution of the risk management plan. Evaluate how they are doing and provide timely feedback so they can quickly get back on course if they are struggling. Talk to them about how they are managing their tasks and what they would do differently if they did it again, and how they have found the experience of taking on more responsibility on the project.
How does your own team make your project riskier?
Most of the time when project managers do risk management, we focus on getting the team together, reviewing tasks, identifying what might stop or impede the project from moving forward, writing it all up in a project risk register. But generally, you haven’t named your project team and how they do their jobs as ways to cause risk to the project. Risks are not always related to factors outside of your project team - some risks could be caused by your own project team.
Here are some examples of how your team makes your project riskier:
Miscommunication or not communicating clearly and effectively might lead to the risk of working on the wrong things or in the wrong order, or not doing a task that’s required in a timely way, or any number of issues that arise from failure to understand the message and make yourself understood. It also affects your wider stakeholder group. If you can’t make it clear to your sponsor that they need to make a decision, they might run to into a delay.
How to avoid this risk? Work towards a team culture that is good at communicating (= change management strategy). Encourage your team to talk to each other, discuss problems and to say openly when something is not understood. Pass messages on, up and down. For larger projects, provide a clear communication plan that is known and understood by all stakeholders: when to have which meetings, allow time for feedback sessions, and foster new ideas from the project team (e.g. implement reward culture on new ideas).
Poor estimation or planning can add a risk to your project schedule.
How to avoid this risk? Give your team enough time to properly work through their planning for estimating tasks. You can also encourage them to work together to check each other’s estimates. Look back at past projects and see where they overran. Use the data in your project management tools to inform your new estimates and try to make the best use of the information you have available. As a minimum, you can add contingency to project tasks where the uncertainty around the estimate is high, make sure that it is transparent on your schedule and that you take it out when it is no longer needed.
Resource risks present themselves in a couple of ways:
Allocating the wrong people to tasks which can delay the work, add extra cost or introduce quality issues.
Adding the wrong people on to the team so you don’t have the right skills to complete the work.
Failing to deal with conflict or other people problems so the team starts to fall apart.
How to avoid risk? Check in with the team and see if they are happy with what they’ve been allocated, or get them to work out the split of tasks between themselves. Be alert for conflict and have a couple of go to strategies that you can try out when you detect it.
The final area where your team can add unplanned risk to the project is in reporting. For example, during the set-up of your weekly report for a project, you forgot to include a major problem that the project had suffered that week, in fact it was resolved by the time the report was written, but should have been included.
How to avoid the risk? Put a process in place for managing reporting and stick to it. Make sure everyone knows what is expected of them and that they can fulfil their obligations to give you timely data for your reports.
What are the Best Ways to Mitigate Risk on Projects?
If risks are detected, it comes to introducing specific measures to minimize or eliminate unacceptable risks associated with its operations. Risk mitigation measures can be directed towards:
reducing the severity of risk consequences,
reducing the probability of the risk materializing, or
reducing the organisations exposure to the risk.
Talking about mitigating risk, we think about a column on our risk logs for mitigation strategies. But what does it actually mean?
The most common ways to mitigate risks are:
1. Clarify the requirements
Make full use of feasibility studies, workshops and user groups to test out the ideas before making a full commitment. Agile techniques can ensure end users and clients are engaged at every step of the way, feeding into the outcomes and making sure that what is delivered is really what is wanted.
How to do it? Hold workshops. Interview stakeholders. Produce a comprehensive scope document and project brief, even if it takes much longer than you wanted to spend on this exercise.
2. Get the right team
People with inadequate skills make your project take longer because they are slower. People who aren’t available when you need them also impact your project timescales. If possible, ringfence the resources that you need into the team. This mitigates a lot of the people-related risks.
How to do it: Use resource allocation techniques to identify the resources you require for the project and then to secure them. Make sure that you know when your resources are available for project work and book their time accordingly.
3. Spread the risk
Risk transference is a recognised and useful risk management strategy, but it has to be used with caution. Mitigating your own risk by dumping it on someone else isn’t always the best approach. For example, you can transfer risk to another party but that might incur a great deal of cost which in many cases isn’t the most appropriate use of company funds.
How to do it: Quantify the risk. Think about cost of transfer and likelihood of occurrence. Look for ways to manage risks jointly with contractors or other stakeholders to spread out the actions and also the impact should the risk occur.
4. Communicate and listen
Communicate widely, consult widely and listen to the responses you get. These can help you identify residual risks and strategies to engage more effectively with the stakeholders concerned.
How to do it: Plan your communications and take third parties into account too. Consumer, environmental or other external groups can have a huge impact on your project (positive and negative) so involve them early and consistently.
5. Assess feasibility
Make use of feasibility studies and prototypes to test out ideas and solutions before you move to development. This is a simple way of de-risking a project because you can use this early stage as a test bed for checking your concepts, methodology and solution.
How to do it: Break your project down into phases and include time at the beginning for a feasibility or investigation stage. This is a short period of time where you can fully scope out the initial underpinning or enabling work and test out your solution in a limited way prior to a full rollout. The learning can be incredibly helpful for shaping the rest of the project, and it can prove (or disprove) the business case without having to commit the full investment.
6. Test Everything
Testing is an important part of making sure that your project risk is lower and manageable. Test everything: training materials, implementation plans, and obviously software and the deliverables. Test frequently and allow longer than you expect.
How to do it: It’s probably not a popular view but I would estimate the time needed for testing and then double it. That’s the time I would put in my plan for the task. For non-IT project related stuff: ask a lot of ‘what if’ questions to test all possible scenario’s.
7. Have a ‘Plan B’
The best way to plan for the unplannable is to have alternatives in your back pocket. This could be:
‘Float’ in the plan
Additional resources on standby
Options to break the project into segments and/or reduce scope
A plan B isn’t something that you particularly set out to use it immediately, but it’s there as a back-up should any of your risks materialise in ways that you didn’t expect or new risks come along that took everyone by surprise (non-planned risks)
How to do it: Agree tolerances and contingency with your sponsor before the project starts. Talk about what additional funding you can secure to deal with unforeseen issues and how you will access them when the time comes.
Risks and Opportunities: Are Risks Always Negative?
Risk management isn’t just about avoiding potential roadblocks. A negative risk is a threat, but a risk can be positive and considered an opportunity so instead of mitigating or avoiding, you will want to exploit or enhance. A good example is the risk of having too many visitors on your new website on the day of the launch. Having lots of visits is positive, so it is not a threat unless it is poorly planned and can crash the server, so you have to take it into consideration.
You may want to enhance the risk by for example planning a marketing blast to attract even more visitors or by exploiting or using cloud hosting that can adapt resource accordingly. You could simply accept and make sure the website simply displays a temporary message if too many people are visiting at once.
Risks can therefore be positive and come in the form of opportunities. Positive risks are as important to handle well as negative risks because they represent opportunities to deliver even more value to the client. It is when we challenge the status quo and find ways to continuously improve and innovate that we exploit opportunities. Consequently, positive risks can be managed in the same way that you would manage negative risk: record risks and the action plans that go with them, remember to allocate an owner to the risk, add a date that the risk was first noted and any follow up actions that happen. Build up your risk log with all this information, this is not a separate risk log for positive risk.
Top Risk Management Trends in 2018
Risk management continues to evolve every day. New threats, opportunities and drivers necessitate a different strategic approach than the challenges of yesteryear. The future may be tough to predict, but there are signs of things to come in the risk management landscape in 2018:
1. Project Risk Management applies to all types of project
Assessing project risk can prevent projects from failure. It saves organizations potential, significant embarrassment as well as time and money. The trend in risk management is to apply it to all types of projects, whether managed through Waterfall, Agile or a Hybrid Project Management approach. While there may always be some unanticipated things that will occur, most of these, through sound risk management, can be managed, rather than reacted to.
2. Bringing Efficiency into Project Risk Management
Processes have sometimes been built without a clear view of what the desired state is in project risk management. Consequently, potential benefits of project risk management tools remain under-utilised. Due to our risk averse nature, companies have perfected the art of defence by deploying various tools and methodologies for control & auditing, but are not so proficient in using project risk management as a tool to support rapid growth in uncertain times. An often-used example is that to drive fast one needs good & reliable brakes.
You can make use of efficient project risk management tools such as Microsoft Project for visualizing the critical path and Wrike or WorkZone, 2 other popular project management softwares, which offer more sophisticated visualization and planning capabilities that can help organisations to grow rapidly in successfully deploying their projects.
How to become Risk Management Masters?
In summary, far too many project managers treat risk management as a mechanical tick boxing exercise that ends up adding no value.
Risk management works best when all team members collaborate and share their knowledge and insight. When risks are analysed, planned and assigned in collaboration, not only does it improve the process, it also reinforces accountability and ownership.
To become risk management masters, we have to fully engage the team and create a risk-awareness culture were all risks are taken seriously, including people-related risks and positive risks.
Project managers sometimes assign themselves to most of the items in the risk register.
But that doesn’t leverage the team or create a shared sense of responsibility. It is important to have the courage to assign the right owners and to gain their buy-in and acceptance for fully managing a risk. In addition, we have to regularly take a step back, assess the overall risk profile of the project and take great care to communicate the most severe risks and the mitigating actions to the project’s steering committee.
About the author
Sandy Everaerts, has 19 years experience, and worked for leading companies in the Banking & Insurance sector. She has a background in both Business and IT as PMO, project manager & SCRUM Master.
4-lingual NL/ENG/FR/GER with a Master’s degree, relevant project management certifications Sandy joined Initio in 2017 as Senior Manager in charge of Competence Center Project, Change & Performance Management