Each of us takes risks everyday. Everything we do, from getting out of bed in the morning to returning there at night, carried risk. It is not surprising that projects, which are started to create unique service or product, attract many risks. Project risk management is concerned with identifying all the foreseeable risks, assessing the chance and severity of those risks, and then deciding what might be done to reduce their possible impact on the project.
Project risks can be predictable or completely unforeseeable. Risks could be technical, political, commercial, economic or operational in nature.
In this article, we will look at project risk management process. We will start with risk definition, followed by risk identification, planning, response and finally monitoring process. After reading this article, you should be comfortably able to carry out risk management on your project.
Definition of Project Risk
As per the PMI, the formal definition on risk is:
Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. A risk has a cause and, if it occurs, an impact.
Risk Management in Portfolios, Programs and Projects: A Practice guide
Each project risk has three essential factors:
- The Risk event
- The risk probability (how likely the risk will occur)
- The impact (amount at stake or what could potentially be lost or gained)
Risk can occur at any stage in a project. Some are associated with particular tasks and others originate from outside the project. However, not all risks are bad, and not all risks have negative impact. Theses risks are called as opportunities.
Generally speaking, a risk event that occurs late in a project can be more costly in terms of time and money than a similar event that occurs during the start of a project.
Project risks are different than the issues. A project risk is anything that could impact a project success. A project issue is anything that already has impacted a project success. A risk is future event, while an issue is past event that has already occurred.
The essence of risk management is to identify, analyse, and respond to risks that occur on a project. Good risk management practices help you bring your project to successful ending because you will have plans in place to deal with potential show stoppers before they occur. A good risk management practice also lets you to identify potential opportunities that may bring more business to your organisation, or new ways of performing the work of the project.
Identifying the project Risks
The risks can be threat or an opportunity. But if you don’t identify a risk, you won’t know that either exists. Why should you identify risks?
Risks can cause rework, which means that you have to go back and repeat some activities you have already completed. Rework involves schedule delays and additional costs, or both. If you use additional resources to correct the rework, you will incur additional costs because the extra time they are spending on your project prevents them from doing work on other projects. This will lead to schedule delays on the other projects as well.
Identifying the project risks is very important first step in project risk management
Types of Project Risks
All projects have risks, and several risks are common to all projects. Most project risks fall into three categories:
- known risks with predictable outcomes
- Unknown risks
- known risks with uncertain outcomes
Known risks are events that your project team know have the potential to occur, and they have predictable outcome. For e.g. if project construction site is situated in flood effected zone, which means there is potential risk of project site getting flooded by severe rains. This is known risk (we are working in flood effected area) with predictable outcome (construction site will experience inrush of flood waters)
However, in the same example, the amount of rain precipitation in the area is unknown until early weather warning systems predict its severity. So the preparedness required to deal with the storms is still unknown activity until weather system predicts its severity.
Obviously, there is not much to say about the unknown risk category. Since they are unknown, you can’t identify them up front or create specific plans in the event they will occur.
Common project Risks
One of the first places to start identifying risks is with the project’s known risks. Business risks are another area to consider when identifying risks. These include marketing concerns, timing of the product releases, and public perception.
Schedule risks
Schedule risks are the risks associated with the project schedule. The risks include vendor delays, equipment failures, rework due to lack of experienced resources on projects, stoppage of work due to weather or other forces of nature and so on.
Schedule risk also leads to delays, which can result in missed timelines and a loss of competitive advantage. Risks that occur to project schedule also have the potential to impact the project budget.
Budget Risks
Budget risk is the additional project costs that were not calculated. . Theses risks are associated with project cost overruns. If vendor delays, or equipment failure occurs, it may require additional budget to hire another vendor or purchase new equipment to expedite the shipment.
These risks are also due to poor budget planning, not managing resources correctly, inaccurate cost estimation, and scope creep.
Risks related to project success
Risks related to project success include:
- Lack of understanding of project goals by key stakeholders, project team, management team, and project manager. If understanding of project goals is not clear, project will not produce the results expected by the stakeholders, and therefor project will be unsuccessful. This could result into loss of business for your company or contractual issues that require legal interventions.
- Poorly defined scope will result into misdirection for the project team, leading to continual scope changes, missed deadlines, rework and increased cost.
- Not using standard project management practices could result into lack of communication regarding project activities, ultimately unsuccessful project.
Business Risks
The business risks include external economic conditions, fluctuation in raw material prices, new product demand in a market, increase in competition and so on.
Management risks are also related to business risks. Management risks that may pose risks to your project include changes in corporate strategic direction, reorganization of business units, layoffs and cutbacks, mergers and acquisitions, and budget restrictions.
Vendor delays and contract issues are another type of business risks. If you are relying on vendor to deliver critical equipment, then you should note the failure to deliver these items on time as a risk. Contract issues can also delay project schedules or impact the project budget.
External Project risks
External project risks include tings that are outside the control of the project team and the organisation itself. Political issues, legal issues, environmental issues, and social issues are few examples. If company decides to set up a power plant in poor African nation, then political instability in a region is one of the critical external project risk to look for.
Risk identification techniques
In this section, we will cover few techniques you can use to identify as many project risks as possible.
Historical Information
One of the first place you should start looking for risk is past projects. You can check project repositories and project documentation of a project that is similar in nature, scope and complexity.
Brainstorming
Brainstorming is a process in which project team members, subject matter experts, stakeholders, and anyone else who have the information or knowledge about the project meet together and list down the risks they see in this project. A facilitator documents the items on a list or a whiteboard, while the participants keep calling as they occur to them.
Each of the participant will come to the meeting thinking about the risks that may impact its particular function or area. When you bring all stakeholders together, they will all hear the risks the others are naming, which will bring to light new risks that they might not have thought about if they were doing it individually.
Interviewing
An interview is a question-and-answer session held with key stakeholders, team members, functional managers, subject-matter experts, and others who have an interest in the project or who have previous experience on projects similar to yours. These folks can tell you what risks are likely to occur on the project, based on their experiences with similar projects.
Checklist of common project risks
the most common project risks are those risks associated with project scope, cost and time. If you focus on these areas, you will probably discover a great many of the risks that affect your project.
I have created a checklist which will help you begin to identify risks for your project. The first column mentions the risk category, the next column briefly notes the impact of a risk. The last column is check off area where you can indicate that you have examined this risk category and documented a risk associated with it. You can download the risk checklist here.
This checklist acts as guideline to help you start thinking about risks and impacts. This checklist can be developed based on historical information. If you work on projects on a consistent basis that are similar in nature and scope, construct a checklist to help you identify risks on future projects.
Project Risk Analysis Techniques
In project risk management, we have both quantitative and qualitative risk analysis techniques. In this article we will look at quantitative risk analysis technique. This technique is widely used in the industry.Risk analysis takes into consideration the probability that the risk will occur and its impact if it does. The end result of this process is prioritized list of risks that you can use to determine which risks need response plans.
Risk probability and impact
Probability is the likelihood that an event will occur.
Probability is likelihood a risk event will occur, and it can be assigned using simple high-medium-low scale. Below table shows the example of risk probability chart.
Risk Number | Risk event | Probability |
R001 | Vendor will delay the dispatch of critical equipment | High |
R002 | Customer will reject the equipment during final inspection | Low |
R003 | Key resource on a project will be transferred to new project | Medium |
Risk 1 has high probability rank, which means this risk should have a response plan developed to avoid the risk or reduce its impact if it occurs. Risk 3 will also probably need a response plan. Risk 2 been a low risk, can be observed and may not need an immediate response plan.
You can also assign probability as a value. The probability that event will occur plus probability that event will not occur always equal to 100 percent, or 1.0. For e.g. if there is 40% probability of raining in this evening, then there is 60% probability of not raining in the evening, and total of both probabilities will equal to 100%, or 1.0.
Impact values can be assigned to risk in the same way as probability scores are assigned.You can use high-medium-low value to indicate the impact the risk event has on a project.
You can also develop Impact table, which will help you to rate the impact using high-medium-low scale like to the one shown below.
Rank | Value |
Very low | 0.05 |
Low | 0.20 |
Medium | 0.40 |
High | 0.60 |
Very High | 0.80 |
Any risk event with a combination of high probability and high impact should have a risk response plan developed to deal with the risk.
Probability Impact Matrix
You will put together probability and impact of each risk in a table called probability impact matrix. You multiply the probability score with the impact value to come up with the overall risk score. The higher the overall risk score, the higher the risk to the project. The following table shows an example of probability impact matrix
Risk Number | Risk | Probability | Impact | Risk score |
R001 | Vendor will delay the dispatch of critical equipment | 0.5 | 0.8 | 0.40 |
R002 | Customer will reject the equipment during final inspection | 0.1 | 0.8 | 0.08 |
R003 | Key resource on a project will be transferred to new project | 0.7 | 0.5 | 0.35 |
The risk management policies that your organisation has in place may define that all risks with overall risk scores greater than or equal to 0.30 need risk response plan. This means both risks 1 and 3 need risk response plans.
The matrix can be graphically shown as below:
Project Risk Register
When all the risks have been listed, assessed, and ranked it is time to consider preparing a risk register (or risk log). An example of risk register is shown below.
The risk register is comprehensive list of all the risks that may occur in a project. Here are some new terms used in risk register:
- Detection difficulty: Risk detection difficulty refers to the ability to identify and recognize potential risks or hazards before they lead to negative outcomes. It is a critical factor in risk management processes, as it influences how effectively an organization can monitor and respond to risks. You can give the risk difficulty rating on a scale of 1-3, with 1 being easy to detect and 3 being difficult to detect.
- Recommended risk mitigation or avoidance plan – This explains how to deal with a risk, if it occurs on a project.
Methods for dealing with project risks
when all risks have been identified, assessed and ranked it is time to consider the response plan should the risks occur. The resulting decision must be entered in two right hand columns of risk register.
There are range of options to deal with risks.
Avoid the risk
The only way to avoid a risk is to remove all the possible causes, which could even mean deciding not to do the project or a job. For e.g. if a project contract payment terms are such that it would lead to very high impact on project cash flow, the management may decide not to bid for the contract. This way the effect of risk exposure is eliminated.
Accept the Risk
This strategy is straightforward. Accepting a risk means you are also willing to accept the consequences of a risk. If the risk occurs, you would let risk take its course and see what happens. If and when risk does occur, you can implement an unplanned response to deal with a risk. For e.g. if project team member resigns and leaves the organisation, you will have to accept the risk and initiate a hiring process immediately.
Transfer the risk
Risk transfer is transferring the responsibility for the management of the risk event to third party. The classic example of risk transference in insurance. Your own car insurance policy is perfect example. The insurance company takes on the risk of paying for damages caused by an accident in exchange for money. If the project requires using specific technology or skill set, which your organisation does not have, you can hire a expert and outsource the work to him. This is another example of risk transfer.
Please note risk transfer always involves exchange of money. Therefor you should account this cost in project estimates.
Mitigate the risk
This strategy attempts to reduce the impact of risk event by reducing the probability of risk occurrence or reducing the impact of risk event to an acceptable level. For e.g. you can select your most skilled and experienced vendor to perform a job which is very critical for project success. This way you mitigate a impact of rework, rejections and schedule delays.
Escalate
Risks that require escalation are generally outside the boundaries of a project, or the risk response plan is beyond the authority of the project manager to implement and resolve.
It involves risk owner, a person responsible for monitoring and managing risks and implementing risk response plan. In case of escalations, risk owner could be a project sponsor or senior management person.
The risk owner is responsible for monitoring of the risk event, alerting the team if it occurs, and implementing the risk response plan. Once risk is escalated, it is no longer the responsibility of the project manager or project team and should be monitored and managed by the risk owner.
Exploit
When you exploit a risk event, you are looking for opportunities to ensure positive impacts. This response strategy is used when you have identified positive risks that you want to make certain will occur on the project. For e.g. exploiting risk include reducing the amount of time to complete the project by bringing on more qualified resources.
Share
Share strategy is similar to transferring because you will assign a risk to third party owner who is best able to bring about the opportunity the risk event presents. For e.g. forming a joint venture with design firm to capitalize on positive risk will make the most of the opportunities.
Summary
Risks exist on all projects. Don’t skip the risk management process, because not taking the time to identify and document risks could end up jeopardizing a project.
In this article, we defined risk, identified various types of risks. We then prioritize the risks by assigning a probability and impact rating to each risk.
Finally we learned some risk response strategies which can be implemented if the risks occur on a project.