With each project comes risk and that’s where a risk management process comes in. Managing risk is something that all project managers are responsible for, both in terms of risk assessment and mitigation strategy. Risk assessment involves both identifying, analyzing and evaluation of the risk and its potential impact.
A risk mitigation plan is used to limit the potential damage capable and/or done by any given risk. Risk events can be defined as events that have a negative impact on the project. Identifying risk can be both a subjective and objective process, both creative and organized.
The creative side of this risk management process includes brainstorming all of the potential risks where the project could be impacted negatively. All ideas are accounted for in this phase, with the evaluation of the realistic risk possibility occurring later.
Risk Identification Process
A more detailed process uses checklists of potential risks and evaluating the chances of these risk events occurring during the project life cycle. Some organizations will develop their own risk identification checklists based on their past project experiences.
These checklists are useful for project teams and project managers in assessing immediate specific risks and expanding the casted net of potential risks of a project. The project experiences of an organization can often be a very valuable source of information and insight on identifying potential risks.
Understanding the course of risk is a deeper, effective method in identifying risk. Some examples of categories of how risk can be categorized are: technical, people, financial, contractual, environmental, etc.
The people category can be broken down and categorized further based on human involvement. For example, there is risk incurred with hiring of people without the necessary skill needed to complete the project, and the unexpected loss of key personnel on the project team.
Some organizations will use the same format for risk management as work task management, creating a “risk breakdown structure”, with a similar/same design as a work breakdown structure. However, a risk breakdown structure organizes the established work events into categories via table with increasing details for each event.
The result of this risk breakdown structure approach is a clearer idea of where the risks are most concentrated in the project. This approach helps the project team define the known risks but can be restricted and less creative in finding the unknown risk and risks harder to find within the work breakdown structure.
After the potential risks are established, the project team will then evaluate the risk based on probability of the risk event happening and potential loss that would occur with that risk event.
Risks are not equal, meaning some risks are significantly more likely to occur, and the risk of each risk event can vary largely. Evaluating the risk for probability and severity of potential loss is the next step in the risk management process.
A study was done in the construction industry that focused on the risk events and how to categorize various risks and risk types. From this study, the group deemed that “high-impact risk” were risk events that could increase project budget by 5% of the originally designed budget, or 2% of the detailed budget. Roughly 30% of risk events qualified to be in this category. However, these were the few potential risk events that had the attention of the project team as they developed a risk management plan.
Risk evaluation is about creating a firm understanding of which potential risks have the largest possibility of happening and which events can have the greatest negative impact on the project. These are often referred to as the “critical few”.
There is a direct, positive correlation that scales together, between project risks and project complexity. In other words, a project with new, upcoming technology and tools will have a high-complexity rating and a high risk to follow. The project team will assign the necessary resources to the technology managers to ensure they are able to complete the project goals. The increase in technology, the more resources are typically needed by the technology manager to complete these project goals. Additionally, each of these provided resources could also face an unexpected problem on their own.
Risk evaluation most often takes place in a workshop-type setting, where the project team and manager will shop ideas and details to get a general sense of the risk event. Using the previously established identification of the risks, each risk event will also undergo an analysis to determine the chances that it occurs and the potential cost if it does occur. The likelihood and impact are rated either high, medium or low. A risk mitigation plan will address the high-risk and high-impact risk events.
It is important to note that not all project managers will, or are required to perform a formal risk assessment of the project because there are barriers to identifying risk. One study on project managers, found that there was a low understanding of the tools and major benefits of a structured, formal risk management process and risk assessment. This lack of understanding and information was viewed as a barrier to creating and using an effective risk management plan. The amount of investment in formal risk management was also concluded to vary case-by-case based on project manager.
Some project managers are more hands-on than others, and will create their own detailed risk management plan for the project. On the other hand, some project managers will elect to be more reactive, and use their ability to handle unexpected events as they come without prior planning. Some project managers are risk averse, meaning that they prefer to choose optimism and not factor risk into the project and will avoid taking risks if they can be avoided.
For projects with low complexity profiles, the project manager can be more casual, and informally track risk events. However, on more complex projects and risk events, the project team and project manager may develop a more formal list of risk event items and track them during project review periods. For more complex projects, the evaluation process for risk events is much more formal with risk assessment meetings throughout the project life cycle to assess the risk events in different sections and times of the project.
On high-complexity projects, a third-party subject matter expert may be involved in the risk assessment process, and the risk management plan may be more involved and used during the execution phase of the project.
For complex projects, some project managers and teams will use a statistical model to evaluate risk since there are too many different possible combinations of risk that can occur which makes it nearly impossible to calculate them all one at a time.
One of the most commonly-used statistical models used on projects is the Monte Carlo simulation, which will simulate a possible group of outcomes by using each risk event’s likelihood.
The output produced by the Monte Carlo simulation gives the project manager and team the probability of the event occurring within a specific range and for combinations of events.
A simple example of this is, when the Monte Carlo Simulation will state that there is a 12% chance that one of five major equipment pieces will be delivered behind schedule and the weather will be an issue by the time all of the major parts are delivered.
After the existing risks are defined and analyzed, the project team is able to develop a risk mitigation plan, which is used to limit the impact of a risk event.
The factors used by the project team to mitigate risk are: risk avoidance, risk sharing, risk reduction, and risk transfer.
Each of these mitigation styles can be effective in reducing the risk of the project in different ways. The risk mitigation plan demonstrates the risk mitigation approach for all of the listed risk events and the actionable items for the project team for each risk event.
Risk avoidance will most often involve developing a different solution for a risk event, which usually has a higher probability of success but will also cost more to complete the task.
One of the more common techniques for risk avoidance is to use proven, existing technologies instead of developing a new technique even if new methods have proven to be the better selection and lower cost.
Using the methods that have proven effective in the past gives most project managers more confidence that they will be able to use these tools efficiently and have the desired results, even with the additional costs that occur with them.
For example, a project manager may choose a subcontractor who they have worked with before for a higher price than using another vendor with more advanced software capabilities and lower cost, simply because the project manager knows what they will get from the subcontractor they have a history with.
Risk sharing involves working with other people and groups to spread out responsibilities of risk events. Many project managers and firms who work on international projects will try to reduce their political, legal, and all other risk event types related to international projects by creating a joint venture with a local company in the country of the project.
Working with these local companies to share associated risk for parts of the project is attractive when the local country has expertise and experience that the project team does not have themselves. If the risk event does occur, the local partner absorbs some or all of the negative impact. This local group will also take some profit or benefit that stem from a successful project.
Risk reduction is simply the designation of project funds to reduce the risk on a project. In international project environments, firms will often work with the local government to ensure the guarantee of a currency rate to reduce the risk of fluctuation in the exchange rate.
Project managers will also often hire a third-party expert to review the technical plans or budget estimations on a project to gain confidence in the plan and reduce the risk of unexpected cost changes.
Designating highly-skilled project team members to manage only the high-risk activities is another popular method among project managers. Experts managing a high-risk activity can also often foresee issues to come and develop solutions that prevent the risk event from negatively impacting the project. Some project managers or firms will eliminate risk by handling human resources carefully, such as not having key executives and stakeholder/decision-makers travel together.
Risk transfer shifts the risk from the project away to another party. The most common example of this is purchasing insurance on certain tools and items used in a project. This transferred much risk of the project from the project team and stakeholders to the insurance company.
Different types of insurance may be purchased based on the environment and industry of the project. For example, a firm working near the coast of Florida may purchase hurricane insurance that would cover the cost of a hurricane impacting the project construction site. Insurance is mostly seen purchased for factors outside the control of the project team, such as weather, political impacts, and labor strikes.
Since the project management team is unable to control these events from happening, they will use insurance to cover themselves in the event that something happens.
The project management plan balances the impact of mitigation against the benefit of the project. The project manager and team will often find an alternative method for achieving project goals when a risk event has been identified and poses a legitimate threat to project success. This is what is known as a contingency plan.
A common example of this is avoiding a labor strike by using machines to complete many project tasks. Delayed materials can be mitigated by adjusting the project schedule to factor in the late delivery.
A contingency fund is money reserved by the project team to handle unexpected events that may increase project costs. Projects with more high-risk events will usually have a large contingency budget to cover these high-risk events.
Contingency is typically managed as one item in the project (or one lump sum), even though the project team will identify the various risk events and their potential impact on the project.
Some project managers will assign contingency budget funds to the risk events with the highest risk rather than developing one line item in the budget for all possible contingencies. This is useful for the project team as they are able to track how the contingency funds are spread out against the risk plan. This approach also makes the managers responsible for managing the risk budget and the different risk events.
The main negative to having contingency funds in one lump sum is that the availability of funding increases the use of these funds to solve problems, rather than finding alternative, less-expensive solutions. Most project managers will manage these contingency funds at a project level, meaning the project manager will give approval before any of the contingency funds are used.
All projects will come with some amount of risk, depending on the project complexity, environment and industry. Therefore, project managers and teams are tasked with preparing for these potential risks, and should develop a risk management process and plan to handling these risk events.
The first step in this risk management process is, identifying all of the potential risks of the project and their potential impact on the project. This is how the project team can begin to sort and prioritize these various risk events. The project team will then evaluate the risks and determine how impactful they are and how much planning the risk event will need.
There are many forms of risk management, including risk mitigation, risk avoidance, risk transfer, risk sharing, and risk reduction. Each of these approaches is effective for different scenarios, and project managers should know and understand when each method should be used.
Additionally, a contingency fund should be designated for the project, in order to manage risk events that occur unexpectedly. There are a few common ways that project managers will handle their contingency funds, with some having one large sum in the budget to be used on risk events. While others will split up the contingency reserve and record on the budget how much money went into mitigating each risk.