Guide to the Risk Management Process


Could your projects use additional risk management?  Experts agree that it is one of the most underutilized areas of project management.  As project managers we like to think we know the primary risks to the project and that we have them under control.  But a small amount of risk management planning at the outset of every project generally reaps disproportionate dividends for most of us.

5 Steps to Risk Management

The risk management process involves five components:

  1. Planning for risk
  2. Identifying risks
  3. Analyzing risks
  4. Developing risk response strategies
  5. Monitoring and controlling risks

Good risk management is proactive, not reactive, and seeks to reduce the probability of an adverse event occurring as well as the magnitude of its impact.

Planning for Risk

The project manager should develop a written risk management strategy which includes the methods used to execute a project’s risk management plan.  This should be included as part of a larger project management plan.  The key to writing a good Risk Management Plan is to provide the necessary information so the project team knows the objectives, goals, tools and techniques, reporting, documentation, and communication roles and responsibilities.

Identifying Risks

Risk is a function of two components:

  • The Probability of occurrence
  • The Consequences (what’s at stake)

Project risks should be examined to a level of detail that permits an evaluator to understand the significance of the risk and its root causes and to potentially examine those root causes.  Surveys of customers, end users, and other stakeholders could be beneficial.  Some typical things that can happen to a project are:

  • Cost – the cost of the project is higher than forecast, or increases during the project (scope creep)
  • Schedule – customers or end users are not given the final product within the agreed upon time frame
  • Technical – performance objectives are not met
  • Feasibility – the product does not turn out to meet financial and/or business objectives.
  • Logistics – components do not arrive in time
  • Human Resources – project staff are not available, or lose availability
  • Production – concerns over packaging, manufacturing
  • Support – maintainability, operability, and trainability
  • Engineering – technical requirements for the product are too onerous, or not physically possible
  • Business – the financial metrics of the project change (demand slows, market prices change, etc.)
  • Contract – third party consultants/contractors/suppliers do not perform as anticipated, or did not interpret the contract the same way
  • Funding – the project cannot be funded to completion, or funding is removed part-way
  • Management – meddling in the project causes complications
  • Political – regulations change, or were not fully considered
  • Threat – Security, survivability, and vulnerability
  • Test – product tests are not set up correctly

Cost and Schedule risk are listed first as they are present on almost every project and often require significant project management resources.

Analyzing Risks

Risk analysis is the systematic process to estimate the level of risk for identified and approved risks.  Normally, this involves the creation of a risk matrix which quantifies the probability and consequence of the defined risks and a conversion to an overall risk level.

Risk analysis falls into two categories:

  1. Qualitative Analysis
  2. Quantitative Analysis

Qualitative Analysis

A commonly used qualitative risk analysis method involves risk scales for estimating probability of occurrence and a risk mapping matrix.  For each identified risk, a probability and a consequence are assigned in the form of letters A to E.  Each letter should be defined by a verbal description.  Then a risk mapping matrix is drawn up to categorize each risk.

Quantitative Analysis

Two primary methods exist in order to perform a quantitative risk analysis:

  1. Decision Tree Analysis
  2. Monte Carlo Analysis

In a decision tree, the various outcomes are analyzed according to probability to come up with overall probabilities of all of the possible permutations.

The Monte Carlo process is an attempt to create probability distributions for potential risks and randomly sample them to quantify the risk.  The process starts with a random number.  You must isolate the variable which contains the risk and calculate the other variables from it.  For example, if you are performing a Monte Carlo analysis on the schedule risk, you would define the critical path and create a spreadsheet column for each of the critical path tasks.  The first (leftmost) column is a random number, whose range you must predefine and which represents the actual duration of the activity.  All of the other tasks get calculated, and you can take a look at how often your completion date changes.
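The schedule simulation described above, written out as an added example (not part of the original article). The task names, the day ranges, the triangular distribution and the 72-day deadline are assumptions made for illustration:

```python
import random

# Constructed critical-path tasks (assumed values):
# (name, min_days, most_likely_days, max_days)
CRITICAL_PATH = [
    ("design", 8, 10, 15),
    ("procurement", 15, 20, 40),
    ("construction", 30, 35, 60),
    ("testing", 5, 7, 14),
]


def simulate_schedule(tasks, runs=10_000, seed=1):
    """Sample every task duration from its predefined range and return
    the sorted total project durations, one per simulated run."""
    rng = random.Random(seed)  # fixed seed so the analysis is repeatable
    totals = []
    for _ in range(runs):
        # Critical-path tasks run in sequence, so their durations add up.
        total = sum(rng.triangular(lo, hi, mode) for _, lo, mode, hi in tasks)
        totals.append(total)
    totals.sort()
    return totals


def probability_on_time(totals, deadline_days):
    """Fraction of simulated runs that finish by the deadline."""
    return sum(1 for t in totals if t <= deadline_days) / len(totals)


def percentile(totals, p):
    """Duration that p percent of the simulated runs finish within."""
    index = min(len(totals) - 1, int(p / 100 * len(totals)))
    return totals[index]


if __name__ == "__main__":
    totals = simulate_schedule(CRITICAL_PATH)
    planned = sum(mode for _, _, mode, _ in CRITICAL_PATH)  # 72 days
    print(f"Plan built from most-likely durations: {planned} days")
    print(f"Chance of meeting that plan: {probability_on_time(totals, planned):.1%}")
    for p in (50, 80, 95):
        print(f"P{p} completion: {percentile(totals, p):.1f} days")
```

Because each assumed range is skewed toward overruns, the plan built from the most-likely durations is met in only a small share of runs; the P80 or P95 figure is the more defensible commitment date.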

Developing Risk Response Strategies

In the Risk Management Plan (within the Project Management Plan) the most important risks should be identified and risk response strategies should be developed for them.  There are four ways to handle risk:

  1. Acceptance:  Also known as retention, the project manager or organization is willing to live with the risk without further mitigation.
  2. Avoidance:  The project can avoid the risk by removing whatever requirement caused it to appear.  The risk is sidestepped.
  3. Control:  Also called mitigation, this involves recognizing the risk is there and performing actions to minimize it, developing contingency plans in case the risk comes to pass, or developing fall-back provisions.
  4. Transfer:  Sharing of the risk with another party, or outright transfer.

Monitoring and Controlling Risks

The Risk Management Plan should also contain provisions to systematically track and evaluate the effectiveness of the risk response actions against established metrics.  Some techniques that can be used for monitoring and controlling risk:

  • Earned Value:  This method compares the value of work completed to date (earned) with the value of work supposed to be performed at that point in the schedule.  It is a technique to manage budget and schedule risk.
  • Program Metrics:  Formal, periodic performance assessments evaluating whether the risk management plan is achieving its objectives.
  • Technical Performance Measurement (TPM):  A way to measure the technical performance of a project and compare with the specifications required for project success.

Projects contain their fair share of risks.  Hopefully this has given you a good overview of the risk management process. Good luck in your projects and make sure you leave a comment below to let us know how your experience has been!

About Bernie Roseke, P.Eng., PMP

Bernie Roseke, P.Eng., PMP, is the president of Roseke Engineering. As a bridge engineer and project manager, he manages projects ranging from small, local bridges to multi-million dollar projects. He is also the technical brains behind ProjectEngineer, the online project management system for engineers. He is a licensed professional engineer, certified project manager, and six sigma black belt. He lives in Lethbridge, Alberta, Canada, with his wife and two kids.
