Saturday, July 30, 2011

Project Risk Management



Risk management is a process that is rarely implemented within projects and indeed the wider business for that matter. This is surprising because a tight risk management process will save time and money for your project and is not hard to implement.

What is Risk?

We can clear up much of the uncertainty regarding risk management by setting a clear definition of a risk.

"A risk is an uncertain event or set of events that, should it occur, will have a negative or positive effect on project objectives."

Yes, that's correct, positive or negative! Risk is characterized by the word "uncertainty" which is by definition either positive or negative. This definition carries many advantages for the individual carrying out risk management. The main benefit is that negative risks can be counterbalanced by positive ones.

Risk Management Process

A well defined risk management process is the basis of world-class risk management. As a minimum it should involve the following:

  • Identify
  • Assess
  • Plan
  • Implement
  • Communicate

Identification of risk is vital. This is not an activity that the project manager should perform solo, rather the whole project management team should be involved on a continuous basis. This in turn requires that the project manager educates the team in the activity of risk identification. Many methods exist, but few are better than the brainstorming technique perhaps with a prompt list to encourage more diverse risk identification. With identification also comes capture - that is logging the risk in a risk register. Whether this risk log is paper based, an Excel spreadsheet or an Access database is up to the project manager, but some electronic basis is preferred by most project managers. Remember to use the format "There is a risk that CAUSE EVENT EFFECT" when writing risk descriptions. When logging the risk remember to identify an appropriate risk owner to monitor and report on the risk and the success or otherwise of any response actions.

Once the risk is identified and captured the next step is to assess it. Assessment of a risk should consider three factors that relate to the risk - impact, probability and proximity. Impact is the (usually financial) effect on the business whether positive or negative that the risk will produce should it happen. Probability is the likelihood of the risk occurring in the current project circumstance. Impact and probability can be measured in qualitative terms (eg. High, Medium, Low) or quantitative terms (eg. $1000, 10%). Proximity describes when the risk is likely to happen in the project life cycle (imminent, within the stage or phase, after the project) and helps the project management team to prioritize risk actions.

Now that the risk is identified and understood we can start to think about the responses that we might plan. The responses for a positive risk event can be categorized:

  • Exploit (eg. bulk discount deals)
  • Enhance (eg. paying more in the hope of earlier delivery)
  • Share (eg. joint venturing to win a contract that one party could not win alone)
  • Reject (eg. deciding not to try to win a new contractbecauseit will negatively affect current work)

Responses to negative risks can also be categorized:

  • Avoid (eg. do something differently to ensure that the risk cannot happen)
  • Reduce (eg. employ an expert to reduce the probability or impact of the risk occurring)
  • Transfer (eg. take out insurance against a flooding risk)
  • Share (eg. joint venture to spread risk among partners where risk is too great for any one party to bear)
  • Accept (eg. take no action against a low impact low probability risk - the action will cost more than the potential impact)

Now that the responses have been identified and categorized it is time to implement one or more of them. This may require some degree of replanning the stage, phase or even project depending on how drastic the response is. Senior management may want to be involved.

Lastly, communicate and involve the risk owner, risk actionee(s) and all interested parties at each stage of this process.

The risk management process detailed above should be defined at the start of the project in a Risk Management Plan which should be approved by senior management at that early part of the project. Many organisations have a standard risk management process guide that is used on all projects.

Further Information

For further information about risk management in projects, and project management in general, aPRINCE2 coursesis very useful. It will include training in all project management topics and certification exams. Most PRINCE2 courses are of 5 days duration although 3 day and 2 day courses are available depending on which certification level is required.

PRINCE2 is a Registered Trademark of the Office of Government Commerce in the United Kingdom and other countries.



No comments:

Post a Comment