Risk management process

The key elements of the continuous risk management process in projects include risk identification, risk assessment, risk response action and risk monitoring.

Important tasks and activities
The continuous risk process is NOT a task for the risk manager only. This is a bottom-up process in the project team where all team members contribute.

The process is initiated and followed up through project meetings. These meetings should be performed on a regular basis, at least before each status report.

0. Prepare
Before you start the continuous risk management process project it is recommended to carry out arrangements which involve and prepare as many project members as possible on possible upcoming threats (risks) and project potentials (opportunities).

It is recommended to use the risk checklist to give ideas and to discover different project risks and opportunities.

Examples of arrangements:

  • Kick-off meeting with focus on risk
  • Workshop with brainstorming sessions on risk

Risk responsible will normally be the project manager, but for large projects a risk manager has to be nominated by the project manager.

Other preparing tasks for the risk manager:

  • Take a look at similar projects to get ideas of possible risks or opportunities. Encourage and facilitate cross-learning trough similar projects for all the project members.
  • Set up an environment for risk management in the project.
  • Use the given tools as risk table, risk checklist and risk matrix.

1. Identify risks
The project team must continuously identify both the threats and opportunities that can affect the project objectives.

 

Each risk must be well defined and relate specifically to an undesired event (threat) or to a desired event (opportunity). Any new risks or issues should immediately be communicated to the risk manager

Risk identification must be an ongoing process and project members should be encouraged to openly communicate risks, not only in the meetings where risks are discussed.

Identified risks need to be described and registered. The risk register must be updated regularly as the project develops, and not just prior to passing each decision gate. Use the project risk table to register the identified risks. It is important to include potential project opportunities and not only project risks. Project opportunities have to be analysed and monitored in the same way as project risks.

For large projects with many registered risks it is recommended to group the risks into sub-groups.

2. Risk assessment
The purpose of the risk analysis is to gather information about identified risks. You can then use this information to rank the risks by weighting them with the factors probability and consequence.

 

Risk analysis is a continuous process conducted throughout the project life-cycle. As the project progresses the analysis for a risk event might change due to changes in the environment.

The project team evaluates all registered risks of current interest in regular risk meetings. This is called risk assessment, where project members evaluate/weight and rank project risks.

The outcome of the risk assessment is entered into the project risk table. The project risk table should be used actively by the risk manager throughout the project.

Once risks are identified and assessed, a specific set of actions needs to be taken to mitigate threats and pursue opportunities in the project.

Each risk is registered and managed under the responsibility of a risk owner. However various actions to efficiently mitigate risks can be delegated to other team members who then would be assigned the responsibility of action owner.

The risk status must be communicated to the steering committee in a risk matrix. The risk matrix is part of the status report which the steering committee receives on a regularly basis.

It is of great importance that the project team works continuously with the risks and gets all risks into the “green area” of the risk matrix.

Risk analysis includes:

Evaluating
Estimate the probability that a risk event will occur and the resulting consequences. Then you use these estimates to determine the severity of the risk to the project.

Prioritizing
After determining risk severity, you decide the order in which the risks require attention. The highest ranked risks or opportunities are reported to the steering committee.

Weighting of impacts and probabilities

Consequence/Impact

3. Risk response strategies
Once risks are identified and assessed, a specific set of actions needs to be taken to mitigate threats and pursue opportunities in the project.

Each risk is registered and managed under the responsibility of a risk owner. However various actions to efficiently mitigate this risk can be delegated to other team members who then would be assigned the responsibility of action owner. For each mitigating action a deadline (due date) must be specified. It will be the responsibility of the risk owner to secure that actions are completed on time.

Risk strategies (PMBOOK® Guide, chapter 11.5.2.1)

Strategies for negative risks or threats

1. Avoid: Risk avoidance involves changing the project management plan to eliminate the threat posed by an adverse risk, to isolate the project objectives from the risk’s impact, or to relax the objective that is in jeopardy, such as extending the schedule or reducing scope. Some risks that arise early in the project can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise.

2. Transfer: Risk transference requires shifting the negative impact of a threat, along with ownership of the response, to a third party. Transferring the risk simply gives another party responsibility for its management; it does not eliminate it. Transferring liability for risk is most effective in dealing with financial risk exposure. Risk transference nearly always involves payment of a risk premium to the party taking on the risk. Transference tools can be quite diverse and include, but are not limited to, the use of insurance, performance bonds, warranties, guarantees, etc. Contracts may be used to transfer liability for specified risks to another party. In many cases, use of a cost-type contract may transfer the cost risk to the buyer, while a fixed-price contract may transfer risk to the seller, if the project’s design is stable.

3. Mitigate: Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to an acceptable threshold. Taking early action to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred. Adopting less complex processes, conducting more tests, or choosing a more stable supplier are examples of mitigation actions. Mitigation may require prototype development to reduce the risk of scaling up from a bench-scale model of a process or product. Where it is not possible to reduce probability, a mitigation response might address the risk impact by targeting linkages that determine the severity. For example, designing redundancy into a subsystem may reduce the impact from a failure of the original component.

4. Accept: The project has decided to do nothing with the risk.

Strategies for positive risks or opportunities

1. Exploit: This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. This strategy seeks to eliminate the uncertainty associated with a particular upside risk by making the opportunity definitely happen. Directly exploiting responses include assigning more talented resources to the project to reduce the time to completion, or to provide better quality than originally planned.

2. Share: Sharing a positive risk involves allocating ownership to a third party who is best able to capture the opportunity for the benefit of the project. Examples of sharing actions include forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures, which can be established with the express purpose of managing opportunities.

3. Enhance: This strategy modifies the “size” of an opportunity by increasing probability and/or positive impacts, and by identifying and maximizing key drivers of these positive-impact risks. Seeking to facilitate or strengthen the cause of the opportunity, and proactively targeting and reinforcing its trigger conditions, might increase probability. Impact drivers can also be targeted, seeking to increase the project’s susceptibility to the opportunity.

4. Monitor and control
As a result of the risk assessment and suggested response actions, project plans must be updated.

Risk monitoring is the process of keeping track of the identified risks, monitoring residual risks, and evaluating their effectiveness in reducing risks. Status on risks, opportunities and response actions should be followed up and documented regularly in order to secure efficient and effective risk management control.

The risk manager should establish standard routines for monitoring and control to ensure that all identified actions are mitigated with regards to action responsibility and deadline.

Reporting system allows leadership to be aware of main risks as well as possibilities and enable control of the quality of work.

Documents