Risky Business: Five Steps to Project Risk Management
Risk is to projects what gravity is to the world around us. Risk is inherent in the process of project management, whether we choose to recognize it or not. And like gravity, risk can be both beneficial and detrimental to our projects. A skier uses gravity to propel himself down the slope, while understanding that the same force necessary for this propulsion can also cause great harm to the body and weaken confidence when a sudden and unexpected fall occurs. Like the skier, those of us involved in work management must understand that risk exists and can have both good and bad consequences for any project.
Step 1: Risk Planning. From the start, you have to put a risk plan in place. Like all project planning, risk planning is done iteratively, and never at a single point in time. A project manager should document a risk management plan with a defined approach. This includes how risks will be identified and scored, along with how contingencies and their owners will be determined and assigned.
Step 2: Risk Identification. To forgo this exercise is to forgo risk management altogether. If project managers do nothing else for the benefit of their project with regard to risk, they should at least conduct a risk identification assessment.
Step 3: Risk Analysis. In order to know which of the now-identified risks require subsequent management, analysis of the threats and opportunities is needed. For our purposes, project risk analysis is done two ways: qualitative risk analysis and quantitative risk analysis. The latter is where a score or weight is assigned to each risk based on probability and potential impact, so it is known whether further management is necessary. This is put into a Risk Register (see example below). An integral part of project risk analysis is risk tolerance, as some risks may require no further action beyond their identification, while others, which may be more likely, will require a contingency plan of action.
Step 4: Developing a Risk Response Plan. Risk response planning combines our efforts thus far into a viable risk response for each threat and opportunity we've identified as falling within the range of our risk tolerance threshold. Risk response planning increases the probability and/or impact of opportunities identified within the predetermined tolerance range of our risk register, and reduces the probability and/or impact of any threats.
There are four mitigation strategies to consider when developing a Risk Response Plan for both threats and opportunities.
Response to Threats:
- Avoid: change plans
- Mitigate: reduce the probability and/or impact of the threat on the project
- Transfer: assign the risk to someone else
- Accept: do nothing
Response to Opportunities:
- Exploit: make the opportunity more likely
- Enhance: increase the value of the opportunity to the project
- Share: partner with someone who can capture the opportunity
- Accept: do nothing
Step 5: Keep Tabs on Risk. The last step is risk monitoring. The project manager monitors the risk register, executing on response plans, as well as documenting subsequent threats and opportunities as they become known throughout the project life cycle.
Risk planning is like any other project planning process, and is never really done until the project itself is complete; therefore, a project manager's risk monitoring is finished only when the project is complete.
Conclusion
All projects face risks. Risks can in large part be mitigated by taking the time to develop a project risk management process to help ensure threats have a limited effect on the project outcome, while maximizing opportunities. A skilled project manager understands the potential effects that risks can have on their projects, and manages them accordingly, ultimately resulting in improved odds for project success.