Risk is to projects what gravity is to the world around us. Risk is inherent in the process of project management, whether we choose to recognize it or not. And like gravity, risk can be both beneficial and detrimental to our projects. A risk management plan can dramatically impact the outcome of your project.
What is risk management in project management?
Risk management is the process of mitigating the potential negative impact unforeseen events can have on a project's cost, timetable, or other resources. As risk is an unavoidable part of project management, it needs to be accounted for from start to finish on all projects.
All projects face risks. Risks can in large part be mitigated by taking the time to develop a project risk management process, which helps ensure threats have a limited effect on the project outcome while maximizing opportunities. A skilled project manager understands the potential effects that risks can have on their projects and manages them accordingly, ultimately improving the odds of project success.
Risk management occurs in 5 steps:
Risk response plan
From the start, you have to put a risk plan in place. Like all project planning, risk planning is done iteratively, and never at a single point in time. A project manager should document a risk management plan with a defined approach. This includes how risks will be identified and scored, along with how contingencies and their owners will be determined and assigned.
To forgo this exercise is to forgo risk management altogether. If project managers do nothing else for the benefit of their project with regard to risk, they should at least conduct a risk identification assessment.
To know which of the now-identified risks require subsequent management, the threats and opportunities must be analyzed. For our purposes, project risk analysis is done two ways: qualitative risk analysis and quantitative risk analysis. The latter is where a score or weight is assigned to each risk based on probability and potential impact, so it is known whether further management is necessary. This is put into a Risk Register (see example below). An integral part of project risk analysis is risk tolerance, as some risks may require no further action beyond their identification, while others, which may be more likely, will require a contingency plan of action.
Risk response plan
Risk response planning combines our efforts thus far into a viable risk response for each threat and opportunity we've identified as falling within the range of our risk tolerance threshold. Risk response planning increases the probability and/or impact of opportunities identified within the predetermined tolerance range of our risk register, and reduces the probability and/or impact of any threats.
There are four mitigation strategies to consider when developing a Risk Response Plan for both threats and opportunities.
Response to threats:
Avoid: change plans
Mitigate: reduce the probability and/or impact of the threat on the project
Transfer: assign the risk to someone else
Accept: do nothing
Response to opportunities:
Exploit: make the opportunity more likely
Enhance: increase the value of the opportunity to the project
Share: partner with someone who can capture the opportunity
Accept: do nothing
The last step is risk monitoring. The project manager monitors the risk register, executing on response plans, as well as documenting subsequent threats and opportunities as they become known throughout the project life cycle.
Risk planning is like any other project planning process, and is never really done until the project itself is complete; therefore, a project manager's risk monitoring is finished only when the project is complete.