Managing Risk

Projects are by nature risky undertakings. The very fact that they are generally both time constrained and resource constrained means that there is little margin for error when planning a project. Unforeseen events can result in time lost or a drain on resources, either of which could be detrimental to planned outcomes. The complexity of the project itself presents us with a large number of variables to consider, many of which are unknown quantities at the outset and can at best only be estimated.

It is unlikely that we will be able to eliminate either the project constraints or the element of uncertainty. The only realistic course of action when considering potential risks is to try to anticipate what might happen and either reduce the chances of a risk occurring or formulate a plan to deal with it if and when it does occur. A proactive approach to risk management will increase your chances of completing the project on time and achieving all of the project's objectives.

The first step in any risk management process is to identify potential risks. This can be done in a number of ways. One method is to ask each project team member to write down ten possible risks. The results should be used to derive a master list, with any duplicates removed. Depending on how long the final list is, it may be necessary to shorten it to include only those risks that would have a significant impact or a reasonable probability of occurring.

Once you have a definitive list, you can carry out a risk assessment of each item on the list to determine its risk characteristics in more detail. The risk assessment looks at two things. The first is the probability of the risk occurring, and the second is the impact that it could have on the project. These factors can then be assessed using a risk matrix like the one shown below.

A simple risk management matrix

A simple risk management matrix

Both the impact of the risk and the probability of the risk occurring need to be assessed (in the example above, each factor is given a value on a scale of one to four). The risk matrix is then used to assign a level of priority to the risk. Note that if the probability is high but the impact is low, the risk is classed as having a medium priority level. If the probability is low but the impact is high, then the risk is assigned a high priority. This is an attempt to reflect the fact that a remote chance of a major problem is worthy of more consideration than a good chance of a minor inconvenience.

Once the priority level of each risk has been established, the next step is to determine a strategy to either minimise the likelihood of the risk occurring (risk avoidance), or to deal with the risk in an optimal way if it does occur (risk mitigation).

Risk avoidance is not always possible but could include simple measures such as finding an alternative supplier for critical materials in order to eliminate (as far as possible) the risk of not being able to get hold of the required materials because your original supplier has let you down. In an extreme case, it could even mean cancelling a project if all the indicators point to it being doomed to failure.

Risk mitigation usually means having a fallback plan that can be implemented should the risk occur, in order to reduce its negative impact on the project. This could entail modifying one or more of the project objectives to get around a shortfall in time or resources, or simply re-scheduling work to accommodate changes in personnel or unforeseen delays.

In some cases the decision may be to take no further action, if the impact to the project is likely to be minimal. Whatever strategy is devised for dealing with a risk, monitoring the status of the risk and carrying out the necessary actions should it occur will be the responsibility of the risk owner (the person assigned to manage the risk). In most cases this will be the project manager, although a risk could be assigned to any project team member.

We have talked about the need to identify and assess the risks that may affect a project, and to formulate a strategy to deal with each risk identified. The final element required for the effective management of risk is to put in place a system for monitoring the status of each risk identified throughout the project's implementation phase.

Each risk, the result of its risk assessment, and the actions to be taken in response to an occurrence of the risk, must be recorded as part of the risk management plan. The risk owner is tasked with reviewing the risk at frequent and regular intervals during implementation. The risk owner should ensure that he or she can recognise the warning signs that might signal an imminent occurrence of the risk, so that they can initiate a response in good time.