Believe it or not, we think about risk management every day. Wearing your seatbelt before you start driving is a form of risk mitigation, as is buying home insurance.

This article will de-mystify the risk planning process and break it down into four separate stages.

So, let's begin with the story of Captain Edward A. Murphy, an engineer working on Air Force Project MX981 in 1949. He was in charge of a project measuring how much sudden deceleration a person could withstand. This project involved strapping an enlisted soldier to a chair with a rocket attached at the back—something you wouldn’t see today!

The rapid deceleration could reach up to 40G - Photo courtesy of USAF

After one of the experiments, it was found that a measuring transducer wasn’t connected properly. Incredulous, Murphy criticized the technician and said, “If there is any way to do it wrong, he will find it.”

Aerospace engineers picked up on the phrase, and it was adapted to be the well-known phrase, “If anything can go wrong it probably will.”

As this phrase is linked to projects, it is apt that we use it to identify their risky nature. The risk management process, along with the WBS, schedule, costings, and stakeholder engagement, is critical to project planning.

So now it's time to look at some definitions for risk.

The Project Management Body of Knowledge (PMBOK) defines risk as “…. an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”

A risk must have a trigger event, which is an event that causes the risk to occur. For example, going back to our seatbelt example, not putting on the seatbelt is a trigger event for a serious injury.

When a trigger event causes a risk to become real, then it is known as an issue.

When we think of risk, we often think of it in negative situations; however, there can also be positive risks. These are the opportunities that may eventuate if the risk were to occur.

For example, launching a new fashion line is risky. However, if the launch is successful, positive risks may flow from it, including increased brand recognition, revenue growth, and market expansion.

The risk management plan is a critical document that plays an important role in ensuring the success of any project or endeavor. Systematically identifying, assessing, and addressing potential risks enables organizations to anticipate challenges and proactively implement strategies to mitigate their impact.

This proactive approach not only minimizes the likelihood of negative events occurring but also enhances the organization's ability to respond effectively in case they do.

Your risk strategy is your approach to planning your organization's risk management.

Risk tolerance is the amount of risk and the potential impact of that risk that a project manager or key stakeholder is willing to accept.

The methodology describes the tools, data sources, and approaches that will be used to manage the project's risks.

A mitigation strategy is a plan or action that reduces the likelihood or impact of identified risks on a project or organization.

Risk Appetite is the amount of overall risk that a stakeholder is willing to accept.

Risk management is a four-step cycle

During the "Identify Risk" stage of risk planning, the primary focus is on recognizing potential threats and opportunities that could impact the project or organization.

This phase involves comprehensive brainstorming sessions, data analysis, and consultation with relevant stakeholders to gather insights into various risk factors.

Critical success factors include:

Early identification

Even though uncertainty is greatest at the start of the project, the cost of making changes is relatively low, so the earlier you begin the risk identification and management process, the better.

Comprehensive identification

A broad range of sources of risk should be considered to ensure that as many uncertainties as possible are identified.

Recurrent identification

Since not all risks can be identified at the start of the project, it is essential that risk identification continues throughout the project lifecycle. 

This should be programmed periodically, such as at key milestones or when significant change occurs.

Multiple perspectives

Engage as many stakeholders as possible in the risk identification process, including risk and subject matter experts. 

Limiting risk identification to the project team is unlikely to expose all foreseeable risks.

Recognise limits

Be prepared to challenge your assumptions – assumptions are risks in and of themselves!

To determine the priority of a risk, we multiply the likelihood of the risk occurring by the impact it may cause if it were to eventuate.

There are two ways for us to calculate this, through a qualitative or quantitative approach. As we are project managers and not statisticians we will focus on the qualitative approach.

Qualitative Approach

The qualitative approach to risk management can provide invaluable insights, helping the project team to achieve successful project outcomes. While quantitative methods provide numerical assessments of risks based on probability and impact, the qualitative approach drills deeper into the nature and context of risks.

It allows project teams to explore the nuances of each risk, considering factors such as root causes, potential triggers, and stakeholders' perceptions.

Even though there is still an element of subjectivity (and potential stakeholder argument) as to whether or not a risk may occur once every 10 or 25 projects, when consensus is achieved, what we mean by ‘possible’ or ‘likely’ is commonly understood by all.

It should finally be noted that the same risk will have different probabilities on different projects, and should be independently assessed. 

For example, there might only be a low probability of rain disrupting a one-week tennis tournament, whereas the probability of rain (the same cause) interfering with a 12-month construction project will be quite high.

For this reason, we can never perfectly copy and paste our risk analysis from one project to the next, a lesson that applies equally to our assessments of impact.

We approach the impact in a similar way, but this time, we identify what is impacted, and we assign a qualitative level of priority to it.

By multiplying probability by impact, we can now build a matrix that clearly shows the priority of our identified risks.

The discussion on risk prioritization wouldn’t be complete without considering the quantitative approach to measuring the probability and impact of a risk occurring.

This statistical approach includes:

  • Simulation - including the Monte Carlo simulation which is used to model the impact of uncertainty by simulating a large number of possible outcomes based on probabilistic inputs, providing a range of possible outcomes
  • Sensitivity Analysis
  • Decision Tree Analysis
  • Mean/Median/Mode
  • Regression/ANOVA
  • Three Point Estimates
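
An added example (not from the original article) that combines two items from the list above: three-point estimates feed a Monte Carlo simulation of total schedule duration. The task names, the estimates, the triangular distribution and the choice of the 80th percentile as a planning target are all assumptions made for illustration.

```python
import random
import statistics

# Constructed three-point estimates in days: (optimistic, most likely, pessimistic).
TASKS = {
    "design":  (8, 10, 16),
    "build":   (20, 25, 45),
    "testing": (5, 8, 20),
}

def simulate_durations(tasks, runs=20_000, seed=1):
    """Sample every task from a triangular distribution and sum each run."""
    rng = random.Random(seed)  # fixed seed so the result is repeatable
    totals = []
    for _ in range(runs):
        totals.append(sum(rng.triangular(low, high, mode)
                          for low, mode, high in tasks.values()))
    return sorted(totals)

def percentile(sorted_values, p):
    """Value below which roughly p percent of the simulated outcomes fall."""
    index = min(len(sorted_values) - 1, int(len(sorted_values) * p / 100))
    return sorted_values[index]

def summarize(tasks, runs=20_000, seed=1):
    """Compare the 'most likely' plan with the simulated range of outcomes."""
    totals = simulate_durations(tasks, runs, seed)
    baseline = sum(mode for _, mode, _ in tasks.values())
    p80 = percentile(totals, 80)
    return {
        "baseline": baseline,                      # plan built from most-likely values
        "mean": statistics.fmean(totals),
        "p50": percentile(totals, 50),
        "p80": p80,
        "on_time_probability": sum(t <= baseline for t in totals) / len(totals),
        "contingency_days": p80 - baseline,        # buffer needed to reach P80
    }

if __name__ == "__main__":
    for key, value in summarize(TASKS).items():
        print(f"{key:>20}: {value:.2f}")
```

Because the pessimistic estimates sit much further from the most likely value than the optimistic ones, the plan built from most-likely values is met in only a small share of the simulated runs. The simulation makes that gap visible where a single-point estimate does not.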

The terms risk appetite and risk tolerance refer to the degree of uncertainty someone is willing to accept, usually in anticipation of a reward. 

For example, fast-tracking a project’s schedule is a risk often taken to achieve the reward created by an earlier completion date.

The shading in our matrix above shows us the levels of risk tolerance that we are willing to accept. The risks identified with green shading show that we can tolerate those risks. The risks shaded in red, however, tell us that something needs to be done to reduce the risk.

Risk Responses

The purpose of a mitigation strategy is to lessen the value of probability or impact (or both) in order to move our risk down to a level that we are comfortable with.

An example of a mitigation strategy is the implementation of software updates and patches to address vulnerabilities and reduce the risk of cyberattacks and data breaches.
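
The prioritise-then-mitigate steps described above, worked through as an added example that is not part of the original article: each risk is scored as likelihood times impact, shaded by tolerance band, and re-scored after its planned mitigation. The 1-5 scales, the band thresholds, the risk names and the size of each reduction are assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 scales and band thresholds (not taken from the article's matrix).
AMBER_FROM, RED_FROM = 6, 15

@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    likelihood_cut: int = 0  # levels the planned mitigation is expected to remove
    impact_cut: int = 0

    def score(self, mitigated=False):
        """Priority = likelihood x impact, before or after mitigation."""
        likelihood, impact = self.likelihood, self.impact
        if mitigated:
            likelihood = max(1, likelihood - self.likelihood_cut)
            impact = max(1, impact - self.impact_cut)
        return likelihood * impact

def band(score):
    """Map a score to the matrix shading."""
    if score >= RED_FROM:
        return "red"
    return "amber" if score >= AMBER_FROM else "green"

def assess(register):
    """Rows of (name, inherent, band, residual, band), highest priority first."""
    ordered = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), band(r.score()),
             r.score(mitigated=True), band(r.score(mitigated=True)))
            for r in ordered]

def still_intolerable(register):
    """Risks that stay red even after their planned mitigation."""
    return [row[0] for row in assess(register) if row[4] == "red"]

# Constructed register for illustration only.
REGISTER = [
    Risk("Unpatched server exploited", 4, 5, likelihood_cut=2),  # regular patching
    Risk("Scope creep from late requirements", 5, 4, likelihood_cut=1),
    Risk("Key supplier delivers late", 3, 4, likelihood_cut=1),
    Risk("Site flooding", 1, 5),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

In this constructed register, patching moves the server risk from red to amber, while the scope-creep risk stays red and needs a stronger response.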

Contingency Reserves - The contingency reserve is an allocation of time or money to respond to the risks that were identified in the risk analysis process. 

Properly applied, contingency reserves:

  • Discourage project managers from padding estimates
  • Motivate them to perform comprehensive risk analyses, and
  • Give them the autonomy to respond to anticipated issues as they arise.

Management Reserves - For projects run as part of a program or portfolio, the management reserve is often a single pot of cash set aside to cover all of the projects in the group.

This general allocation decouples management reserves from individual projects, giving executives greater flexibility in responding to problems, especially across diverse projects where the risks are varied.

I have had the opportunity to view many project plans, many containing wonderful examples of beautifully shaded risk matrices. In many cases this is where the risk management finishes and risk isn’t thought about again!

I cannot emphasise enough that you should continue to monitor and track your identified risks throughout the life of the project.

Continue to monitor your risks. One slip and it could prove disastrous - Photo by Michael Shannon on Unsplash

You can do this by using a risk register, ideally stored in a centralised area where all project team members and highly important stakeholders can easily access it.

Want to delve deeper into the art of risk management? Check out OPEN, our online project management learning library.

Also, save yourself some time by taking advantage of our downloadable risk register template, a vital tool for any project.

This article was originally published on The Project Pulse - subscribe for more great content all about projects.
