As projects are, by definition, unique and temporary endeavors, risk is second nature to any project.
All projects must contain an element of risk, whether financial, schedule, contractual, environmental, etc.
Project risk management aims to bring the risk to a level acceptable to the project stakeholders and create a risk contingency under the different project management plans, including time and cost.
Why is Managing Project Risk Crucial?
Project risks can often be unnoticeable to the stakeholders. Without a thorough risk management process, risks could easily be missed.
That means the project would move into the execution phase carrying unknown risks, which, depending on their probability, can materialize and have a negative impact on the project outcome.
For example, if the project team does not consider the price inflation risk of goods during the planning phase, it could result in budget pressure and, most likely, cost overrun.
Or in construction projects, if the team does not consider the inclement weather risk, it could result in schedule delays and, consequently, cost overrun.
How to Manage Risk in Project Management?
There are four primary risk management processes:
1. Identifying the Risk
Project risk identification is best made by involving as many stakeholders as possible. One of the ways of doing so is by conducting risk workshops and getting the team’s input through brainstorming.
Developing risk categories is a good practice during the identification process, allowing it to be more structured. Some examples of risk categories are technical risk, external risk, project management risk, etc.
Within each category, sub-categories can be developed—for example, time, cost, and scope under project management.
At the end of the risk identification process, a risk register containing the identified risks would be generated and structured by the risk category.
2. Analyzing the Risk
Not all risks have the same threat level to the project. Now that we have gone through the risk identification, we need to sort project risks out by analyzing and rating them.
The two factors determining a risk rating are:
- Risk Probability: The likelihood that the risk event will eventuate.
- Risk Impact: The severity of the risk.
The risk rating is the product of the risk probability and the risk impact.
Risk Rating = Risk Probability × Risk Impact
For example, suppose there is a high probability that a new construction site contains contaminated material, and the impact of this risk on the cost and schedule would be extreme.
Multiplying the risk probability and impact using the four-by-four risk matrix below gives a high risk rating.
Probability / Impact Risk Matrix
Tip: to avoid stakeholder bias in evaluating the risk impact and probability, the organization should develop a reference defining each of the impact and probability ranges.
For example, a schedule delay of 1-3 days could be a low impact, whereas a schedule delay of 5-10 days is considered a high impact.
Similarly, a cost overrun of 3% of the budget could be low impact, whereas 15% would be severe.
The risk analysis process explained is referred to as qualitative risk analysis.
Depending on the organization and the size and scale of the project, quantitative risk analysis can also be performed, based on repeated iterations of a computational model. This technique is often referred to as Monte Carlo simulation.
The simulation draws random values from the range of each variable, for example, cost or duration, to generate a probability distribution curve.
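The Monte Carlo approach described above, shown as an added example that is not part of the original article: each iteration draws a random cost for every item from its range, adds the impact of any risk that triggers, and the sorted totals form the distribution from which a contingency is read. The cost ranges, risk probabilities and impacts, the triangular distribution and the 80% confidence level are all constructed assumptions.

```python
import random

# Constructed sample inputs (assumptions, not from the article).
# Cost items: (low, most likely, high). Risks: (probability, cost impact).
COST_ITEMS = {
    "earthworks": (90_000, 100_000, 140_000),
    "structure": (280_000, 300_000, 380_000),
    "fit_out": (140_000, 150_000, 190_000),
}
RISK_EVENTS = {
    "contaminated_material": (0.30, 80_000),
    "inclement_weather": (0.50, 25_000),
}

def simulate_total_costs(items, risks, iterations=20_000, seed=1):
    """Return the sorted total project cost of every simulated iteration."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    totals = []
    for _ in range(iterations):
        # One random value per cost item, drawn from its own range.
        total = sum(rng.triangular(low, high, mode)
                    for low, mode, high in items.values())
        # Each register risk triggers independently with its probability.
        total += sum(impact for prob, impact in risks.values()
                     if rng.random() < prob)
        totals.append(total)
    totals.sort()
    return totals

def percentile(sorted_values, p):
    """Value below which roughly p percent of the simulated outcomes fall."""
    index = min(len(sorted_values) - 1, int(p / 100 * len(sorted_values)))
    return sorted_values[index]

def base_estimate(items):
    """Sum of the most likely costs, i.e. the budget without contingency."""
    return sum(mode for _, mode, _ in items.values())

def contingency(items, risks, confidence=80, **kwargs):
    """Cost contingency needed to reach the chosen confidence level."""
    totals = simulate_total_costs(items, risks, **kwargs)
    return percentile(totals, confidence) - base_estimate(items)

if __name__ == "__main__":
    totals = simulate_total_costs(COST_ITEMS, RISK_EVENTS)
    print(f"Base estimate: {base_estimate(COST_ITEMS):,.0f}")
    for p in (50, 80, 95):
        print(f"P{p}: {percentile(totals, p):,.0f}")
    print(f"Contingency at P80: {contingency(COST_ITEMS, RISK_EVENTS):,.0f}")
```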
3. Plan Risk Response
In this step, we would have identified the risks and rated them. Now, we need to manage the risks.
According to the PMI PMBOK®, four strategies can be used to control threats or risks, as shown below:
3.1 Avoid
This strategy is based on avoiding the risk by not performing the work. This might not always be feasible, but it can be considered where it is an option.
If the project team thinks they are better off not performing a particular scope due to its risk, they shouldn’t perform it.
3.2 Transfer
Transferring the risk to another party is a widely used strategy that requires a good understanding of the contractual relationship between the client, the delivery organization, the supply chain, and all other parties involved in the project.
If the delivery organization identifies a high risk through the risk assessment process, they could transfer it to the client by qualifying it under the Contract.
For example, they could use a cost-plus arrangement instead of a fixed price to transfer the cost risk.
3.3 Mitigate
If the risk can’t be avoided or transferred, the next step is to mitigate it.
As the risk rating results from the risk probability and impact, the mitigation process aims to reduce the overall rating by lowering one or both of these factors.
For example, redundant systems can be used to reduce the probability of system failure.
Tip: in most cases, it is easier to reduce the risk probability than to reduce the risk impact.
After the mitigation measures are planned, the risk should be re-rated. The risk rating following the planned mitigation is defined as Residual Risk.
3.4 Accept
This is a last resort strategy once all other strategies are exhausted.
Accepting the residual risk following the mitigation goes hand in hand with creating the risk contingency. The contingency could be time, cost, or both.
4. Monitor and Control Risk
At this stage, the project team would have identified the risks, analyzed and rated them, planned a risk response based on one of the four strategies, and allowed for a risk contingency.
As the project moves into the execution phase, the team must monitor and control the risks. The reasons for that are:
1. New risks could surface as the project develops.
2. Risks could be triggered and require implementing the risk plan or applying the contingency.
3. Risks that do not materialize could be closed out in the risk register.
4. The risk contingency might need to be drawn from or topped up.
Generally, it is a good project management practice to update the risk register periodically during the execution phase of the project through the project close-out.
What Software is Used in Risk Management?
Several tools and software can be used in the risk management process. At the top of these are spreadsheets, given their ease of use and versatility.
Most risk registers and rating matrices can be created using MS Excel, Numbers, or Google Sheets.
However, specific software is needed for the repeated iterations of quantitative risk analysis. Oracle Primavera and Crystal Ball are good tools for that.