Project Risk Management

Project risk management is an important aspect of project management. According to the Project Management Institute's PMBOK, “Risk Management” is one of the ten knowledge areas in which a project manager must be competent. Effective risk management in a project will considerably improve the chances of completing the project on time, within budget and with expected quality.

Risks are defined as “uncertain conditions, or events or situations, if they occur, they will impact either or all of the project objectives of time, cost and quality, in a positive or negative way.''

Hence risks are probable future conditions which may happen. Some of the conditions bring positive impact and are referred as “opportunities”, while some of the conditions have the potential to bring negative impact on the project and are referred as “threats”.

Thus, project risk management as per PMBOK guide, includes all the processes for identifying and analyzing the risk conditions, prioritizing them, developing risk responses, implementing the risk responses and monitoring risks through the project life cycle.

Risk management is a proactive process. Every risk condition will have a probability of occurrence and an impact associated with it. The team needs to identify all the risk conditions and analyze the probability and impact of each risk management to decide appropriate risk responses.

Risk management will focus on minimizing the impacts of threats and maximizing the impacts of opportunities.

Project Risk Management Processes

Following are the project risk management processes as per PMBOK guide:

1. Plan risk management -> Planning Process Group
2. Identify risks -> Planning Process Group
3. Perform qualitative risk analysis -> Planning Process Group
4. Perform quantitative risk analysis -> Planning Process Group
5. Plan risk responses -> Planning Process Group
6. Implement risk responses -> Executing Process Group
7. Monitor risks -> Monitoring Process Group

First the team develops an overall guideline for risk management in the form of a “Risk Management Plan”. The Risk Management Plan will contain all the required guidelines such as a methodology for risk management, budgeting for risk management, list of applicable categories of risks to be identified by the team, identified scale for assigning value to probability and impact for qualitative risk analysis, risk reporting formats etc.

Risk identification is the first major process. Risk identification requires a collaborative team effort wherein every team member, every stakeholder and if needed experts are invited and involved for the risk identification process. Risk conditions for all the applicable categories of risks and for all the work packages in the WBS are systematically identified by the team. And another important document called “Risk Register” is prepared. Risk Register will list down all the risk conditions diligently. Emphasis is given to identify both threats as well as opportunities.

One the risks are identified, the team now needs to assign values of probability and impact for each of the risk conditions already listed. A Qualitative Analysis Method is used first where the team starts assigning value from a preselected relative scale with limited values. For example a scale may have values such as “low, medium, high” or “1,2,3,4,5” or any other preselected scale with finite values. Upon assigning the values for probability and impact for each risk condition, the team then calculates the risk score, which is a simple multiplication of probability and impact of each risk condition. The risks are then prioritized based on their risk value or risk score.

A more rigorous quantitative analysis method may also be used for risk analysis if needed. Probability and impact of each risk condition is ascertained more mathematically and statistically. Impacts are calculated in terms of money. Monetary value of each risk condition, in this case, is calculated by multiplying the probability and impact. Quantitative analysis method is quite difficult and effort intensive process. Hence this process may not be applied in every project. Only in scenarios of high value and high risk projects, the team may take a conscious decision to quantitative analysis for some of the risk conditions. In this process, various tools and techniques such as Monte Carlo Simulation, Sensitivity Analysis, Expected Monetary Value and Decision Tree analysis are used.

Once risk analysis and risk prioritization is done, the team then starts to identify meaningful and practical risk responses for all the threats and opportunities. Some of the strategies for threats include, “Escalate, Avoid, Transfer, Mitigate and Accept” whereas some of the strategies for opportunities include, “Escalate, Exploit, Share, Enhance and Accept”. The team identifies appropriate strategy ensuring that they are practical, cost effective, timely and agreed upon by all.

The planned risk responses are implemented ensuring that the stakeholders are aware about all such responses and ensuring that they all wholeheartedly participate in the implementation of these responses.

The Risk Register document includes all the above information for all the risk conditions. The risks and the risk responses are continuously monitored throughout the project lifecycle thereafter. The risks are continuously re-assessed, new risks are identified, the effectiveness of risk responses audited, risk reserves are monitored throughout the project life cycle.

Conclusion

Project Risk Management is a very important function in project management. It is a proactive process to be carried out through the project life cycle.