Risk Management and Project Risk

Whenever we undertake a project, risk is inevitable, since projects enable change, and whenever you have change, it introduces uncertainty and hence risk.

A risk is defined as an uncertain event which, should it occur, will have an effect on the project meeting its objectives. These uncertain events can be positive, in which case the event is called an Opportunity, or negative, in which case it is called a Threat. Both have the common thread of uncertainty.

When carrying out risk management, the purpose is to reduce the probability and impact of threats and to increase the probability of opportunities and/or their positive impact. It is helpful to consider that risk is “an event that may or may not occur in the future, but if it does occur it will have an impact on the project objectives”.

The Business Case will contain information weighing project cost and risk against the business benefits. Put simply, it shows whether the benefits are worth the aggregated project risk. If this is so, then the Business Case remains viable, desirable, and achievable. This one fact highlights the importance of proper risk management. Whenever a new risk is identified, an existing risk changes its characteristics, an issue is identified, or an important control point such as an end stage assessment is reached, the Business Case should be checked for viability, and this includes the aggregated value of all of the risks.

Effective risk management entails clearly identifying each risk, estimating it in terms of its probability and impact, and controlling it by taking appropriate action and ensuring such actions have, and continue to have, the desired effect.

Before getting into the details of risks, a project must determine the Risk Management Strategy, which describes how risk management will be both used and implemented within the project. The risk management strategy should include, amongst other aspects:
– particular tools and techniques to be used
– the responsibilities for risk management actions
– the procedure for risk management, such as Identify, Assess, Countermeasures/actions, implementation and communication.
– the scales to be used for calibrating and estimating probability and impact
– the reporting and timing of risk management activities, such as at the end of each project stage
– the risk categories to be defined, the action categories, definition of risk proximity, and risk trigger indicators.
– for contingency or fallback actions, a risk budget should also be agreed. This budget is used to pay for any such risk actions should they be needed.
– when using management by exception, the risk tolerance or “risk appetite” should be agreed between the project manager and the project board.

It is worth discussing that last bullet in more detail:

Tolerance is an allowable variation, typically of time and cost, that the project manager can “use” to allow for small deviations and estimating errors. Should the project or stage at any point be forecast to exceed this tolerance, the project manager must escalate the situation up to the next level of management, who need to make a decision on what to do next.

However, the tolerance used may be risk tolerance. In such a case, discussions should be had between the project board and project manager about how much risk can be tolerated (“risk appetite”). The escalation triggers may be factors such as particular risk impacts increasing beyond a particular value, or their probability increasing in the same way, or they may be risks under a particular category, such as those affecting corporate image.

The Risk Register should be created early in the project, and used to capture all details and the status of each risk identified. The project manager is responsible for ensuring that risks are managed properly, but there will be the need for risk owners for all risks, and these owners may be other people involved in the project. Each owner should be chosen as the best person to keep an eye on the risk. The owner may be the person required to implement risk action, or to act as a “forward scout” to report risk status back to the project manager.

The first step in the risk management procedure is to identify the risks, and this is normally done within a risk workshop. Another useful source of risk identification is to review lessons from previous projects. Yet more sources include organisational risk checklists, or the use of industry-wide checklists or tables.

Many people make the mistake of naming risks with a statement such as “there is a risk that the project may come in late”, but this is a mistake, because the statement is not naming the risk itself, but its impact. This is where “Fish-bone” or Ishikawa Diagrams can be useful in separating the risk event, its cause, and the effect (the risk impact).

It is helpful to consider that the source of the risk is called the risk cause (the potential trigger points for each risk), the risk event describes the area of uncertainty, and the risk effect describes the risk impact on the project objectives.

The next step is to estimate and evaluate each risk, and there are various estimation techniques that may be used:
– Probability trees. These are diagrammatic representations of possible risk events shown as linked rectangles, each with a probability and impact. When linked together, the aggregated value of project risk can be determined. These help the decision-makers to determine possible outcomes, and ensure suitable actions can be implemented.
– Expected value. This technique multiplies the cost of the risk impact by the probability of the risk occurring. For example, if the cost of a risk was £10,000, and the probability equal to 40%, then the expected value would be £4,000. Summing all of these expected values together will give the aggregated risk expected monetary value of the project. This is helpful in determining a potential Risk Budget.
– Pareto Analysis. This is often called the 80/20 rule, from the observation that 20% of the risks will have the most impact on a project, and allows management to focus their attention on managing and controlling those risks. It gives the best “Risk ROI”.
– The probability impact grid. This is a table with the vertical axis scaled in probability and the horizontal axis scaled in impact. Suitable scales are determined, typically running from very low, at 10% probability, through to very high, at between 70 and 90% probability. The impact scale usually covers from very low to very high. The grid is used to provide an assessment of the severity of a risk and so enable risks to be ranked such that management effort can be prioritised.
– The summary risk profile. This again is a grid of probability against impact, but instead of measuring the severity of each risk (probability times impact), it plots each risk as a number, much like a scatter diagram, so that the spread and severity of risks can be directly seen. For example, any risks which have a very high impact and probability would be seen as severe threats, and this will enable appropriate actions or countermeasures to be determined.

The next step is to plan the appropriate responses, both for threats and opportunities. There are many ways to describe such actions, but the following are most often used:

For Threats:
– Avoid. An action is planned for the project to do something different, such that the threat can no longer have an impact on the project and/or its probability is zero.
– Reduce. An action is planned to reduce the probability of the risk occurring, and/or to reduce the impact of the event should it occur.
– Fallback (often called Contingency). An action is planned but only implemented should the linked risk occur.
– Transfer. An action is planned that reduces the financial impact of the threat. Usually, the action is via some form of insurance, or an appropriate clause in a contract so that the other party bears the financial pain.
– Accept. This is the “take no action” option. The threat should still be continuously monitored to ensure that it remains tolerable. This action is often chosen because the risk has a low probability and/or a low impact, or because the costs and effort of any actions outweigh the severity of the threat.

Threat or Opportunity:
– Share. Often carried out within contracts using third parties, where a pain/gain formula is agreed should the threat or opportunity occur.

Opportunities:
– Exploit. Taking action to ensure that the opportunity will happen and that the positive impact will be realized.
– Enhance. Taking proactive actions which enhance the probability and/or the impact of the event.
– Reject. A decision taken not to exploit or enhance the opportunity.

All of the above actions are captured and entered within the risk register, and project or stage level plans have the above activities and resources added.

It is helpful to include the proximity for each risk. This is the time frame of the risk event occurring from the present day. This is helpful in focusing resources on actions for risks in the near future. But it is also helpful in determining when each risk event will occur, as this will have an effect on the severity of the impact.

Throughout a project, new risks can be identified, and existing risks can change their status. For this reason, risk management should be seen as an ongoing activity throughout the entire project. It should also be remembered that as issues arise, these can in themselves impact existing risks or cause new risks.

At the end of each stage of a project, the total risk situation needs to be calculated, and used as part of the data for management to make an informed decision as to whether to proceed with the project or not. At the end of a project, as part of closure, any outstanding risks which would have an impact on the end product’s operational life should be given a new owner, so that such risks can continue to be successfully managed and controlled.
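The expected value and Pareto techniques described above, worked through on a small risk register. This is an added example, not part of the original article; the `Risk` class, the function names and the register entries are constructed for illustration, apart from the £10,000 at 40% figure, which comes from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact_cost: int       # cost of the impact in pounds if the threat occurs
    probability_pct: int   # estimated probability of occurrence, 0-100

    @property
    def expected_value(self) -> float:
        """Expected value = cost of the impact x probability of occurrence."""
        return self.impact_cost * self.probability_pct / 100


def aggregate_emv(register):
    """Sum of all expected values: an input for sizing the Risk Budget."""
    return sum(r.expected_value for r in register)


def pareto_focus(register, share=0.8):
    """Smallest set of top-ranked risks that carries `share` of aggregate EMV."""
    total = aggregate_emv(register)
    ranked = sorted(register, key=lambda r: r.expected_value, reverse=True)
    focus, running = [], 0.0
    for risk in ranked:
        if total == 0 or running >= share * total:
            break
        focus.append(risk)
        running += risk.expected_value
    return focus


# Constructed sample register (threats only). The first entry uses the
# figures from the text: 10,000 pounds at 40% gives 4,000 pounds.
REGISTER = [
    Risk("Key supplier delivers late", 10_000, 40),
    Risk("Data migration fails", 50_000, 30),
    Risk("Lead developer leaves", 20_000, 10),
    Risk("Regulatory approval delayed", 80_000, 20),
    Risk("Test environment unavailable", 5_000, 50),
    Risk("Office move disrupts team", 2_000, 25),
]

if __name__ == "__main__":
    print(f"Aggregate expected monetary value: {aggregate_emv(REGISTER):,.0f}")
    for risk in pareto_focus(REGISTER):
        print(f"Focus: {risk.name} ({risk.expected_value:,.0f})")
```

In this constructed register, three of the six risks account for 87.5% of the aggregate expected value, which is where management attention would go first.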

Programme Risk Management

If you have approached your project or programme well, you will have developed a Risk Plan/Strategy document. Risk needs to be proactively managed, as opposed to allowing it to manage you and the environment around you.
Many people are afraid of risk management and some Project and Programme Managers are often reluctant to publicise risk to executive management. The reality is that things change, assumptions become false, expectations are not met and suddenly you can find yourself facing a very different looking environment. For a risk plan to really help (and play its role) it needs to be accompanied by a ‘proactive’ approach by applying Risk Avoidance, Transference, Mitigation and Acceptance.
Most well-run organisations will have risk managed at four distinct levels, which are:

Corporate or Strategic
To do this effectively, a framework for managing risk needs to be designed and implemented to address the following list of 9 hows:

how risks are identified;
how information about their probability and potential impact is addressed;
how risks are quantified;
how options to deal with them are identified;
how decisions on risk management are made;
how all these decisions are implemented;
how actions are evaluated for their effectiveness;
how appropriate communication mechanisms are set up and supported;
how stakeholders are engaged on an ongoing basis
But this is just the beginning. It’s all very well having a thorough framework documented and sitting pretty on the shelf with a tick in the box, but risk management needs to be instilled within the people of the organisation. A healthy culture of risk management needs to exist, and for this to happen, everyone involved needs help in appreciating and understanding risk within the organisation.

This often requires sponsorship from the top down, and if leaders at the corporate level understand this too, they will take the time to ensure that risk is taken seriously and subsequently managed well. Setting up a good risk culture is a real challenge and the UK OGC suggests that it involves at least the following:

strategic planning;
legal requirements;
agreements and contracts;
communication techniques and information management;
staff matters, including how staff can be motivated and involved;
education opportunities and continual professional development;
continuous improvement and/or analytical techniques;
how the organisation is monitored and evaluated;
resource management, including equal opportunities and delegation.
The subject of risk management is vast and if you need help with some guidelines for a framework, a great place to start is the OGC’s Guidelines for Managing Risk.

More detail can also be found in the following publications:
Managing Successful Programmes
OGC Management of Risk Guidelines
OGC’s Achieving Excellence Guides
Management of Risk : Practitioner guide
Some if not all of these can be purchased from the TSO in London.
If you need a list of generic pain points that risk management will address to support your case for better risk management within your organisation, you could start with these:

increased certainty and fewer surprises;
better service delivery;
more effective management of change;
more efficient use of resources;
better management at all levels through improved decision making;
reduced waste and fraud and better value for money;
management of contingent and maintenance activities.
To build your case, don’t forget the more specific pains that your organisation is already suffering.

I read an interesting article about risk and opportunity in the aerospace industry. Whilst PMBOK considers risk as both negative and positive, the folk in aerospace consider risk as negative and opportunity as positive. Good risk management is not about fear of failure, but removing barriers to success.
After all, project and programme management is success oriented, focused on producing products and services for customers. When the success orientation is combined with risk management, opportunity management emerges, which is the identification of opportunities to help attain project goals, and the identification and implementation of actions to capture those opportunities.
Below are the keys to success taken from a Space Risk Management Symposium. Whilst their view on risk is slightly different from others, the points are not rocket science and can help most people who are responsible for complex projects or programmes.

Sound risk and opportunity management cannot save a poorly planned program with bad processes;
Prevent the competition between risks and opportunities;
Prevent unhealthy competition between teams;
Risk and opportunity management provide diminishing returns if overused;
The costs of pursuing opportunities and managing risks must be weighed against the expected benefits;
An environment should be created to encourage risk and opportunity management;
Risks and opportunities are not just normal variations in plan;
Recognise the difference between risks and opportunities;
Opportunities are not ‘positive risks’.
No matter where you sit within the organisation, if you see that risk is not being appropriately addressed, take the initiative, pluck up the courage and set out to facilitate some change. Remember that managing risk is the alternative to being managed by risk.