Successful Risk Management Is An On-Going Iterative Process You Can’t Ignore
Risk management is often overlooked by new project managers, but it’s something that every successful project manager understands and pays close attention to. In this post, I describe the basic sequential–and iterative–process of managing project risks.
An easy way to understand risk management is to think of the process as a sequence of steps that need to be repeated over and over during the course of a project. The image above shows this process cycle, starting with the identification of risks that threaten the success of your project.
1. Identify Risks
In this first step of the risk management process, you and your project team identify as many potential risks, events, factors, and other items that threaten the success of your project. These are threats to the scope, quality, schedule, budget, personnel, procurements, and other things of importance. The goal of the first pass through this Identify Risks step is to create a master list of all potential risks to the project.
Multiple methods can be used to identify these risks, including team brainstorming, systematic methodologies, and examining what happened on other similar projects. It’s also often useful to seek the counsel of outside experts and other PMs who have managed similar projects to yours.
Risks identified should include programmatic, technical, external, corporate, and other types. I.e., these are not just one type, such as technical. Instead, the goal is to find all types of risks that threaten your project in any manner. Don’t worry about whether a potential risk is too small or unlikely to occur at this point; just write everything down.
Risks that are similar to each other are sometimes rolled up into single combined risks. High-level categories are then used to group individual identified risks together into broader logical areas. Frequently, these categories align with the higher level PBS or WBS areas of the project, but they may include other categories, too, such as stakeholders and general procurements.
The first time you perform this step should result in the creation of a preliminary risk register that contains all identified risks. Often this is created in a spreadsheet format. In future passes through the process cycle, new risks are identified during this repeated step, and are added to the risk register.
2. Analyze & Prioritize Risks
In this second step of the risk management process, an analysis of each identified risk from the previous step is performed by you and your team. This is done in two parts. The first analysis performed is qualitative in nature, and helps create an initial gut-level sorting or “triaging” of the list into a prioritized ranking. Then a more formal quantitative analysis is performed on the identified risks, starting with the higher priority risks, and then working down through the list.
A qualitative likelihood (i.e., probability) of each identified risk is estimated, such as “unlikely,” “moderately likely,” or “highly likely” to occur. This is a subjective analysis to initially just categorize each risk.
A qualitative assessment of the impact of each risk is also performed. This is essentially the “damage” that will result if the risk is triggered and becomes an actual issue. Typically, three subjective categories are used to categorize the impact of a risk, such as “minor impact,” “moderate impact,” or “major impact” impact.
The initial qualitative assessment of likelihood and impact are then plotted on a risk assessment matrix, which helps determine the overall “seriousness” of each identified risk. This step helps focus your attention on the more important risks that threaten your project, and not waste time or effort analyzing less important risks. For example, a risk that has a high probability of occurring, but a very low impact, probably has an overall lower seriousness than a risk with a medium probability risk and high impact.
Each risk element in the risk register is updated with this risk seriousness ranking. The risk register can then be sorted on this factor, allowing the project management team to focus its efforts appropriately in a prioritized manner.
Frequently, the more serious risks are analyzed further, with more objective quantitative evaluations of probability and impact. For example the expected cost impact of a risk can be estimated by multiplying its probability of occurrence by its impact.
Trigger dates for each risk in the risk register (or at least the more serious risks) are also identified and addd to the risk register.
In future iterations through the risk management process cycle, new identified risks are analyzed and prioritized during this step in an identical manner as the previously analyzed risks, and the risk register updated accordingly.
3. Plan Risk Responses
In this step, responses are developed for the various risks in the risk register. These responses are essentially the individual plan or plans that you and your team will implement to minimize the likelihood and/or impact of each significant risk. The threshold for developing formal responses is usually determined by way of the seriousness ranking of the individual risks.
For risks above a specific threshold, formal risk responses are developed by the project team. These responses usually employ one or more standard techniques, such as avoidance, mitigation, risk transfers (e.g., buying insurance), or just acceptance and monitoring of the risk.
There can be more than one response plan identified for each single risk. These responses might be applied in parallel or serve as backups to one another.
At this point, contingency reserve budgets are also often created (or at least informed) from the expected cost estimates in the risk register. Some projects use the risk register as a type of list of liens against the contingency budget to help ensure that adequate funds are available to address the more serious and/or costly risks.
All risk responses are included in the risk register.
4. Monitor Risks
Once the risk register is complete, the role of project management is to monitor the individual risks contained therein and update the register on a period basis and/or as new risks surface. It’s often very important to analyze and address serious risks as soon as they arise, immediately applying the appropriate risk response plan.
A regular schedule of systematically and formally reviewing the status of each risk in the register is implemented during this step. This evaluation includes assessments of probability, impacts, seriousness, trigger dates, and response plans. As projects evolve, it’s very easy to let the risk register “go stale” and assume that the state of the project’s risks last month or last quarter is still valid this month or quarter. This can be a dangerous attitude to take, and it’s suggested that you schedule regular formal and informal reviews of project risks.
Risks can be retired during this monitoring phase, often as a result of a trigger event or date occurring without the risk being realized. When this happens the risk in the risk register is often marked as retired and/or removed from the main page of the register.
5. Communicate with Stakeholders
A primary role of Project Management is communicating to key stakeholders the the status of project risks, their collective cost/schedule/quality/scope exposure, response plans, and the resolution of issues as they arise. As the project progresses, the communication step includes a description of changes and the addition and subtraction of new risks to the register.
6. Respond to Issues
If/when a risk is realized, it is no longer technically considered to be a “risk,” but instead is now referred to as an “issue.” In the diagram above, this is illustrated by the fact that the Respond to Issues step is technically outside of the Risk Management process; it is now an issue that the project needs to schedule/budget/plan-for. If appropriate, a previously identified response to that risk (or a variation of it) is implemented at this point.
Rinse and Repeat
A key aspect of this Risk Management process is its continuous nature. Said another way, once the initial risk register is created and in place, your job as project manager is not over– in fact, it’s just beginning. The secret to risk management success is repeating the steps of the cycle on a regular cadence, adding new risks as they arise, retiring expired risks, and continuously updating the risk register and communicating its status to stakeholders. The goal is to stay ahead of risks, before they overtake you and your project.
The Bottom Line
It’s vitally important that you identify, analyze & prioritize, and plan appropriate responses to project risks. Failing to do so is like an ostrich putting its head in the sand, hoping the dangers that threaten it pass by. Don’t be the ostrich project!
Like this post? Hate it? Have something to add? I encourage you to join the conversation in the comments box, below. You can also drop me a line if you prefer. I’d love to hear from you in either format. My email address is MarkHWarner@gmail.com or you can find me on LinkedIn.
MW | Tucson