Project Risk Management

Project management is a complex set of processes and procedures performed to achieve features planned in the project. In other words, project management is a process of planning, initiating, executing and controlling a set of activities done in harmony to achieve functionalities of the project planned.

Risk in any unexpected or uncertain condition that can impact project negatively, a risk can affect resources, technology or anything involved in the project. Risk is not the bugs or issues in the project in fact it is something that can impact project in verity of ways, or in other words, risk is “potential” when it is identified and categorized it is translated to “issue”.

There are important characteristics associated with risk which needs to be considered and tracked include risk event, timings of risk, probability and impact.  Risk management is the process of identifying, analyzing, response, controlling and monitoring the risk that occur during the lifecycle of the project.

Since risks can occur throughout the lifecycle of the project, an effective risk management plan in their project hold key to success of the project. Risk management plan is more proactive than reactive, which means it is process of actively looking for potentials of risks rather than tackling which risk happens with natural progression of events.

Risk management cycle
Risk management cycle

The figure-1 is a high-level overview of risk management lifecycle, which consist of five steps risk identification, analysis, prioritization, treatment, monitor and control.

Risk Identification

Risk identification is the process of finding risks, the goal of this process is to identify as many risks as possible at early stages of the project. There are number of techniques can be used to identify risks these include but not limited to brainstorming sessions, talking to experience people, looking at the history of similar projects, looking at Work Breakdown Structure (WBS) documents, and conducting root-cause analysis of risk condition etc. Risk identification is something happens throughout the lifespan of the project and almost all status reports about the project includes risk identification as well.

The risk register is used to log and track the risks which is stored centrally within the organization. The risk management domains also play a very handy role in identifying risks, these include such as following figure.

Risk management domains
Risk management domains

Although risk identification can vary from project to project, but there are general guidelines or framework to identify risks in projects to make sure none of the risks is overlooked, risk sources and categorization are primary ways to group risk identification efforts.

Identifying risk source is an important tool to locate risk this includes number of steps such as finding risk repository of historical similar project and identify risks, questionnaire analysis this includes conducting the survey and asking project people to write down anything they think can be risk. Thirdly interviewing experts or experience people about asking what they think can be a risk.

Lastly the project documents are very good source of risk identification as well, these include status reports, project plan, and WBS etc. The second form is risk categorization, in which risks can be categorized into various categories such as technical, external, organizational and management risks.

Technical risks are related to technology, requirements and quality, external risks are related to customers, suppliers and market, organizational risks are related to budget and dependencies, and project management risks are related to project scheduling monitoring and control etc.

Risk Analysis

Once risks are identified risk analysis is the next step, in which it is analyzed based on various factors and quantified accordingly. The goal of this step is to analyze each risk and see how it is going to impact the project's outcome.

Project risks are analyzed qualitatively and quantitatively here, risks probability, impact and exposure are the three main things analyzed that this step.  

Risk probability is actually determines how probable it is for risk to occur, the probability table is used to measure the different levels such as High, Medium and Low, for example if the probability of risk occurrence is between 80%-100% it is categorized as High, while 30%-80% is considered as Medium and anything lower than that is can be listed as Low.

Risk impact is another key factor in this process, which is based on complex matrix, with four area cost, schedule, scope and quality, each one is assigned ranking A, B, C based on various quantitative measures etc. The outcome on risk impact is either Low, Medium or High impact tags associated with each risk. Risk exposure is another key metric calculated here, which is Cartesian Product (multiplication) of probability and impact.

Exposure is in the form of matrix with row as impact and columns as probability and the diagonal of matrix is exposure levels which are High-Exposure, Medium-Exposure and Low-Exposure, for example high probability and high impact is considered as high exposure.

Risk Prioritization

Risk prioritization is the process of ranking it up or down for taking action. All risk identified and analyzed earlier might have different priority and likelihood of the occurrence.

Risk time frame plays an important role in prioritizing risks, risk time frame is the expected time in which risk can turn into issue, it can be labeled as Near, Mid and Far; for example if risk is expected to happen in next month or so its near and if it is expected six months later than it can be considered as far.

Risk Exposure computed during analysis also the key factor of prioritizing risk as high exposure risks needs to be tackled first as compared to medium and low. Some risks need immediate attention while others don’t, risk severity is mechanism use to categorized risks based on priority.

The severity levels usually tagged as Critical, High, Medium and Low; severity levels are pretty much self-explanatory, for example in typical projects Critical is handled first followed by High, Medium and then at very last Low.

Project stakeholder's involvement is also important factor in risk prioritization, as each stakeholder might have different opinion about certain risks, project management makes sure that concerns of each party addressed properly before prioritizing the risks.

Risk Ownership

Project manager has the highest responsibility scale in the entire project, which means anything and very thing happened to the project ultimately goes to project manager.

When it comes to risk management, each risk can be assigned to different role other than project manager that then those people can report the status of risk to project manager.

The direct responsibility of each risk is different based on classification and categorization of the risk, risk owner is the one who drive risk resolution and report back to project manager.

The risk ownership can be determined with an example, the risks associated with project planning, schedule are assigned to project manager, while anything related to hardware or networks normally system administrator is responsible for, but the status still needs to be reported to project manager.

Risk trigger is a condition or event which initiate the risk, to assist risk owner risk triggers are also documented in the risk register which helps them better prepared for risks and their countermeasures.

Risk Response Plan

After risks are identified, each one of them needs to document response plan, the risk response plan is the process of declaring strategy to tackle the risk. The risk response plan is normally targeted to eliminate or mitigate the risk, the key goal however includes risk elimination, risk mitigation, risk probability reduction, and risk impact absorption.

The risk response plan normally required actions to tackle risks which impact project timing, cost, estimation and scheduling. Therefore, risk plan estimation needs to be accurate as much as possible to avoid derailing the project.

That is where effectiveness risk analysis and planning come into picture, the more precise these risk calculations are the more chances of handling the risks effectively and safely.

The effective risk plan request combination with stakeholders to accurately calculate time for risk countermeasures and based on the result of communication risk can be ranked higher or lower.

Risk Monitoring and Control

Finally, the risk monitoring and control is the process of continues monitoring the existing risks and looking for new ones as well as controlling them. Risk monitoring is a continuous and iterative process that goes throughout the lifecycle of risk management endeavor.

This phase of risk management focuses of four major area monitoring existing risks identified, identify new risks during the natural progression of events with project, classify or re-classify risks based on change in conditions and risk reporting. Identifying new risks is equally important as keeping track of existing ones, as new risk conditions may rise during the project.

Monitoring and re-assessing risks is another focused area of this phase which tacks identified risks and re-evaluate as necessary, and for long-running risks it manages the risk plan accordingly.

Some risks need to be reclassified based on various conditions and progressions happened in the project which might change the probability, exposure level or severity of some risks. Risk reporting and reviews needs to be done continuously to effectively keep track of the risk, the frequency of reporting depends upon update status meetings or any other collaboration meetings throughout the project.

Risk monitoring and control is continuous process when needs to be done throughout the lifespan project in order to effectively manage the risks.