What is Risk Management? Processes of Risk Management


Risk Management - Overview

This article includes detail discussion about risk management and risk management processes including importance as well as its limitations. Practicing risk management, you will be able to decrease likelihood or impact of threats and increase likelihood or impact of opportunities.


    Risk management refers to the practice of identifying potential risks, analyzing those identified risks, implementing proper response to risk factors and monitoring risk on a project. Effective risk management always helps project manager & project team to manage and control future outcomes proactively and helps in achieving defined goals and objectives of the project. 


    What is Risk Management in project management?

    Risk management is the process of planning, identifying, analyzing, response planning, response implementation, monitoring and controlling risk or uncertainties on a project over its whole life cycle. Since, Risk Management should be conducted throughout life cycle of the project, it is also called as an ongoing and iterative process.

    Risk management department available in an organisation is responsible to identify risks, assessing each risk and creating risk response strategies. Risk management is a broad topic which plays major role for project's success. 

    What is Risk Management? Processes of Risk Management

    The main objectives of risk management are to increase the likelihood or impact of positive risks (opportunities) and to decrease the likelihood or impact of negative risks (threats). This objective play important role towards success of projects.

    Risk management strategies may vary on size and complexity of the projects. On large complex projects, risk management strategies generally include highly detailed planning for each risk to ensure mitigation strategies are in place if issues arise. For smaller simple kind of projects, meaning of risk management is to prioritize risk as low, medium and high priority risks. Generally, risk manager in collaboration with the project manager or other high-level oversight is responsible to drive risk management process.


    Define Risk and list out few sources of Risk?

    Risk can be defined as an event that has potential impact on schedule, budget, resource or overall performance of the project. Therefore, it can be said that risk is the main cause of uncertainty in any organisation. So, all organizations need to be focused on identifying and managing them before it impacts negatively on business.

    What is Risk Management? Processes of Risk Management

    Risks are the events that could occur, but no one knows when it will occur. It means risk are uncertain, so it needs vast preparation to manage them effectively. On the other hand, issues are certain to happen. Sources of risk can be either internal or external. Internal risks are in direct control of management and include noncompliance or information breaches among several others. On the other hand, external risks are not in direct control of the management and may include interest rates, potential issues, exchange rates etc.

    Sources of risks or threats may include strategic management errors, financial uncertainty, legal liabilities, accidents and natural disasters. The main aim of risk management is to identify and manage risks that are not addressed by other project management processes.


    What are the differences between Risks and Issues?

    Risks and issues are two different confusing terms used while we are going to discuss about risk management. But these two terms are as much simpler to understand. A risk is an event which is not happening currently. Means to say, risk is always planned. On the other hand, issue is an event which is happening currently and needs to be taken care of.
    Simply, we can say that, a risk when it occurs become an issue. Let’s start differentiating between risk and issues.
    Risks
    Issues
    A risk is an event that has no effect at present time but has some probability of occurring in future..
    An issue is an event that has already happened. 
    Risk has either positive or negative impact on objectives of the project.
    Issues has impacted or currently impacting the objectives of the project.
    We need to take either preventive action before or need to mitigate it after risk occurs.
    Appropriate corrective action needs to be implemented against issues.
    Risks has mostly negative impact and occasional positive impact
    Issues always have negative impact.
    Once risk is identified, it needs to prioritize, its impact should be analyzed, and the response plan should be prepared.
    Once the impact of issue is analyzed, the same should be resolved or escalated.
    Identified risks should be maintained in risk register.
    Issue log are used to keep records of issues.
    Example: Critical resource may resign during execution period of the project.
    Example: Critical resource resigned, effective immediately. No replacement was assigned yet.

    What are the common types of Risk Categories?

    Risk categorization provides idea to group individual project risks. Risk breakdown structure (RBS) is hierarchical representation of potential risk and is also known most effective way to structure risk.

    Project manager and team needs to decide acceptable range of risks for the projects. Critical risk cause vital harm on project’s success.

    The most common risk categories can be listed out as below:
    • Internal risk
    Schedule, cost, scope changes, inexperience team resources, issue with physical resources, etc.

    • External risk
    Competition, regulatory, environmental, facilities, government, legislation, market shifts, issues with project sites, etc.

    • Management risk
    Organization, communication, project management, program management, portfolio management, operation management, etc.

    • Technical risk
    Changes in technology, technical process & interfaces, definition of scope and requirements, assumption & constraints, etc.

    • Commercial risk
    Stability of customer, suppliers, vendors, subcontracts, contractual terms and conditions, procurement, etc.

    • Unforeseeable risk
    Small portion of risks (say about 10%) are unforeseeable.


    Why is Risk Management Important to projects?

    Risk management is an important practice or process of an organization which helps project manager and team to plan, identify, analyse, monitor and mitigate the risks present in the project environment.


    What is Risk Management? Processes of Risk Management

    Proper management of individual as well as overall risk play important role for success of projects. So, risk management is critical for any organization whether it’s large or small.
    Some important benefits of risk management include:
    • Helps to identify potential risks and provides proper idea to project manager for mitigation.
    • Helps to identify potential opportunities that may be hidden and provides idea to maximize it.
    • Helps in protecting business from heavy losses by establishing procedures to avoid potential threats and minimize their impact on business environment.
    • Helps organization to define objectives for the future by preventing losing direction if any of the risks suddenly occurs.
    • Helps to create secure work environment for all stakeholders in an organization.
    • Helps to protect both physical as well as team resources from any potential harm.
    • Helps organization to reach their goals and defined objectives for successful completion of projects.
    • Helps to identify and avoid the potential cost, schedule, and overall performance of the project, take appropriate approach to manage and respond to negative outcomes if they occur.


    What are the limitations of Risk Management?

    We all know that there are huge benefits of using risk management process in an organization, but it also has few limitations listed as below:
    • The risk management process is highly detailed, complex and time consuming.
    • The risk management process defines broad sets of risk categories in which identified risks are to be placed.
    • Risks evaluation process and its result are usually uncertain/ inaccurate.
    • It's difficult to fully understand the complete picture of cumulative risk.
    • Cost effective risk management process is quite difficult to generate. It may require gathering large amounts of data which can be somehow expensive, and it needs funds from organisation.
    • Proper training requires for the purpose of ensuring proper execution of risk management. Also highly trained personnel may require analyzing historical data for identifying risks.
    • For risk analysis, Simulation may require with the help of specific software programs which also requires expert trained personnel with comprehensive knowledge and skills


    What is Risk Management Process?

    Risk management process is a framework for the actions which reflects the dynamic nature of project work. A risk register is an important project document which is used to gather identified risks, risk analysis techniques, risk responses strategy, and to assign clear ownership of actions.
    As per PMBOK (Project management body of knowledge) guide sixth edition, there are seven basic steps of risk management which can be called as risk management process. It starts with plan risk management process and ends with monitor risk process. Let’s start describing each of the process in detail.


    What are the processes of Risk Management?

    There are seven steps of risk management processes. Let's describe one-by-one in detail:

     
    What is Risk Management? Processes of Risk Management

    1. Plan Risk Management


    Plan risk management process is first planning process of project risk management which defines proper way to conduct risk management activities for a project. It also includes time and resource required to perform risk management activities as per project’s requirement.

    Project manager needs to start this process once project is conceived and complete as earliest as possible. This process provides idea to project manager for categorizing risks, process for reassessing potential risks and definition of probability and impact of risk on the project.

    The output of this process is risk management plan which includes methodology for risk management, risk strategy, funding to perform activities, risk categories, timing for performing risk management activities, definition of probability and impact matrix, risk appetite of key stakeholders, risk activities tracking documents and formats of reporting. 

    This process is performed once in the project. Inputs, tools & techniques and outputs of this process is as below:

    Inputs
    Tools & Techniques
    Outputs
    Project charter
    Project management plan
    Stakeholder register
    Enterprise environmental factors
    Organizational process assets
    Expert Judgement
    Stakeholder analysis
    Meetings
    Risk management plan
      

    2. Identify Risks


    Identify risk is the second planning process of project risk management which helps to identify sources of individual as well as overall project risk. It provides appropriate information to project team for the purpose of responding to identified risk in proper manner to reach objectives of the project.

    This process is performed throughout the project. So, this process is also called iterative process. Sources of risks needs to be collected using methods described in the risk management plan. Project manager, sponsors, project team, SMEs, customers, other stakeholders, and risk management experts within the organization should be participated in risk identification activities.

    There are several types of risks that may arise during project handling. Few of them are technical risks, legal risks, management risks, environmental risks, commercial risks market risks, regulatory risks and external risks. Team needs to identify possible risk factors.

    The major output of this process are risk register and risk report. Inputs, tools & techniques and Outputs of this process as below:

    Inputs
    Tools & Techniques
    Outputs
    Project management plan
    Project documents
    Procurement documentation
    Agreements
    Enterprise environmental factors
    Organizational process assets
    Expert Judgement
    Data gathering
    Data analysis
    Interpersonal & team skills
    Prompt lists
    Meetings
    Risk register
    Risk report
    Project document updates


    3. Perform Qualitative Risk Analysis


    Perform qualitative risk analysis is the planning process of project risk management which involves proper prioritization of identified individual risks for further analysis by assessing their probability of occurrence and impact as well as other characteristics. This prioritization can be done into categories like low, medium and high risks.

    This process is most important because it helps to analyse the risks numerically and their effects on the objectives of the project if the risks occurs. At first, high priority risk needs to be more focused. Risk to the project can be categorized by sources of risks using risk breakdown structure (RBS).

    Most effective risk response can be developed by focusing on high risk exposure if grouping of risk into categories is done. This process is performed throughout the project. Inputs, tools & techniques and outputs of this process as below:

    Inputs
    Tools & Techniques
    Outputs
    Project management plan
    Project documents
    Enterprise environmental factors
    Organizational process assets
    Expert Judgement
    Data gathering
    Data analysis
    Interpersonal & team skills
    Risk categorization
    Data representation
    Meetings
    Project document updates


    Process 4: Perform Quantitative Risk Analysis


    Perform quantitative risk analysis is the process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives.

    This process uses information on individual project risks from perform qualitative risk analysis process and helps to quantify overall project risk in the project. This process generally needed for larger or complex projects and requires specialized risk software for analysis. It is performed throughout the project where this process is required.

    Highly trained personal needed who are having appropriate knowledge and experience on handling risk software and for developing risk models. This process requires additional time and fund.

    Qualitative risk analysis uses Monte Carlo analysis techniques for simulation. Simulation techniques uses cost estimates while running a Monte Carlo analysis for cost risk. Schedule network diagram and duration estimates are used while running a Monte Carlo analysis for schedule risk.

    Another data analysis technique used by this process is sensitivity analysis which helps to the risk having most potential impact on outcomes of the project. Display of sensitivity analysis is tornado diagram. Inputs, tools & techniques and outputs of this process as below:

    Inputs
    Tools & Techniques
    Outputs
    Project management plan
    Project documents
    Enterprise environmental factors
    Organizational process assets
    Expert Judgement
    Data gathering
    Data analysis
    Interpersonal & team skills
    Representation of uncertainty
    Project documents updates

    5. Plan Risk Responses


    Plan Risk Responses is the process which helps to reduce probability or impact of negative risk (threats) and increase chances of positive risks (opportunities) by developing options and selecting appropriate strategies. Effective risk responses have ability to minimize threats and maximize opportunities.

    This process also helps to identify proper methods to address individual as well as overall project risks. This process is performed throughout the project.

    PMBOK provides five strategies in order to deal with threats, opportunities and overall project risks:

    Five Strategies for threats or negative risk response
    There are five basic ways to handle threats.
    • Avoid
    Avoid means eliminating threats or its impacts from the project by removing its cause, extending project schedule, reducing scope or changing strategies.

    • Escalate
    Escalates a negative risks or threats to higher management when it is found that threat is outside of scope. Escalated risk need not to be monitored by project team.

    • Transfer
    Transferring threats to third party for managing the risk. Best examples of risk transfer are insurance for which certain premium amount needs to be paid by the organization to third party. Others can be performance bonds, guarantee, warranty etc.

    • Mitigate
    Action required to decrease probability and impact of threats. If you cannot avoid risk, you can mitigate it.

    • Accept
    Low threat can be accepted by the organization without any proactive action. This strategy can be used only if you cannot avoid, transfer or mitigate a risk. Acceptance can be either active or passive.

    The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the threat if it occurs. Contingency reserves are for “known unknowns” risks and part of cost baseline whereas management reserves are for “unknown unknown” risks and not part of the project cost baseline but included in the budget for the project.

    Passive acceptance requires no proactive action apart from periodic review of the threat to ensure that it does not change significantly.

    Five Strategies for opportunities or positive risk response
    Like as threats, there are five basic ways to handle opportunities.
    • Escalate
    Escalate strategy shift responsibility of managing the risk to higher management.

    • Exploit
    Exploit strategy ensures opportunities using internal resources. For example, sometimes project manager uses enough funds and assign best resources to get opportunities.

    • Share
    Share strategy is all about sharing ownership of an opportunity to third party. You might call in another company to share in it with you.

    • Enhance
    Enhance strategy increase likelihood or impact of positive risks or opportunities.

    • Accept
    Accept opportunities if it’s exists and document it, but do not take any action to realize it. Like as in strategy for threats, here also acceptance can be either active or passive.

    Strategies for overall project risks
    The project manager needs to know the techniques to respond overall project risks. Strategies for overall project risks are:
    • Avoid
    • Exploit
    • Transfer/ Share
    • Mitigate/ Enhance
    • Accept


    The project manager should also consider how to respond appropriately to the current level of overall project risk.

    Specific actions are developed to implement the agreed-upon risk response strategy, including primary and backup strategies, as necessary. A contingency plan (or fallback plan) can be developed for implementation if the selected strategy turns out not to be fully effective or if an accepted risk occurs.

    Secondary risks should also be identified. Secondary risks are risks that arise as a direct result of implementing a risk response. A contingency reserve is often allocated for time or cost. If developed, it may include identification of the conditions that trigger its use.

    Inputs
    Tools & Techniques
    Outputs
    Project management plan
    Project documents
    Enterprise environmental factors
    Organizational process assets
    Expert Judgement
    Data gathering
    Data analysis
    Interpersonal & team skills
    Strategies for opportunities
    Strategies for threats
    Strategies for overall project risk
    Contingent response strategies
    Decision making

    Project management plan updates
    Project documents updates
    Change requests

    6. Implement Risk Responses


    Implement risk response is the executive process which helps to implement agreed-upon risk response plans and risk owners hold the responsibilities of implementing risk response. This process is newly added in PMBOK guide sixth edition. Project documents are updated as a result of implement risk responses process.

    It is necessary to capture information to the lesson learned register about the behavior of the project while implementing risk response. Risk register and risk report are updated with information on response taken, describing details on how well the responses addresses the risk and suggesting changes to future risk response plans.

    Inputs, tools & techniques and Outputs of this process are as below:
    Inputs
    Tools & Techniques
    Outputs
    Project management plan
    Project documents
    Organizational process assets
    Expert Judgement
    Interpersonal & team skills
    Project management information system
    Project documents updates
    Change requests

    7. Monitor Risks


    Monitor risks process falls under monitoring and controlling process group. This process helps project manager and team to monitor implementation of risk response plans, tracking identified risks and evaluating risk process effectiveness throughout the project. 

    It also helps project manager to analyse effectiveness of risk management plan and record lesson learned for future risk events. Major outputs are Change requests and work performance information

    The Monitor Risks process includes below listed actions:

    • Monitors residual risks as well as occurrence of risk triggers.
    • Evaluate effectiveness of risk management plan as well as implemented risk responses.
    • Determines whether the project assumptions and project strategy are still valid.
    • Ensure policies & procedures of risk management are being followed.
    • Collect status of risks and timely communicate with stakeholders about it.
    • Update risk report, risk register, risk management plan as well as risk response plan.
    • Ensure that project manager is using appropriate risk management approach.
    • Adjust contingency and management reserves.

    Inputs, tools & techniques and Outputs of this process are as below:
    Inputs
    Tools & Techniques
    Outputs
    Project management plan
    Project documents
    Work performance data
    Work performance reports
    Data analysis
    Audits
    Meetings
    Work performance information
    Project management plan
    Project documents updates
    Change requests
    Organizational process assets updates


    What are the uses of Risk Management tools?


    Risk management tools are used for various important purpose, but it has major role in system engineering programs. Risk management tools come in many sizes and shapes based on requirements of the project.

    What is Risk Management? Processes of Risk Management

    Risk management tools helps project manager in following areas:

    • Supports implementation and execution of program risk management
    • Used for threat analysis which mainly focuses on identifying, prioritizing and analysing risks to achieve defined objectives of the project.
    • Used for budget risk analysis which tells us any affect seen on cost of the project by economical and technical risks.
    • Used for investment risk analysis which helps us to identify, analyse and prioritize investments and any possible alternatives taking risk in consideration.


    Which are the areas that overall Risk Management process should include?

    The overall risk management should include following principles or target areas:
    • Should be systematic, structured and integral part of the overall organizational process.
    • Should be clear, transparent and has capability to create value for an organization.
    • Should based on filtered available data and should be adaptable to change.
    • Should be tailored to the project and explicitly address any uncertainty.
    • Should be continuously monitored and follows decision making process of an organization.


    Conclusion

    Risk management helps project manager to be prepared by minimizing likelihood or impact of negative risks and maximizing likelihood and impact of positive risks. By implementing proper risk management process, an organization can save cost and protect their future. This article is also most beneficial for the candidates who are preparing for Project Management Professional (PMP) examination.

    Share your views/questions about this article in the comment box below which would be highly appreciated and of course, you can also contact me on my email id: [email protected]
    ------------------------------------------------------------------------------------------------------------
    Thank you for taking time reading this article.



    SHARE THIS
    Latest
    Next Post