Risk management is not a new concept but has been growing momentum as of late. Project managers are expected to know the risks inherent in their projects and give them the appropriate level of scrutiny.
Project risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.
When a risk event occurs, it is no longer uncertain. It becomes an issue.
There are two basic components of risk. The formula for risk is:
Risk = Probability x Impact
- Probability: The likelihood of an event happening.
- Impact: The potential impact of the event.
I will illustrate with an example. When you use the subway, you probably try to stay well away from the track and make sure you know what is behind you as the train is approaching. Being hit by a subway train is an event representing a high impact, but low probability. The mitigation actions that you perform are motivated by the potential impact. On the flip side, the probability of being burnt by spilled coffee is high, but the impact is low. You will probably also perform mitigation actions such as walking slowly, stopping for people walking by, etc., but the risk perception is driven by the high probability of it happening rather than the impact.
When the probability and impact are both high, it is an important risk which might need to be mitigated until it’s considered acceptable. For example, working on top of newly placed beams on a highrise building will probably not be considered feasible without the appropriate consideration of the falling risk, as well as the associated implementation of mitigation actions.
Risk and Contingency
Risk is essentially a contingency. Let’s say there is a 10% chance that a welder will be required to correct a deficient item, at a cost of $5,000. The risk is $500, but what exactly does this number mean? It means that if you put a contingency of $500 into the project, it will cover the risk of the welder over many identical projects. Of course, I know you will never have many identical projects but, statistically speaking, this is the ideal contingency.
All projects contain risk, by definition. It’s very existence means that somebody decided to pursue the project, therefore as a minimum the project has a risk that it does not accomplish its stated objective.
There is usually one or two primary risks inherent in the project. For example,
- designing a bridge that does not fail under the required loading.
- repairing a gas pipeline leak so that the leak is completely removed.
- building a fence that keeps the dog inside.
Generally, but not always, these will be high on the impact scale but low on probability, because the project was initiated with this goal in mind and accomplishing the primary goal of the project has already been considered.
Here’s another important concept though. It is not a worthwhile goal to attempt to eliminate all risks. Projects have risks by virtue of their existence, and project sponsors generally accept these risks. It’s more of a communication issue to ensure that they are aware that the risks have been considered and know that they have been dealt with appropriately when they occur.
Here’s an exciting concept. Preparing for a project’s risks is not complete without considering the opportunities that come up during project execution as well. Project risk management is not just concerned with risk, but opportunities, which are basically positive risks.
Project Risk Management
There are 3 steps involved in good project risk management:
- Identifying Risks
- Prioritizing Risks
- Developing Response Plans
To provide a solid risk management plan upon which the project can depend, the most important risks must first be identified. Some projects are inherently risky, like paving a busy freeway, or repairing an airplane engine. In this case risk analysis is an integral part of the project, but for any other project the same concept applies and thus identifying risks is important.
The most important thing during the identification phase is not the primary risks, which I talked about earlier, but the secondary risks. It is these which are usually the ones to trip up the project because they haven’t been considered and planned for in great detail.
After identifying the major risks, the next step is prioritizing them according to probability and impact. This quickly identifies which need more attention and which do not.
It does not matter what scale is used but 1-10 or High-medium-low work well. This is an excellent communication tool for project stakeholders who see that the risks have been considered and the appropriate amount of analysis given.
Often an overall prioritization is used as well.
Developing Response Plans
For the primary risks to the project, a response plan should be developed. This ensures that the appropriate consideration has been given to the factors that have resulted in the project’s initiation.
For every risk, there are 4 possible responses:
- Acceptance. There is no mitigation strategy. The risk is accepted as part of the project.
- Avoidance. The risk is avoided by changing the project scope, schedule, budget, or some other factor.
- Transfer. The risk is transferred to another party. This can involve changes to the project scope, or purchasing of insurance, using unit prices instead of lump sums, etc.
- Mitigation. Actions are taken to reduce the impact and/or probability of the risk.
Scale it to the Project
Obviously it is not possible to list all project risks. Maybe an airplane will crash into your office. (But since this is an article about calculating risk, let’s establish that an airplane crashing into your office is an event of high impact, but low probability. The probability of it happening might in fact be so low that it is not a meaningful overall risk to the project)
Creating a list of project risks not even so much for you, the project manager, as it is for the project sponsors, the initiators of the project, and other stakeholders. Without even knowing the specific circumstances of your project I can assure you that your stakeholders would be very happy with your work if you shared with them a prioritized list of risks and response plans. Better yet, after a risk event occurs you will get credit for even smallest consideration of it during the planning stage. Maybe you will get a raise, or secure some more work from the client.
Another way to look at it is that on megaprojects risk analysis is a major consideration, complete with risk workshops and thick response plan binders. The experts are doing it, so clearly it has value. Scale it down to the size required for your project, but make sure you harness its value.
How to Create a Risk Register
To create a full functioning risk register for a small project, perform the following tasks:
- Brainstorm and develop a list, in table form, using MS Word or an equivalent word processor.
- Create 3 columns, the first being “Risk”, the second “Probability”, and the third “Impact”
- Rank the probability and impact of each event on a scale of 1-10. Alternatively, you can specify a probability between 0% and 100% and an impact as a dollar value. But usually this is overkill, especially for small projects.
- Stop at a maximum of about 10 risks, or else it will become to onerous.