Risk management incorporates multiple areas of concentration including risk mitigation, prevention and avoidance. Planning for risk in a project allows for the risks to influence the potential success of the project and allows the limited resources allocated to the project to go towards the deliverables and requirements as opposed to using the time and funding for pitfalls or roadblocks that could have been prevented or mitigated.
Planning for Risk
Building a project plan incorporates all three key areas of a project including, schedule, cost and quality. All three of the constraints play pivotal roles in the successful completion of the project (Dobson 2004). The project manager’s role is to ensure the successful implementation of the project and a part of that role is to utilize the appropriate tools and techniques to manage and lead project management activities. The development of the scope, estimation of the budget and monitoring and controlling of the schedule and resources are all key activities. Risk management tools can help manage key project management decisions and influence key decisions on what steps to take to implement the project tasks.
Risk management incorporates the identification, assessment and prioritization of risks and takes those results and establishes a mitigation plan to limit or negated the effects of the risk. The risk management process extends throughout the lifecycle of a project or circumstance and the root cause of those risks can stem from a multitude of sources. Risk mitigation or the management of the risks can be handled in just as many varied ways. The most common actions to reduce the risk exposure are to transfer the risk to another entity, avoid the risk altogether, reduce the probability of the occurrence or just accepting the risk (Alexander and Sheedy 2005). Depending on the goals and objectives of the implementation team there are different ways to handle the risk. There is a basic construct on how to analyze a risk and thus understand which risk assessment method would be appropriate.
The cycle of defining the risk involves first identification of the threat or risk. Once that is understood there is an analysis on the vulnerability to the assets or processes. Now we understand what the risk is and the potential negative ramifications but it must also be understood what the likelihood or probability of the risk occurring. With that information the assessment of the risk can occur and identification of the ways to reduce or eliminate the risk and then prioritize the mitigation measures based on the goals and objectives of the overall strategy.
The major function of a risk assessment is determining the potential loss caused by the risk and the probability of that occurrence happening. The risk assessment also takes into the population of people impacted by the risk. The risk assessment brings together the qualitative assumptions and uncertainties and incorporates a quantitative value to the overall risk. This allows the formulation of a hierarchy of potential impact of a risk. This could then be used to determine the cost and effort needed to mitigate those risks and based on the strategic outlook which risks that would be ultimately mitigated.
Qualitative risk tools involve a highly disciplined analysis of the process to fully understand the potential hazard or risk of a situation (Baranoff 2006). For each event there are ways to improve the probability of it not occurring or removing the risk. One example of this type of assessment is the FMEA or failure mode and effects analysis. This procedure analyzes each potential failure in the process/system and stratifies it by severity. This is fairly labor intensive and becomes exponentially more labor intensive as the project increases in scope. Each failure mode is denoted with the failure, probability, severity, impact and cost to mitigate. All of this is rolled up into the stratification of all of the risks and evaluated against budget constraints.
Another method of risk assessment is the tree based technique. This is used to evaluate in a qualitative and quantitative analysis. This builds a “what-if” scenario and traces back to a root cause of the potential hazard. This can illustrate a series of outcomes to specific scenarios and is highly useful when determining potential risks. This outlines the causal risks and the impacts those risks have on the project or incident.
The risk assessment that suits this project most effectively is a hybrid solution between the FMEA and the fault tree analysis. This is most applicable due to the fact that a detailed analysis will be required for specific scenarios dependent on the type of risks found. The quantitative analysis of the risk, probability, scope and cost will have a direct implication on the efforts afforded to mitigate those risks. The risk assessment tool will provide a fault tree analysis and denote risks through the lifecycle of the project. Risks that have a high probability or significant negative impact will have a full analysis completed. The risks will have mitigation plans associated with them.
Project and Risk Management
Even before the risk management models are used to assess the level, complexity and breadth of the risk there is also the project management methodology of how risk is managed in the project. This is dependent upon the size and complexity of the project. The level of effort to manage and analyze risk is directly proportional with the visibility and complexity of the project. If the project is small and not very complex the risk mitigation plan can be informal and managed through spreadsheets or notes. As the complexity and visibility increase there is a higher dependency upon structure and a systematic approach to the risk identification and mitigation. This allows for more visibility into the risk management techniques and allows for an additional level of accountability both from the project team to the sponsors but also across functional representatives that are working on the project.
As the project’s depth and breadth increase organizationally, the project manager will need to ensure that adequate attention is focused on the risk mitigation opportunities as well as the progress of the project. The models for risk management have their positives and negatives as mentioned before and it is a normal operating procedure to utilize all of the tools available to a project manager to provide as much usable data to make informed business decisions. The key points that the project management must manage include overall project risks including deviations in the triple constraints of resources, schedule and scope as well as the management of the contingency plans just in case something does deviate from the project plan.
While each model can be used exclusively it is all dependent upon the project in which the risks are being controlled. The variables of the project will determine which tools are necessary and which tools present too much of a cost or extraneous effort for the diminished returns they provide. This comes with the experience of the project manager as well as the best practices established by the project management office, organization and business culture.
Alexander, C., and Sheedy, E. (2005). The professional risk managers’ Handbook: A comprehensive guide to current theory and best practices. PRMIA Publications
Baranoff, H. (2006). Risk assessment; 1st edition. AICPCU.
Gorrod, M. (2004). Risk management systems : Technology trends (finance and capital markets). Basingstoke: Palgrave Macmillan.
Hutto, J. (2009). Risk management in law enforcement, applied research project. Texas State University. Retrieved from: http://ecommons.txstate.edu/arp/301/