- 27 September 2021
- PMO & Project Delivery
In Project Risk Management and the Elements of Risk Management Implementation, we looked at what risk management is and the essential elements for implementing risk management into your organization. In this article, we look at the process of risk management and how to identify, assess, and respond to project risks.
The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them.
The 4 essential steps of the Risk Management Process are:
- Identify the risk.
- Assess the risk.
- Treat the risk.
- Monitor and Report on the risk.
Step 1: Risk Identification
The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:
- Project milestones
- Financial trajectory of the project
- Project scope
These events can be listed in the risk matrix and later captured in the risk register.
A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics are necessary for a risk (or opportunity) to be valid.
In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined.
All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans are conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles.
Below are examples of tools to help identify R&O:
- Analysis of existing documentation
- Interviews with experts
- Conducting brainstorming meetings
- Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), cause trees, etc.
- Considering the lessons learned from R&Os encountered in previous projects
- Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS).
Step 2: Risk Assessment
There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities.
The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.
Evaluating occurrence probability (P):
This is determined preferably based on experience, the progress of the project, or else by speaking to a risk expert, and is on a scale of 1 to 99%.
For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload.
Evaluating impacts severity (I):
To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable.
The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I
The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first.
In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget.
For this, it is therefore necessary:
- To evaluate the additional costs incurred by financially reviewing:
- Hours of internal engineering
- Hours of subcontracting
- Additional work to do
- Amendments and/or claims made to contracts
- To calculate the cost of the undesired event’s consequences by adding these values.
This step will make it possible to estimate the need for additional budget for risks and opportunities of the project.
Step 3: Risk Treatment
In order to treat risks, an organization must first identify their strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible:
7 Risk Response Strategies
- Accept: Do not initiate any action but continue to monitor.
- Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
- Transfer/Share: Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
- Avoid/Exploit: Entirely eliminate uncertainty / take advantage of the opportunity.
Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report regularly to the risk manager, who must keep the risk register up to date.
Note: The cost of a risk mitigation plan must be integrated into the budget of the project.
When defining a treatment plan:
- Each action begins with an action verb and has a clear purpose.
- Each action has an actionee and a deadline.
- Actions that could generate costs must be tracked and considered in the project.
- For example: to reduce the risk of my car breaking down, a treatment plan could be to have it checked annually by a repair shop.
When does risk become an issue?
It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The Risk Manager must then inform the various project stakeholders who will relay that a risk has become an issue and transfer it to the issue log.
Step 4: Risk Monitoring and Reporting
Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency of this will depend on the criticality of risk/opp. By developing a monitoring and reporting structure it will ensure there are appropriate forums for escalation and that appropriate risk responses are being actioned.
In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.
We will go over both of these roles as well as additional roles within the Risk Management Team in more detail in our next article.
This article was written by: Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL.