Risks need to be managed. There is really nothing more to it than that.
But what does that entail?
Managing risk is simply the process of assessing risk and then developing strategies to manage that risk. Risks are usually managed through development of a plan to identify, analyse, and prioritize project risks and define risk response strategies.
Step-by-step, project risk management looks like this:
Step 1: Understand what type of risk you are dealing with.
According to the Project Management Institute (PMI), there are 4 types of risks:
Known knowns – the things on the project that you a pretty sure you know.
Known unknowns – the items that you know about that are risky. These are uncovered by discussing potential risks in risk workshops, brainstorming etc.
Unknown knowns – these are risks that you should be able to identify, but you don’t for whatever reason.
Unknown unknowns – these are the things you cannot foresee and you would have no reason to think they were potential risks.
Step 2: Document the risks
Once you know what risks are associated with your project, you need to document them in a log, commonly referred to as a Risk Register. This is a central document that will be reviewed and updated regularly throughout the life of the project.
Step 3: Prioritise the risks
Your next step in risk management will be to prioritise the risks based on two things:
- a) the probability of the event occurring, and
- b) the impact that it will have on your project.
If you want to get technical, this process is called Qualitative Risk Analysis (PMI©).
Here is an example. Your risk: resource A will not be available due to involvement in another project. The probability of that occurring is low. The impact that it will have on your project is high.
A nice tool to have on hand is a Probability Impact matrix, as below, as it can help plot risks on a matrix to give perspective on what are high impact risks. Our example risk of an unavailable resource will sit in the “high/low” section of the matrix.
If you need to know more about certain risks, bring in a second round of analysis – Quantitative Risk Analysis. One would perform this kind of deep-dive analysis on risks that have been prioritized by the Qualitative Risk Analysis process – as above – as potentially and substantially impacting the project’s competing demands.
What does it entail? It is simply a process of numerically analysing the effect of identified risks on the overall project objectives. While there are many tools and techniques that can be used to quantify risk impact, the simplest of them is the Expected Monetary Value. This associates a numerical value to each risk and multiplies the probability of the risk occurring. This allows you to “rank” risks according to their monetary value.
Applying this to our example, it could look like this: the probability of resource A not being available is low, pegged at 30%. The impact of that is however high, with an estimated value of $1million as it will delay the project for at least 6 weeks. The monetary value of this risk is therefore 30% x $1 million = $300,000. For the time being, this risk might be low on the ranking, but the moment the probability shoots up to 60%, the monetary effect will double to $600,000, and thus move the risk higher up in the ranking.
Step 4: Develop response strategies
Once you’ve ranked risks you need to developed response strategies on how to deal with them.
In general, strategies employed include
- a) transferring the risk to another party,
- b) avoiding the risk,
- c) reducing the negative effect of the risk, and
- d) accepting some or all of the consequences of a particular risk.
People tend to think of risks as only negative, but it’s important to note that risks can be positive and negative.
Step 5: Manage risks
With risk response strategies in place, what is left is arguable the most important step: managing the risks. That means that you will need to track your risks very carefully and update their status regularly. This should be done at least two weekly, as things can change quite quickly on projects.
The bottom line? Risks are an integral part of every project and require time and effort to identify and manage correctly. It is, however, time well spent.