Before we start to talk about managing risks, it is worth providing a brief overview. We tend to associate risks with mistakes in projects. In fact, risks are events or future conditions that have some likelihood of occurring and may impact a project. The impact can be negative, when the risk is a threat, or positive, when the risk represents an opportunity. Either way, mapping and managing risks is fundamental to the success of a project. However, this is not yet the reality at many companies. A study from the Project Management Institute (PMI) shows that a significant number of them have still not adopted risk management practices.
Source: Pulse of the Profession 2018 (PMI)
The same PMI study found that among projects that failed, 29% traced their failure back to a failure to define risks and opportunities.
How to manage project risks
Managing risks means raising the probability or the impact of positive events, and lowering the chances of threats occurring or minimizing their consequences. This maximizes a project’s chance of success. Below we describe the seven fundamental processes for managing project risk.
1 – Plan management
You should start the risk planning process right at project conception and ideally finalize it before execution actually begins. This stage defines how project risk management activities will be handled. The aim is to ensure that the degree, type and visibility of risk management are aligned with the risks and with the project’s importance. A typical risk management plan contains the following elements:
Describe the general approach to risk management for the specific project.
Define tools and data sources that should be used to manage risks.
Roles and responsibilities
Determine the risk management leader and other team members and the responsibilities of each person.
Identify the origin of funding needed for risk management activities. Criteria are also established for the use of contingency reserves.
Determine how often risk management activities will be executed during the project lifecycle. In addition, define risk management activities to be included in the project timeline.
Identify how to group project risks. One common way to do this is by creating a hierarchical structure under which possible sources of risks are classified. PMBOK, a guide published by the Project Management Institute (PMI), suggests using a Risk Breakdown Structure (RBS), as shown in the figure below:
Example of a Risk Breakdown Structure (RBS)
Stakeholders’ appetite for risk
The appetite for risk of the main stakeholders should be noted, stating the limits of measurable risks. This will determine the acceptable level of exposure to the project’s general risk and will be used to define probability and impacts to be used in evaluating and prioritizing project risks.
Definition of the probability and impact of risks
Probability and impact levels are directly associated with the appetite for risk that the organization and stakeholders have. The project can have specific definitions of probability that can be derived from the organization’s own general definitions. The figure below shows one example of definitions of probability and impact related to goals for the project’s cost, deadline and performance. They can help in assessing threats (delays, additional costs and under-performance), as well as opportunities (reduced time or cost and improved performance).
Example of definitions for probability and impact
Probability and impact matrix
The rules for prioritizing risk can be those defined by the organization, and adapted to the project in question. Risks with a positive impact are included in a matrix along with threats, allowing the probability-impact of each risk to be calculated.
Example of a Probability and Impact Matrix
Describe the content and format to be used to register as well as communicate risks. Reports serve to show stakeholders how risk management is being conducted, along with evidence of analyses and any actions that have been necessary.
Define how activities related to risks will be documented and audited.
2 – Identification of risks
At this stage, the risks inherent to the project and the sources of potential risk are individually and formally identified. The project team and its manager should actively work to survey threats and opportunities that could affect the project. Customers, specialists, end users and other stakeholders should also be involved in identifying project risks.
A standard format should be adopted for identifying and keeping records on risks, ensuring complete understanding by those involved so that they can support specification and identification of responses to the risks listed. This is an iterative process that lasts during the entire project lifecycle, since new risks can emerge and the general level of risk can also change. At the end of this stage, there should be:
- A list of identified risks
- Possible responsible parties for each risk
- A list of responses to risks
3 – Qualitative Risk Analysis
Qualitative risk analysis is useful for organizing risks according to their probability of occurring and their impact on project results. This is a subjective process, so some partiality in the analysis is normal. Whenever possible, use a third party as a facilitator to separate out any biases that appear.
4 – Quantitative Risk Analysis
Quantitative risk analysis means numerically assessing the effects that these risks can have on project objectives. It also helps in identifying the risks that will demand more attention. Monte Carlo analysis is normally used, simulating the combined effects of project risks to assess possible impacts. When evaluating risks that involve costs, for instance, project estimates are considered from optimistic, probable, and pessimistic perspectives. With this information in hand, the probability of each scenario occurring is calculated, so that effective responses can be built. For example, suppose that a project’s total cost is estimated (most likely scenario) at R$ 500,000.00. By performing a quantitative risk analysis, the following types of conclusions can be reached:
- There is just a 25% chance of the project being finalized within a budget of R$ 500,000.00
- On the other hand, there is just a 10% chance of the cost exceeding R$ 600,000.00
Once you have information like this, problems can be anticipated and actions can be implemented to mitigate them.
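The kind of Monte Carlo cost analysis described above, as an added example that is not part of the original article. The work packages, their three-point estimates and the triangular distribution are constructed assumptions; only the R$ 500,000.00 base estimate and the R$ 600,000.00 threshold come from the text.

```python
import random

# Constructed three-point cost estimates in R$ (optimistic, most likely, pessimistic).
# The most-likely values sum to 500,000, matching the article's base estimate.
WORK_PACKAGES = {
    "design":      (70_000, 80_000, 110_000),
    "development": (180_000, 220_000, 320_000),
    "integration": (90_000, 120_000, 200_000),
    "rollout":     (60_000, 80_000, 130_000),
}


def simulate_total_costs(packages, trials=20_000, seed=2018):
    """Return a sorted list of simulated total project costs."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(trials):
        # Assumption: each package cost follows a triangular distribution.
        total = sum(rng.triangular(low, high, mode)
                    for low, mode, high in packages.values())
        totals.append(total)
    totals.sort()
    return totals


def prob_within(totals, budget):
    """Fraction of simulated runs whose total cost is at or below budget."""
    return sum(1 for t in totals if t <= budget) / len(totals)


def percentile(totals, p):
    """Cost not exceeded in p percent of runs (totals must be sorted)."""
    index = min(len(totals) - 1, int(len(totals) * p / 100))
    return totals[index]


if __name__ == "__main__":
    totals = simulate_total_costs(WORK_PACKAGES)
    print(f"P(cost <= 500,000) = {prob_within(totals, 500_000):.1%}")
    print(f"P(cost >  600,000) = {1 - prob_within(totals, 600_000):.1%}")
    print(f"P80 budget         = R$ {percentile(totals, 80):,.0f}")
```

Because the pessimistic estimates lie further from the most likely values than the optimistic ones, the simulated chance of staying within the sum of the most likely values is well below 50%.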
5 – Planning Responses to Risks
Having appropriate responses to risks can minimize negative impacts and maximize the chance of seizing opportunities. The opposite is also true. Taking inappropriate actions can worsen the bad effects of a threat or neutralize the gains that a positive risk would have.
PMI’s PMBOK guide proposes some strategies for dealing with threats and opportunities associated with projects:
Strategies for Threats
Escalate: a given threat should be escalated when it is outside of the project’s scope or the response needed is above the authority of the project’s management. The project manager can determine who should be notified, if the threat comes to fruition.
Prevent: this is used when the team will take actions to neutralize the effects of the threat against the project or even eliminate the risk. It is particularly important for high-probability and high-impact risks and can involve changes to the project’s management plan. For example, to prevent a certain risk from occurring, a decision can be made to postpone the project or reduce its scope.
Transfer: this normally involves passing responsibility for the impacts to third parties by contracting insurance and paying bonuses, bonds and guarantees.
Mitigate: this regards reducing the probability or impact of a threat. It can involve applying more tests or using less complex processes or even choosing more stable suppliers.
Accept: analyses can lead to the conclusion that no action will be taken because of the low priority or a lack of practical or economic feasibility. Even when the acceptance strategy is used, it is important to periodically review risk. This aims to identify significant changes that lead to changes in strategy.
Strategies for Opportunities
Escalate: even an opportunity can create effects that the team is unable to handle. Escalated opportunities can be managed at the program or portfolio level or even by involving other parts of the organization. The project manager can determine who will be notified and can communicate with the person or people about the opportunity’s emergence.
Exploit: the exploitation strategy is usually employed for high-priority risks with a positive effect, when the organization wants to ensure that their benefit is realized. In this type of strategy, the probability of occurrence is increased, with the goal of reaching a 100% chance.
Share: choosing a third party as being responsible for the opportunity is one option, sharing the benefits with this third party if the risk occurs. Typical cases of sharing involve partners, other teams or even a special purpose entity.
Enhance: used when you want to increase the chance of an opportunity occurring or leverage its impacts. The likelihood of an opportunity can be increased, leveraging its causes. Its benefits can also be increased, focusing on phenomena that influence its potential.
Accept: as is the case with threats, the conclusion can be reached that, because of an opportunity’s low priority or unfavorable cost-benefit ratio, no action will be taken. Nevertheless, periodic review is recommended in order to verify changes to the nature or potential of the opportunity.
6 – Implementing Responses to Risks
Remember that risk management is not just about identifying risks and creating responses. It is fundamental that those responsible are aware of the responses to risks and take the actions necessary to implement them. Adjustments to the timeline, review of costs and other elements listed in the response planning stage must be implemented. Keep in mind that the appropriate requests for change should be made, according to the project management plan.
7 – Monitoring Risks
Good risk management depends directly on constant monitoring and oversight of how the project’s general and specific risk conditions evolve. You should execute this process throughout the project’s entire lifecycle. It provides support for decision-making based on updated information. One of the goals of this process is to keep the team and other stakeholders abreast of the current status of risk levels, for instance when new threats or opportunities emerge that are not in the risk list.
Managing project risk is not just a question of minimizing losses or acting proactively for a venture to succeed. It contributes to improving execution of activities, increasing visibility, facilitating communication and providing essential elements for lessons learned.