Project Risk Management Process Steps

Project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on at least one project objective, such as time, cost, scope, or quality (i.e., where the project time objective is to deliver in accordance with the agreed-upon schedule; where the project cost objective is to deliver within the agreed-upon cost; etc). A risk may have one or more causes and, if it occurs, one or more impacts. For example, a cause may be requiring an environmental permit to do work, or having limited personnel assigned to design the project. The risk event is that the permitting agency may take longer than planned to issue a permit, or the design personnel available and assigned may not be adequate for the activity. If either of these uncertain events occurs, there may be an impact on the project cost, schedule, or performance. Risk conditions could include aspects of the project’s or organization’s environment that may contribute to project risk, such as poor project management practices, lack of integrated management systems, concurrent multiple projects, or dependency on external participants who cannot be controlled.

Project risk has its origins in the uncertainty that is present in all projects. Known risks are those that have been identified and analyzed, and it may be possible to plan for those risks. Unknown risks cannot be managed proactively, and a prudent response by the project team can be to allocate general contingency against such risks, as well as against any known risks for which it may not be cost-effective or possible to develop a proactive response.

Organizations perceive risk as it relates to threats to project success, or to opportunities to enhance chances of project success. Risks that are threats to the project may be accepted if the risk is in balance with the reward that may be gained by taking the risk. For example, adopting a fast track schedule that may be overrun is a risk taken to achieve an earlier completion date. Risks that are opportunities, such as work acceleration that may be gained by assigning additional staff, may be pursued to benefit the project’s objectives.

Persons and, by extension, organizations have attitudes toward risk that affect both the accuracy of the perception of risk and the way they respond. Attitudes about risk should be made explicit wherever possible. A consistent approach to risk that meets the organization’s requirements should be developed for each project, and communication about risk and its handling should be open and honest. Risk responses reflect an organization’s perceived balance between risk-taking and risk- avoidance.

To be successful, the organization should be committed to addressing the management of risk proactively and consistently throughout the project.

Project Risk Management Process

Project Risk Management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control on a project; most of these processes are updated throughout the project. The objectives of Project Risk Management are to increase the probability and impact of positive events, and decrease the probability and impact of events adverse to the project. The Project Risk Management processes include the following:

  1. Risk Management Planning: deciding how to approach, plan, and execute the risk management activities for a project.
  2. Risk Identification: determining which risks might affect the project and documenting their characteristics.
  3. Qualitative Risk Analysis: prioritizing risks for subsequent further analysis or action by assessing and combining their probability of occurrence and impact.
  4. Quantitative Risk Analysis: numerically analyzing the effect on overall project objectives of identified risks.
  5. Risk Response Planning: developing options and actions to enhance opportunities, and to reduce threats to project objectives.
  6. Risk Monitoring and Control: tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, and evaluating their effectiveness throughout the project life cycle.

These processes interact with each other and with the processes in the other Project Management Knowledge Areas as well. Each process can involve effort from one or more persons or groups of persons based on the needs of the project. Each process occurs at least once in every project and occurs in one or more project phases, if the project is divided into phases. Although the processes are presented here as discrete elements with well-defined interfaces, in practice they may overlap and interact in ways not detailed here.

1. Risk Management Planning

Careful and explicit planning enhances the possibility of success of the five other risk management processes. Risk Management Planning is the process of deciding how to approach and conduct the risk management activities for a project. Planning of risk management processes is important to ensure that the level, type, and visibility of risk management are commensurate with both the risk and importance of the project to the organization, to provide sufficient resources and time for risk management activities, and to establish an agreed-upon basis for evaluating risks. The Risk Management Planning process should be completed early during project planning, since it is crucial to successfully performing the other processes described in this chapter.

2. Risk Identification

Risk Identification determines which risks might affect the project and documents their characteristics. Participants in risk identification activities can include the following, where appropriate: project manager, project team members, risk management team (if assigned), subject matter experts from outside the project team, customers, end users, other project managers, stakeholders, and risk management experts. While these personnel are often key participants for risk identification, all project personnel should be encouraged to identify risks.

Risk Identification is an iterative process because new risks may become known as the project progresses through its life cycle. The frequency of iteration and who participates in each cycle will vary from case to case. The project team should be involved in the process so that they can develop and maintain a sense of ownership of, and responsibility for, the risks and associated risk response actions. Stakeholders outside the project team may provide additional objective information. The Risk Identification process usually leads to the Qualitative Risk Analysis process. Alternatively, it can lead directly to the Quantitative Risk Analysis process when conducted by an experienced risk manager. On some occasions, simply the identification of a risk may suggest its response, and these should be recorded for further analysis and implementation in the Risk Response Planning process.

3. Qualitative Risk Analysis

Qualitative Risk Analysis includes methods for prioritizing the identified risks for further action, such as Quantitative Risk Analysis or Risk Response Planning. Organizations can improve the project’s performance effectively by focusing on high-priority risks. Qualitative Risk Analysis assesses the priority of identified risks using their probability of occurring, the corresponding impact on project objectives if the risks do occur, as well as other factors such as the time frame and risk tolerance of the project constraints of cost, schedule, scope, and quality.

Definitions of the levels of probability and impact, and expert interviewing, can help to correct biases that are often present in the data used in this process. The time criticality of risk-related actions may magnify the importance of a risk. An evaluation of the quality of the available information on project risks also helps understand the assessment of the risk’s importance to the project.

Qualitative Risk Analysis is usually a rapid and cost-effective means of establishing priorities for Risk Response Planning, and lays the foundation for Quantitative Risk Analysis, if this is required. Qualitative Risk Analysis should be revisited during the project’s life cycle to stay current with changes in the project risks. Qualitative Risk Analysis requires outputs of the Risk Management Planning and Risk Identification processes. This process can lead into Quantitative Risk Analysis or directly into Risk Response Planning.

4. Quantitative Risk Analysis

Quantitative Risk Analysis is performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting the project’s competing demands. The Quantitative Risk Analysis process analyzes the effect of those risk events and assigns a numerical rating to those risks. It also presents a quantitative approach to making decisions in the presence of uncertainty. This process uses techniques such as Monte Carlo simulation and decision tree analysis to:

  • Quantify the possible outcomes for the project and their probabilities
  • Assess the probability of achieving specific project objectives
  • Identify risks requiring the most attention by quantifying their relative contribution to overall project risk
  • Identify realistic and achievable cost, schedule, or scope targets, given the project risks
  • Determine the best project management decision when some conditions or outcomes are uncertain.

Quantitative Risk Analysis generally follows the Qualitative Risk Analysis process, although experienced risk managers sometimes perform it directly after Risk Identification. In some cases, Quantitative Risk Analysis may not be required to develop effective risk responses. Availability of time and budget, and the need for qualitative or quantitative statements about risk and impacts, will determine which method(s) to use on any particular project. Quantitative Risk Analysis should be repeated after Risk Response Planning, as well as part of Risk Monitoring and Control, to determine if the overall project risk has been satisfactorily decreased. Trends can indicate the need for more or less risk management action. It is an input to the Risk Response Planning process.

5. Risk Response Planning

Risk Response Planning is the process of developing options, and determining actions to enhance opportunities and reduce threats to the project’s objectives. It follows the Qualitative Risk Analysis and Quantitative Risk Analysis processes. It includes the identification and assignment of one or more persons (the ‘risk response owner’) to take responsibility for each agreed-to and funded risk response. Risk Response Planning addresses the risks by their priority, inserting resources and activities into the budget, schedule, and project management plan, as needed.

Planned risk responses must be appropriate to the significance of the risk, cost effective in meeting the challenge, timely, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person. Selecting the best risk response from several options is often required.

The Risk Response Planning section presents commonly used approaches to planning responses to the risks. Risks include threats and opportunities that can affect project success, and responses are discussed for each.

6. Risk Monitoring And Control

Planned risk responses that are included in the project management plan are executed during the life cycle of the project, but the project work should be continuously monitored for new and changing risks.

Risk Monitoring and Control is the process of identifying, analyzing, and planning for newly arising risks, keeping track of the identified risks and those on the watchlist, reanalyzing existing risks, monitoring trigger conditions for contingency plans, monitoring residual risks, and reviewing the execution of risk responses while evaluating their effectiveness. The Risk Monitoring and Control process applies techniques, such as variance and trend analysis, which require the use of performance data generated during project execution. Risk Monitoring and Control, as well as the other risk management processes, is an ongoing process for the life of the project. Other purposes of Risk Monitoring and Control are to determine if:

  • Project assumptions are still valid
  • Risk, as assessed, has changed from its prior state, with analysis of trends
  • Proper risk management policies and procedures are being followed
  • Contingency reserves of cost or schedule should be modified in line with the risks of the project.

Risk Monitoring and Control can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan. The risk response owner reports periodically to the project manager on the effectiveness of the plan, any unanticipated effects, and any mid-course correction needed to handle the risk appropriately. Risk Monitoring and Control also includes updating the organizational process assets, including project lessons-learned databases and risk management templates for the benefit of future projects.

Related Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *