Risk can be defined as uncertainty of outcome, whether positive opportunity or negative impact. Some amount of risk-taking is inevitable, whatever the project. There has to be a deliberate acceptance of some degree of risk because the value to the business makes it worthwhile. Project risk management includes the processes concerned about conducting risk management planning, identification, analysis (both qualitative and quantitative), responses, and monitoring and control on a project; most of these processes are updated throughout the project.
Risk management in projects involves identifying and assessing the risks in terms of impact and probability, establishing and maintaining a joint risk register, agreed by the integrated project team, establishing procedures for actively managing and monitoring risks throughout the project and during occupation on completion, ensuring that members of the team have the opportunity to engage in a dialogue that will promote agreement of an appropriate allocation of risk, updating risk information throughout the life of the project, ensuring control of risks by planning how risks are to be managed through the life of the project to contain them within acceptable limits, allocating responsibility for managing each risk with the party best able to do so. Management of risk is an ongoing process throughout the life of the project, as risks will be constantly changing. Risk management plans should be in place to deal quickly and effectively with risks if they arise.
Risks should be allocated to individual risk owners within the integrated project team, who should fully understand the risks for which they are responsible. The risks should be managed actively throughout the life of the project in accordance with a risk management plan which should deal with all risks, whether retained by the client or transferred to others in the integrated project team. The business case should include a time element and the risks of that changing should be kept constantly under review.
The risk register is the document used to record the above information. It should be maintained collectively by the integrated project team and regularly updated throughout the project life cycle, as risks will be constantly changing. Risk management plans may be recorded on the risk register.
The aim of risk management is to ensure that risks are identified at project inception, their potential impacts allowed for, and where possible the risks or their impacts minimized.
Classification of Risks
The classification based on type of risks is usually done by assuming that the total risk is made up of market risks (Speculative risk) and specific risks (Pure risk). The specific risk, sometimes called as static risk, which is having no potential gain typically arises from the possibility of accident or technical failure, while for speculative risk, there is a possibility of loss or gain which might be financial, technical, or physical. Moreover, a company’s systematic risk can be spit into two components: business and financial risk. Business risk is the result of a company trading with its assets, which is borne by the equity and debt holders and the financial risk arises directly out of the gearing process brings risk only to the equity holders.
The risk classification based on the impact of it can be subdivided into the environment risk, market or industry risk, company risk and the project or individual risk. This classification has done by considering the area with which the impact of the risk is affecting. The general environmental can again be divided into two parts: the physical and then the social, political and economical risks. The physical environment includes the weather and the natural phenomena like earthquake, landslips etc. Normally the risks involved in this environment cannot be controlled. By using the modern technologies, these phenomena can be identified well in advance and can take the measures to mitigate the effects of these phenomena. While in the other hand, the social, political and the economical environment risks are to some extent can be controlled. The government can control social, political and environment of a project to an extent. Market risk depends on a lot of factors and it is very difficult to control it. Recession is a risk that almost all the companies are facing throughout the world also comes under market risk. These types of risks are very difficult to predict too, so the better method to tackle is to try to mitigate the consequence. Any company operates within an open market and the risk attached with the market can influence the company as well. So in a company itself, for different major projects, different management groups are assigned and thereby it can act as a separate group or consortium (joint venture with another company). By doing the there are chances for the risks with which the parent company is facing may not reach this group. But the company risks and project risks are intrinsically linked because the company must ultimately bear the consequence of the risky project.
Processes Involved in Project Risk Management
A proper project risk management includes the following four processes: –
- Risk identification
- Risk quantification
- Risk response development
- Risk response control
These processes are often implemented with different names though they all arrive and achieve the same goal. Risk identification and quantification are often treated as a single process and the resultant process is called “risk analysis” or risk assessment. Risk response development is also often referred to as “risk response planning” and risk response development often referred to as “risk management”. Whether they are referred to individually or collectively, they usually maintain their requirements, tools and output. A proper analysis of these processes is stated below.
1. Risk Identification
involves the identification and determination of the possible risks that are more likely to affect the project and properly documenting the properties and effect of each one. This process is not a “once in a project” affair. It is meant to be carried out regularly as long as the project is being carried out. It should also include both internal (activities that can be controlled or influenced by the project team such as cost estimation) and external (risks beyond the project team’s control such as business laws or government action) risk. Risk identification could be achieved by either identifying “causes and effects” (events likely to occur and what will be the result) or “effects and causes” (outcomes to be avoided or appreciated and method of occurrence).
2. Risk Quantification
This step involves evaluation of the risks identified in the first step and risk interactions to assess the range of possible project outcomes. Its primary aim is to determine which risks need response. It is complicated and affected by a number of factors but is not limited to them. They include: –
- Threats and opportunities can interact in unforeseen ways such as regular delays could cause consideration of a new strategy thereby reducing total project duration.
- A single risk could trigger multiple effects such as: – a late delivery of a vital part of the project could result in penalty (fines and payments), over run cost, delay in schedule and often a poor quality product.
- Reduced cost may favor a stakeholder at the expense of the other. (opportunity for one, loss for the other).
- Mathematical principles used may create a false impression and negatively affect reliability and precision.
3. Risk Response Development
This step in the project risk management activities involves clearly defining enhanced steps to utilize opportunities and respond to threats. Threat response usually fall into one of the following categories:-
- Risk Avoidance: In the process of risk avoidance the project is changed so as to avoid the risk all together. In this kind of case the managers feel that it is a better option to change the project than to deal with the risk.
- Risk Transfer: Risk transference requires shifting the impact of the risk, along with ownership of the response, to a third party. An example would be the team transfers the financial impact of risk by contracting out some aspect of the work or taking out insurance in anticipation of a risk.
- Risk Mitigation: Risk mitigation is a process of reduction in the probability and/or impact of an adverse risk event to an acceptable threshold. Taking early action to reduce the probability and/or impact of a risk is often more effective than trying to repair the damage after the risk has occurred.
- Exploit: This strategy seeks to eliminate the uncertainty associated with a particular upside risk by making the opportunity definitely happen. Examples include securing talented resources that may become available for the project.
- Share: Allocating ownership to a third party who is best able to capture the opportunity for the benefit of the project.
- Acceptance: A strategy that is adopted because it is either not possible to eliminate that risk from a project or the cost in time or money of the response is not warranted by the importance of the risk.
4. Risk Response Control
This step involves execution of the developed risk management plan in response to the risk events during the course of the project. Whenever there are changes made to the project, the first three risk management processes (identification, quantification and response) are repeated. It is a good practice to bear in mind that even the most comprehensive and thoughtfully structured analysis cannot point out all risks and likelihood of occurrence correctly. This makes the project risk management processes an activity to be repeated often.