Risks affecting organizations can have consequences in terms of a company’s economic performance, professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty.
Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) with the purpose of minimizing, managing, monitoring, and controlling the probability or impact of unfortunate events or maximizing the realization of opportunities. Threats could arise from financial uncertainty, legal liabilities, management issues, accidents, natural causes and disasters, or events of uncertain and unpredictable root-causes.
Project risk management is a continuous process that begins during a project’s planning phase and ends once the project is successfully commissioned and turned over to operations.
Here are the key steps of Risk management, described further in this document.
Risk identification is the process of identifying and listing all the potential risks that could either negatively or positively affect the project.
In Sciforma, we essentially focus on the negative risks.
What is a Risk?
A risk is an uncertain event or set of events which, should it/they occur, will have an effect on the achievement of objectives.
Risks can arise due to the influence of both internal risks (risks arising from the events taking place within the organization) and external risks (risks arising from the events taking place outside the organization).
Internal Risks result from such factors (endogenous variables, which can be influenced) as:
Human factors (talent management, strikes)
Technological factors (emerging technologies)
Physical factors (failure of machines, fire, or theft)
Operational factors (access to credit, cost cutting, advertising)
External Risks arise from such factors (exogenous variables, which cannot be controlled) as:
Economic factors (market risks, pricing pressure)
Natural factors (floods, earthquakes)
Political factors (compliance with demands and regulations imposed by governments)
During the Identification phase and based on previous project experiences, Project Managers will have to compile a list of risks. From the initial list of identified risks, a Risk Register or log can be maintained to ensure that all risk items are analyzed, prioritized, and monitored.
Risk registers should typically include the following fields:
Once all risks are identified, Risk Mitigation plans could be created.
A Risk Mitigation Plan should include the risk responses identified by each responsible party. The plan should clearly define the agreed upon response to a risk, the responsible party, results from both the quantitative and qualitative analysis, and a budget and timeframe for the risk response.
The Risk Analysis phase determines the likelihood of occurrence and the impact of each identified risk and prioritizes all of them for management review.
The analysis is a two-step approach:
Qualitative analysis – The Severity, Probability of likelihood; as well as Time, Cost, and Quality Impacts should be assigned to each risk.
Quantitative analysis – The Time and Cost Impacts in terms of days and money should also be evaluated in anticipating the consequences (that is to say, the penalty) of the Risk on the project.
These values will then be used for ranking the Risks and, moreover, define a risk’s position in the Severity/Probability Matrix, which illustrates and compares Risks based on the Level of Risk value.
The level of Risk is the product of the risk likelihood and its potential severity.
This Matrix has several objectives:
To provide decision-makers with a comprehensive vision of all risks.
To provide a better rating of risks.
To generate action plans to avoid the occurrence of risks and mitigate their impact.
The related color are the following:
Probability x Severity
1, 2, or 3
4 or 6
5, 8, or 9
10, 12, or 16
15, 20, or 25
Example: If a Risk’s Probability is “Possible” and its Severity is “Minor”, the Risk Level will be computed as follows: 3 (Probability) x 2 (Severity) = 6. The Risk Level will, therefore, be considered as “Low” () and appear as such in the matrix.
During this phase, the Project Manager assesses its highest-ranked risks and runs a plan to alleviate them using specific risk controls. The purpose of such Risk Mitigation strategies is to lessen or reduce, if not totally eliminate, the adverse impacts of the known or perceived risks even before any damages or disasters occur.
There are several options that can be undertaken to respond to risk(s):
Risk avoidance – While the complete elimination of all risks is rarely possible, a risk avoidance strategy can deflect as many threats as possible in order to avoid the costly and disruptive consequences of a damaging event. For example, Project Managers can modify the project plan.
Risk sharing – Sometimes, the consequences of a risk is shared, transferred, or distributed among several of the project's participants or business departments. The risk could also be shared with a third party, such as a business partner. Risk sharings are often accomplished by contractual agreements.
Risk reduction – Companies are sometimes able to reduce or mitigate the effects certain risks can have on company processes. This can be achieved by adjusting certain aspects of an overall project plan or company process, or by reducing its scope.
Risk acceptance – Sometimes, companies decide that taking on a risk is worth it from a business standpoint, and decide to retain the risk and deal with any subsequent fallout. Companies will often retain a certain level of risk if a project's anticipated profit is greater than the costs of its potential risk.
In short, Mitigation strategies are about taking advance and proactive actions. Risk Mitigation follows the dictum: “Prevention is better than cure.”
Although the Risk Mitigation Plan is run to decrease the risk exposure, each risk might still materialize. Project Managers need then, to determine a Risk Contingency Plan in order to handle them. Contingency Plans act as cushions and absorb the shock from the unwanted event. Contingency responses are executed when sufficient triggers or warning signs are identified and in cases where the risk is inevitable/unavoidable.
What are the main differences between a Mitigation Plan and a Contingency Plan?
It is the action undertaken to prevent a risk before it happens.
It is the action undertaken to recoup from a risk after it materializes.
A Mitigation Plan can be considered as PLAN A.
A Contingency Plan can be considered as PLAN B.
A Mitigation Plan is preventive.
A Contingency Plan is reactive.
The actions will be planned for identified risks in advance irrespective of whether the risk will occur or not and the severity of the risk.
The actions will be planned in advance but certain warning signs will be monitored and actions will be taken when the warning signs are in sight.
It helps reduce the probability of the impact of the identified risk.
Probability or impact does not change, but it helps in controlling the impact.
The final phase of Risk management is monitoring and control. This phase should be set up to track potential risks, oversee the implementation of risk plans, and evaluate the effectiveness of Risk management procedures. Monitoring and control should occur throughout the project’s lifecycle and helps improve and guide the overall Risk management process. Remember a Risk usually evolves and can always change. Thus, the review process is essential for proactive Risk management.
Risk monitoring and control is required in order to:
Ensure the execution of the Risk plans and evaluate their effectiveness in reducing risk.
Keep track of the identified risks.
Monitor trigger conditions for contingencies.
Monitor residual risks and identify new risks arising during project execution.
Update the organizational process assets.
The purpose of Risk monitoring is to determine whether:
Risk responses have been implemented as planned.
Risk response actions are as effective as expected or if new responses should be developed.
Project assumptions are still valid.
Risk exposure has changed from its prior state (determined through analysis of trends).
A Risk trigger has occurred.
Proper policies and procedures are followed.
New risks have occurred that were not previously identified.
The relationships available for Risks are as follows:
This relationship will be created when the Risk reaches the “Closed” Workflow State. The Risk can thereupon be transformed into another object, while allowing the user to keep track of its evolution.
Risks can be turned into Issues (1-1) and Tasks (1-1).
The Risk can be attached to another object, allowing the user to associate some or all of the elements they respectively share with each other. This connection can be created and deleted without any consequences.
Attachments (1-N) can be attached to Risks.
Duplicate & Attach to
The relationship will be created when the Risk reaches the “Duplicate” Workflow State. The Risk can thereupon have a Parent-Child relationship with another Risk.
A Risk can be attached to another Risk (N-N) when “connecting” them together.