Project risk management can be stated as any project that is subject to risks. Failing to manage projects properly will eventually find itself in a state of continual crisis (The Elements of Project Risk Management, 1996). Projects that do fail are characterized by “the inability to decide what to do, when to do it, and whether enough has been done” (Project Risk Management Principles, 1996). Project Risk Management can further be characterized as using “basic techniques of analysis and measurements to ensure that risks are properly identified, classified, and managed (PRMP, 1996).
Managing risks have to be identified by first understanding what a risk is. According to Tusler (1996, PRMP), the official definition provided by his Professor James Garven, from the American Risk and Insurance Association as follows: “Risk management is the systematic process of managing an organization’s risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors, and the law.
It consists of the planning, organizing, leading, coordinating, and controlling activities undertaken with the intent of providing an efficient pre-loss plan that minimizes the adverse impact of risk on the organization’s resources, earnings, and cash flows”. Prior to project risk, there is project selection and this is a significant factor since selecting a project can be risky. Project selection and project risk are hence linked together (Kendrick, 2009, p. 19).
Project management usually begins with project assumptions and many of these tend to be extracted from the project charters, datasheets, and other important documents that have previous risk assessments from previous project. Stakeholders risk management usually begins with their registering and determining their positions on specific project outcomes and guidelines. What usually follows is a set of other documents that need more in-depth information in order to continue such as project planning information, emplates and metrics, planning processes, project tools, and other important documents that will help in assisting towards better risk management. Project Risk Management usually again begins with “summarizing risk management approach, methodologies and processes, roles of people involved, risk definitions and standards, frequency and agenda for periodic reviews, reports, requirement for status collection and other tracking” (Kendrick, 2009, p. 30). Besides tracking the different areas of potential risk, risk management is also great in identifying project opportunities that can come out of uncertainties.
According to PMBOK Guide (2008, p. 273), risk management is usually approached by including the following: “the processes of conducting risk management planning, identification, analysis, response planning, and monitoring and control on a project”. The whole goal and objective to Project Risk Management is directing and controlling projects towards positive events while effectively avoiding negative events as much as one can, unless opportunities arise by entertaining negative risk events (PMBOK Guide, 2008, p. 273).
Risk planning more often than not changes as any project progressives forward and therefore should be monitored very closely since surprises often do occur catching some of us off guard and this can pose a future threat and may have multiple impacts (Heldman, 2009, p. 232). Should risks occur unexpectedly, it is always best to minimize them by thoroughly investigating in detail by reviewing every bit of information at a team’s disposal. This will help to minimize the impact that could result in a catastrophe if not handled well.
Heldman (2009, p. 232) discusses that “as you get close to a risk event, that’s the time to reassess your original assumptions about the risk and your plans to deal with the risk and to make any adjustments as required”. Of course, not all risks are bad or a cause for damnation and as discussed previously, some may even be a cause of an opportunity/s. Most project risk planning’s inputs begin with the concern of four project objectives in mind – time, cost, scope, and quality (Heldman, 2009, p. 233).
Since no project is without deliverables, a project begins with a project scope statement and what follows are usually the following documents: Cost management plan, Schedule management plan, Communications management plan, Enterprise environmental factors, Organizational process assets, and other pertinent documents related to the project itself. Heldman (2009, p. 234) exclaims that when addressing the Enterprise environmental factors, it is always best to realize and note down the enterprises and stakeholders risk tolerance levels.
Tolerance levels will provide an assessment of what can be accomplished and what to legitimately keep at bay. The right risks to avoid or take are questionable but knowing the boundaries can constitute a successful project for the team itself and perhaps to the overall project outcome. What is important is eliminating or minimizing them in order for the project to meet its end goals (Yosha, 2012, p. 37). Yosha (2012, p. 37) claims that risk management requires “a strong connection between project risk expectation, defined as the sum of the risks’ impact multiplied by their probability, and the budget reserve required”.
In essence, a thorough analysis of a project risks along with a well-prepared detailed plan can establish the outcome of a projects success, which establishes the right budget. Most organizations know very well when dealing with project management that it is impossible to execute any project without a properly detailed plan (specifications), statement of work, and budget which are all detailed by a work breakdown structure (WBS) (Yosha, 2012, p. 37). Yosha (2012, p. 8) claims that many projects are performed instinctively as opposed to methodically and that many risks that occur often appear well into a project, which ultimately requires a revision of the planned project, budget and schedule. A risk not defined early in the project can impact a project’s success and hence determine the methodology of how to tackle project risk. Project risk management involves performing a quantitative evaluation of each risk, organizing risk intensity, and implementing a mitigation plan to either minimize or eliminate each risk (Yosho, 2012, p. 8).
Implementing methodology according to Heldman (2009, p. 236), who quotes the PMBOK Guide, is one of the first steps of getting organized in risk identification. Most members of an organization need to attend a meeting regarding methodology and those who specifically get involved according to Yosha (2012, p. 38), are “project management, engineering, industrial engineering, logistics, sales, production floor representatives and other experts according to the nature of the project”. Yosho (2012, p. 9) mentions that his meeting usually involves a facilitator who gathers all risks presented by others and then he/she prioritizes them according to the following: specific, future occurrence, holds a certain probability of occurrence, its occurrence is beyond your control, it describes a reason and not a result, and finally occurrence entails negative impact on the project”.
Once the risks have been identified, they need to be organized as mentioned previously according to intensity and hence a quantitative evaluation of the risks are performed. According to Yosha, (2012, p. 9), risks will get organized as follows: Risk intensity, risk probability, risk impact, technical impact, cost impact, schedule impact, and risks expectation of the project in monetary amount. It is worthy to note that once the methodology is accomplished, of that according to the Heldman (2009, p. 236), the risk management plan should include but is not limited to the following categories: Roles and responsibilities, budgeting, timing, risk categories, definitions of risk probability and impact, probability and impact matrix, revised stakeholder tolerances, reporting formats, and tracking”.
Risk categories are essentially a way of helping to improve the process by informing others involved a common ground or basis for understanding and describing risk (Heldman, 2012, p. 237). Identifying risks is determining what risks to document if they will affect the project (PMBOK Guide, 2008, p. 282). Usually all project personnel should aid in identifying and determining project risks since risk uncertainty is wide and expansive. Identifying risk is also an iterative process since new risks can evolve at any time during the project and usually it becomes known as the project continuous well into its life cycle.
The occurrence of iteration and who gets involved during each cycle will alter by situation. Performing a risk qualitative analysis is the next step after identifying risks. What is determined is the impact the identified risks will have and the probability of their actually occurring. The next stage after qualifying risks is to conduct a risk quantitative analysis by numerically analyzing the effect that the identified risk would have on the overall projects demands (PMBOK Guide, 2008, p. 294).
Quantitative Risk Analysis basically analyses the effects of risk events and those risks can be analyzed individually or an aggregated effect of all risks affecting the project can be conducted. When a risk is potentially identified and quantified, the next step is to determine or develop a response plan. The response plan is a continuous process that needs to be constantly updated and/or reviewed. Most project managers will prefer to use this plan when viewing risk prioritization because it’s quick, relatively easy to accomplish, and cost effective.
Quantitative Risk Analysis should then be repeated again following ‘Plan Risk Responses’ and in addition to ‘Monitor and Control Risks’ (PMBOK Guide, 2008, p. 295). By repeating the Risk Response, it will determine if the overall project risk has been addressed satisfactorily. The outcome of the repeated overall risk response will indicate if there is a need for more or less risk management action. Planning for risk responses usually is addressed by priority, injecting resources and activities into the budget, schedule and project management plan as needed.
Of course, risk responses need to be tackled and appropriate to the risk, cost effective, realistic, all parties are in consensus of the responses, timely, and finally owned by a responsible person. Monitoring and controlling risks is the final stage of having to follow a process in which there is a systematic process in implementing risk response plans, tracking the identified risks at hand, monitoring residual risks, identifying any new risks that may evolve, and evaluating risk process effectiveness throughout the life cycle project (PMBOK Guide, 2008, p. 08). According to the PMBOK Guide (2008), monitoring and controlling risks is a process that applies methods such as variance and trend analysis, which needs the use of performance information spawned during project execution. Monitoring and controlling risks may using different strategies, implementing a contingency plan and if need be, amending the project management plan. Finally, monitoring and controlling involves updating lessons learned databases and risk management templates and updating the company’s process assets.
Project Management Institute. (2008). Project Management Body Of Knowledge (4th ed.). Newtown Square, PA: Author
Project Risk Management Principles. (2006). The elements to risk assessment. Retrieved from http://www.netcomuk.co.uk/~rtusler/project/principl.html
YOSHA, R. (2012). MAKE IT NOT GO WRONG. Industrial Engineer: IE, 44(6), 36-41.