A Project Manager’s Insight Into Risk Management

This article explores risk management in project management, from identifying risks to learning from them for future success.

What is Risk?

Risk is the threat or possibility that an action or event will adversely impact an organisation's ability to achieve its objectives. In other words, risk is "the possibility of loss or injury".

Risk is everywhere; it can be technical, financial, organisational, safety-related, etc.

Common Types of Risk in Project Management 

1. Process Risk: It refers to potential issues arising from the execution of the project's internal processes. This risk includes undocumented processes, ineffective peer reviews, defect leakage, poor design processes, insufficient requirements management, and ineffective planning.  

  • Example: A risk that critical project documents are not carefully reviewed and updated due to a flawed document control process. 

2. Product Risk: This risk represents the chance that the final product itself might not meet expectations or quality standards, potentially impacting its success in the market. This risk includes a lack of domain experience, complex design of the product, poorly defined interfaces, a lack of legacy systems understanding, and incomplete or invalid requirements.

  • Example: A risk that a new software product might not be user-friendly, leading to low adoption rates. 

Characteristics of Risk 

  • Risks are uncertain event(s) or condition(s).
  • They can have a positive or negative impact on the project. 
  • They are threats to project objectives. 
  • They can be known (identified and analysed) or could be unknown (only contingency can be planned). 

Risk Management Lifecycle 

1. Risk Identification:

Risk identification is the process of recognising and listing all potential risks within an organisation or project, considering what potential favourable/unsatisfactory outcomes are associated with a particular project. This involves determining risk types (e.g., manageable, unmanageable) and documenting the characteristics of each type. Risk identification is carried out as a joint meeting to which the project team, support teams, subject matter experts and other stakeholders are invited.

  • Input: The input to this stage includes a risk management plan, risk types and historical information.
  • Process: The process involves brainstorming sessions to document templates and checklists. The Project Manager uses techniques like cause-and-effect diagrams and process flowcharts to identify the potential risks.
  • Output: The outcome of risk planning is a communication sent to all the affected stakeholders, highlighting the identified risks after reviewing the project plans.

2. Risk Analysis

This stage involves evaluating the likelihood and potential impact of each identified risk to prioritise them based on severity. The Project Manager focuses on the categorisation of risks, i.e., combining the related risks and linking the dependent risks. The next step is to determine the risk drivers based on underlying factors, in order to understand how risks can be mitigated and to rank them by likelihood and consequence.

Risk Analysis Categories 

Risk Analysis falls into two categories: 

  • Qualitative Risk Analysis: It is a process that relies on subjective expert judgement and opinions to assess risk probability and impact. It involves prioritising risks according to their potential effect on the project objectives. This approach is faster, simpler and less detailed. 
  • Quantitative Risk Analysis: It is the process of using objective, measurable data to assign numerical values to risk, providing a more precise evaluation of its potential impact and likelihood of occurrence. It uses statistical tools and mathematical models for analysis and is a more thorough and data-driven approach.

3. Risk Planning

The Project Manager plans for risk by deciding the approach with respect to the levels of risk, the types of risk, and the visibility and monitoring level required.

  • Input: The input to this stage includes the Project Management Plan, the organisation's risk management policy, the top 3 to 4 organisation risks, defined roles and responsibilities, stakeholder risk tolerance and the project WBS (Work Breakdown Structure).
  • Process: The process involves planning meetings with the project team in order to take steps to enhance opportunities and develop responses to threats. This stage helps estimate the timing of each risk and plan when to take action. It also covers scoring and interpreting risks for prioritisation, and defining thresholds, responsible persons and actions.
  • Output: The outcome of risk planning is a Risk Response Plan that includes identified risks and descriptions, affected areas, risk owners and assigned responsibilities, quantitative and qualitative analysis results, the response and a planned budget for each risk, as well as a contingency plan.

4. Risk Management

This is the implementation process for putting the chosen risk mitigation plans into action, including assigning responsibilities and allocating resources. 

The common Risk Management Strategies include: 

  • Risk Avoidance: This strategy includes completely avoiding risky activities or situations by choosing an alternative. 
  • Risk Reduction: This strategy involves implementing measures to lower the probability or severity of a potential negative event, like preventive maintenance. 
  • Risk Transfer: This strategy shifts responsibility for a risk to a third party or another source.
  • Risk Retention: This strategy involves accepting a certain level of risk and self-funding potential losses. 

The Project Manager follows the guidelines below to improve Risk Management effectiveness: 

  • All resources in the Project team need to be risk-oriented. 
  • Encourage teams to identify and discuss risks as early as possible. 
  • Organisations should see risk identification and analysis as a positive activity. 

5. Risk Tracking

This stage involves continuously tracking the effectiveness of implemented risk controls and updating the Risk Management plan as needed. To monitor risk scenarios, watch for signs of their occurrence. Compare indicators to trigger conditions by watching the indicator metrics. Inform stakeholders when a risk is triggered. Perform the required action as per the action plan. Sometimes, workarounds or unplanned responses to risk events are needed when there are no contingency plans. Collect and update statistics, such as revised risk scores, for the impacted scenarios.

6. Learning from Risks

This stage includes performing the project retrospective to calibrate the lessons learnt from the release.  

Some of the lessons learnt might look like the following:

  • What were the unanticipated risks? 
  • What was the actual severity of the consequence? 
  • What resolution strategies worked well/not so well? 
  • What types of risks could be avoided or transferred? 
  • What types of risks could be managed only by allocating additional capacity? 

There are a multitude of actions that can be planned as part of a retrospective.

A Project Manager needs to schedule a meeting with the Project team to discuss questions like what preventive measures we can take in the future, whether there are any significant vendor/partner performance problems, what we can share with other project teams, etc. 

This will help the Project Manager draft an effective action plan to handle any recurrence of such risks in the future.