Is Risk Management Required?
Every project manager attempts to complete a project within the triple constraints of scope, time and cost. If all these three parameters are satisfied, a project is usually well on track. However, in many cases, it is not as easy as it sounds. Due to external or internal factors within the organization, the delivery of the project can be delayed. This can be avoided if an organization looks at its risk management methodology. In many organizations, risk management is seen as a ‘Good to Have’ rather than ‘Must Have’. This is because there is no framework or streamlined risk-management process in the organization.
Without a framework, risk management is complicated, as the project manager then has to deal with risks only as and when issues arise. This is also why risk management is stressed in PMP® Training.
Risk Management Framework
Project Risk Management as per PMP® guidelines usually involves understanding risks, maximizing the likelihood of positive outcomes on the project and minimizing the likelihood of negative events. A Project Management Professional Certification program can help one learn the deeper aspects of this. Any sound risk management framework covers the following areas:
- Strategy and Planning
- Identifying Risks
- Risk Analysis
- Response Planning
- Monitoring and Control
Strategy and Planning
Roles and responsibilities regarding risk-management activities are to be defined within the team. Categories of risk, according to the functional area (financial, technical) in which a risk can arise, can be pre-planned. A risk matrix that plots the probability of each risk against its impact can be prepared, so that once the risks are identified, they can be laid down in the matrix.
Identifying Risks
It is important to take inputs at this stage from a wide range of people involved in the project. The risk-management team should speak to customers, end-users and the leadership team. All risks in the project can be successfully captured through frequent communication in the team amongst all stakeholders. Once all risks are identified, a ‘Risk Log’ should be developed wherein all the risks are listed. The risk log should contain:
- Risk Type
- Probability of Occurrence
- Impact Level
- Possible Responses
- Action Owner
Risk Analysis
The analysis phase looks at the likelihood of occurrence and impact of the identified risks. The analysis requires a fair amount of familiarity with the topic and an objective mindset. Risk analysis can be done in two steps as per PMP® guidelines:
Qualitative Analysis – In qualitative analysis, the team assigns a priority level to each risk already identified. The priorities assigned are low, medium or high risk. The risk classification should be assigned in line with organization goals. The classified risks are fed into the risk register. The response plans are first drawn out for high-risk items.
Quantitative Analysis – In quantitative analysis, a cost value is attached to each risk item. Each risk identified is first evaluated against the probability of occurrence and potential impact on the project. Evaluating the probability is mostly done through interviews. Decision trees can be used to think through which decision can yield the desired result. A simulation exercise can be carried out to understand the potential impact of the risk on the project.
Response Planning
In this process, the team identifies an alternate course of action or suitable responses to mitigate the identified risks. The team decides if the risk should be accepted, transferred, mitigated or avoided.
- Avoidance – The course of the project is corrected in the project plan to avoid the occurrence of the risk.
- Transference – The responsibilities associated with risks are transferred to a third party using a contractual agreement.
- Mitigation – Preventive measures are taken so that the risk does not occur at all.
- Acceptance – Accepting the risk and carrying out the project plan as is.
Monitor and Control
Monitoring and control are essential to track the risk responses and study their effectiveness. Tracking can reveal that an identified risk did not materialize in the first place. In this case, the priority of the risk can be moved to low. Similarly, a risk response may not be successful in tackling a risk. In that case, an alternate response has to be drawn out.
Cost versus Benefit
For smaller projects with lesser complexity, a rigorous risk management exercise may be more expensive than beneficial. It may also involve additional work for the team. Risk management policies and processes, when set up in an organization, should be applicable to all projects, big or small. In order to achieve this, the organization must look at setting a standard low-level baseline that can apply to all projects. For complicated, high-value projects, another set of rigorous risk management rules may apply. The team would note that, for such a project, the cost of implementing the risk-management procedures may be minuscule as compared to the value of the project.