All too often, though, the application of Project Risk Management can fall by the wayside during the Execution phase of a project, once the Project Team is caught up in the fast pace of dealing with all the day-to-day issues that need to be resolved.
Much has been written about Project Risk Management and the application of tools and statistical methods to analyse, prioritise and manage project risk. Arguably this creates a perception of complexity, which can often lead to project managers doing the bare minimum regarding the application of Project Risk Management processes within their management routine, or handing it off to someone else to deal with. Risk Management of the project should be owned by and involve the whole Project Team,
The Good News!
Practical application of Project Risk Management techniques is straightforward: by applying a practical project risk management process to your projects, with the self-discipline and commitment to follow the process rigorously, you will underpin your chances of a successful project outcome. The perceived complication arises when risks are unnecessarily over-analysed and over-presented: the use of "trendy" statistical simulation tools, and the dashboards built from them to look good on PowerPoint slide decks, can often overcomplicate life. This is not to run such practices down, but they should only be used where their value is clear.
Objective Setting - Set the objectives for the Project Risk Management process to be used and align them with the overall objectives for undertaking the project - the criteria for success. Risk Registers are practical ways for logging identified risks so they may be managed effectively through the project risk management process during the entire project life-cycle.
Risk Analysis - Identify foreseeable risks and seek to understand the type of risk - is it commercial, health & safety related, operational etc? For all risks identified, understand the likelihood and impact as well as any cause and effect relationships between risks.
Action - formulate methods and actions to reduce or eliminate identified risks in a structured and manageable way to enable continuous control of risk and uncertainty. Specific response actions may include the transfer, mitigation, allocation or acceptance of identified risks.
Monitoring - throughout the whole Project Life-Cycle, the level of risk facing the project should be measured in some way, as well as the effectiveness of the responses to identified risks.
Risk or Opportunity? Go Hand in Hand…
A practical Project Risk Management process, if applied properly, should also facilitate the identification of opportunities for improving the desired outcomes of your projects.
Opportunities to bring previously unidentified benefits to the project often mean some deviation from the baselined project definition and implementation plan. Opportunities can often get overlooked or dismissed due to the discipline of controlling the project against its baseline, once it's approved.
The more creative project managers will be very keen to identify and incorporate opportunities for improvements, although significant new risk could be introduced to the project whilst pursuing an opportunity.
By following a practical Project Risk Management process during the assessment of opportunities, risks associated with pursuing opportunities can be successfully managed during the course of seeking the benefits on offer - in a lot of cases, pursuing opportunities can inherently mitigate previously identified project risks.
Risk vs Definition
Different types of risk are present during different stages of the project life-cycle. The larger project risks usually present themselves during the early stages of a project, when the project definition has not been developed sufficiently, or risk details have not been worked through sufficiently. Therefore, as a project proceeds towards completion, its risk profile reduces.
Project Definition Rating Index
As a way of subjectively benchmarking a project’s definition against projects that were considered successful, the American Construction Institute and the European Construction Institute published the Project Definition Rating Index (PDRI):
By scoring all aspects of a project’s definition in line with recognised Best Practice in project management application, it’s possible to assess whether your project is likely to be successful or not, given its level of definition - in a sense, an assessment of the level of risk associated with a project at a known level of definition.
As a Project Risk Management tool the PDRI is useful and prompts two discussions:
"Do we delay the Execution phase and spend some time better defining the project and reducing its inherent risk before we start?"
"We can't afford to delay the Execution phase. We understand and accept the project is carrying sufficient risk to reduce its chances of success; however, we will employ a rigorous project risk management process to ensure the relatively high level of risk is managed properly."
Each type of discussion will depend on the Project Owner's aversion to risk, as well as the reasons for undertaking the project.
Foreseen and Unforeseen Risk
Two areas of project risk management that you are likely to come across, with pretty obvious descriptions, are Foreseen and Unforeseen risk.
Foreseen risks are those risks that your project team is able to anticipate and therefore has a good chance of managing appropriately. Foreseen risks are the principal focus of the project risk management process; it’s pretty difficult to manage something you are not aware of (unforeseen).
However, to ignore unforeseen risks totally is not wise. Unforeseen risks are those that creep up on you and hit you totally unawares. They can consequently cause project failure very easily. These have to be reacted to should they arise.
Although the specifics of unforeseen risks are unknown, it’s likely that some provision can be made to accommodate the generic type of risk that could present itself in an unforeseen way. Purists will challenge the logic here. After all, if a risk can be contemplated in any way, surely it has to be by definition Foreseen?
True; but its likelihood of occurring is so remote it’s generally considered "unlikely" and would live on the periphery of any prioritised Risk Register anyhow.
A common pragmatic way around this issue is for the sponsoring organisation to put aside some level of central contingency fund to be made available should an unforeseen risk present itself. This fund would typically be held outside of the project budget, but within the sponsoring organisation’s overall capital budget.
Qualitative & Quantitative Risk Analysis
If you do nothing else, the bare minimum should be a list of risks facing your project and then ranking that list in some way to allow you to focus on managing the most significant risks. The less significant risks are not totally forgotten since they are part of the overall list and do get reviewed regularly; things can and do change over time.
This ‘list’, in essence, is the start of your Risk Register and should be the main vehicle for travelling along the Project Risk Management process, although the generic risk management process is in fact an iterative review, as shown previously.
During the early stages of the Project Life-cycle, qualitative risk analysis is more often used than quantitative. During the Concept and Feasibility stages of a project, the project is not sufficiently defined to allow effective quantitative risk analysis.
Quantitative risk analysis techniques come into their own as the project definition gets better developed, and very often quantitative risk analysis becomes an integral part of the definition development process, leading to fully defining actions and implementation methodologies which mitigate or remove risks previously identified.
Monitoring and Control
The Project Risk Management process is iterative. Iterations, or review points, are usually determined by which stage of the Project Life-cycle you are at:
Concept and Feasibility stages may see the creation of the Risk Register with risks identified and qualitatively ranked in order of importance for more in-depth consideration at the next stage of the project.
During the Pre-planning stage of the project the risk register will be reviewed at least once again having taken some action against the most significant risks identified from the earlier definition stages. As the definition proceeds, some risks may have been eliminated, yet new risks may have presented themselves. Some risks still may have only been assessed qualitatively and some of the more significant risks may have undergone a rigorous quantitative analysis. The priorities for management action will have most likely also changed.
During the Project Execution and Handover stages of a project it’s more usual to review risks via the Risk Register on an ongoing basis as part of the project control activities and reporting requirements for the project - commonly on a monthly basis as a minimum.
After all, if a method of eliminating or mitigating a risk has proven successful, capturing and sharing the successful risk management actions with others means similar risks associated with other projects can be managed more effectively, reducing the overall project risk exposure of the sponsoring organisation. In this sense the Project Risk Management process becomes a feedback loop of learning and overall risk reduction.