Project Risk Management

Figure 1: Kate Middleton waiting 8 years for Prince William to propose was a risk

This blog covers how to identify risks during a project and the risk management processes used to manage these risks.

Every part of a project carries risks associated with it. The most common issues revolve around human issues, technical limitations, funding, political issues and changing deliverables (otherwise known as scope creep and leap).

The Risk Management Process can be described as three key processes:

1. Risk Identification

2. Risk Analysis

3. Response to Risk

The process of accomplishing these tasks can be broken down into 6 sub-processes:

1. Risk Management Planning

This involves developing a plan for risk management activities. Managing risk is a continuous process as factors that cause uncertainty to appear, disappear, and change as the project changes.

2. Risk Identification

To identify risks, the key facts about the project should be known, such as the product deliverables, WBS, cost estimates, staffing plan, historical information and team knowledge. It may then be helpful to set up a meeting with the stakeholders to establish what the risks are. The project manager can give the group the following categories of risks to the stakeholders to help the group can identify the risks applicable for the particular project

Figure 2: Broken Equipment

Example of Risks of a Landscaping Company

Staff risks: landscaping staff leaving during the project

Equipment risks: not delivered, breaking down (Figure 2)

Client risks: Client may not pay

Scope risks: Scope creep and leap

Technology risks: not a major risk for a landscaping company

Delivery risks: such as capacity issues

Physical risks: damage to landscape equipment

Figure 3: A matrix to establish the likelihood and impact of risks

3. Qualitative Risk Analysis

This is evaluating the impact and likelihood of the risk. Even though much of this work is guesswork, talking through the risks helps a company focus on having appropriate controls in place.

There are two methods for carrying out Qualitative Risk Analysis: Scenario analysis and Failure Mode and Effect Analysis.

Scenario analysis involves envisioning likely scenarios that may have major repercussions on the project and then identifying the possible resulting outcomes. These risks can be identified and evaluated by the project stakeholders. A close analysis of the project plan and the project schedule can help identify potential problems. A score of 1-5 can be given each to the impact and likelihood of each scenario (See Figure 3). Multiplying the two scores gives a rough materiality score and is helpful to prioritise risks and controls for those risks.

The other method is Failure Mode and Effect Analysis (FMEA). This is a structured approach to help identify, prioritise, and better manage risks.

Figure 4 – Carrot fly damage

List ways the project might potentially fail: product may not be suitable for the target market. Each way of failure is then analysed as follows:

• The severity (S) is ranked using a ten point scale, where 1 represents failures with no effect on the project and 10 represents very severe and hazardous failures. If a carrot crop gets carrot root fly, the damage estimated is rated to be 8 on the scale

• Likelihood (L) of occurring. The likelihood of a failure occurring is also ranked on a 10 point scale with 1 being not likely and 10 indicating failure is almost certain. Crops such as carrots are more likely to have damage from pests (carrot fly - see Figure 4) than say courgette, which is not particularly susceptible to pest damage. The likelihood is rated 5.

• The delectability (D) of failures is ranked using a ten-point scale where 1 is when monitoring and control are almost certain to detect and 10 is where the failure will not be detected. Carrot root fly can be detected quite easily and this is rated 3.

Calculate the Risk Priority Number by multiplying S x L x D: 8 x 5 X 3 = 120.

This method is applied to various risks and then the risks are ranked by their Risk Priority Numbers.

4. Quantitative Risk Analysis

The essence of risk analysis is to state the various outcomes of a decision as probability distributions and then use this information to make managerial decisions. The objective of this is to illustrate to the manager the risk profile of the outcomes of the project. This helps establish if the potential upside to the project is worth the risk.

PERT Estimation Technique: Knowledgeable individuals are asked for three estimates of the cost of each activity - a normal estimate, an optimistic estimate and a pessimistic estimate. A weighted average expected cost is then calculated, giving a higher weight to the normal cost.

Game Theory is when the decision maker takes a pessimistic mindset and selects a course of action that minimises the maximum harm. This approach evaluates each decision for the worst possible outcome and all of the worst outcomes are compared so the “best” worst outcome can be selected.

Figure 5: What a garden might look like if a landscaping company cuts their prices too much

For example, if a landscaping company decide to cut prices for its services to get more business (Figure 5). The optimistic outcome is that the company will get more business. The pessimistic outcome is that other competitors may cut their prices too, leading to every business in the area being less profitable.

5. Risk Response Planning

Risk response planning is planning to reduce the negative impacts on the project of the risk. Tools for a risk response plan include procurement (transfer the risk elsewhere), alternative strategies, insurance and contingency planning.

A contingency plan for a landscape company may be to plan for bad weather by having hotel customers with indoor work requirements (flower arranging and indoor plants).

6. Risk Monitoring and Control

Recording and maintaining records of what risks and risk responses are important tools for making adjustments during the project and for improving the risk management processes that are in place for future projects. For control and prevention to be successful a project needs to remove excuses, demand visibility, help people to communicate and have a plan to fall back on when things go wrong.