Risk is inherent in all our projects (and, in fact, in all we do). Risks are often considered in an informal way by the project manager when planning and devising project strategies, but a more disciplined approach to risk management minimises threats and maximises opportunities. This article sets out 5 steps for effective project risk management and provides a risk register template.
As George S Patton (1885 – 1945) said:
Take calculated risks. That is quite different from being rash.
Risk and the Management Process
In project management a ‘risk event’ can be defined as ‘an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more project objectives’. Traditionally, risk has been viewed in a negative light, but more recent practice has been to treat a risk event as being either a threat or an opportunity. Both can be managed through a single risk management process with 5 classic steps as shown in the diagram below.

Risk Management Steps
Step 1: Identify Risks
Use creative thinking techniques to identify threats and opportunities. Consider both the internal and external environment and record the results in your project’s risk register.
Working with a group of people with varied backgrounds and experience will tend to widen and improve the range and quality of the risk identification and the subsequent risk management.
The risk profile changes as the project moves forward, so the risk identification and review is an ongoing process throughout the project’s lifetime.
Step 2: Qualitative Risk Analysis
Qualitative analysis identifies the most serious risks and determines where to focus attention and resources.
To determine the seriousness of identified risks the following parameters are normally considered:
- probability
- impact
- proximity
Assessments of probability and impact are subjective with qualitative or numeric criteria most often applied to individual risks. The level of detail should be appropriate to the project. A five point scale such as that below works well for many projects:
PROBABILITY

| Qualitative Scale | Numeric Scale | Description |
| --- | --- | --- |
| Very Low | 1 | Unlikely to occur |
| Low | 2 | May occur occasionally |
| Medium/Moderate | 3 | Is as likely as not to occur |
| High | 4 | Is likely to occur |
| Very High | 5 | Is almost certain to occur |

IMPACT

| Qualitative Scale | Numeric Scale | Description |
| --- | --- | --- |
| Very Low | 1 | Negligible impact |
| Low | 2 | Minor impact on time, cost or quality |
| Medium/Moderate | 4 | Notable impact on time, cost or quality |
| High | 8 | Substantial impact on time, cost or quality |
| Very High | 16 | Threatens the success of the Project |
Note the use of a ‘doubling’ or ‘weighted’ numeric scale for impact – this avoids a low probability and high impact risk being viewed as much more severe than a risk of high probability with low impact.
Risks are ranked by the value of the product of the probability and impact scales:
| Risk | Probability | Impact | Rating |
| --- | --- | --- | --- |
| A | 2 | 8 | 16 |
| B | 3 | 4 | 12 |
Proximity is an important factor, but often ignored. By focusing on immediate risks, where it is often too late to take any effective action, we operate in a ‘fire-fighting’ mode. By thinking ahead, we can often have a wider range of options for risk responses and can manage the risks for a fraction of the potential impact cost.
Risk may be categorised as (see example in the risk register template available at the end of this article):
- Unacceptable – there is need to spend time, money and resources on responses at the individual risk level.
- Acceptable – this doesn’t mean that they are ignored, but rather that contingencies (time and/or cost) are created for the group as a whole.
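The Step 2 scoring worked through in code, as an added example that is not part of the original article: probability on the 1 to 5 scale, impact on the doubling 1/2/4/8/16 scale, rating as their product, ranked and split into 'unacceptable' and 'acceptable' against a threshold. Risks A and B are the article's own two rows; risks C and D, the threshold value of 15 and the linear-impact comparison are assumptions added here to show how the weighted scale separates a low-probability/high-impact risk from a high-probability/low-impact one.

```python
"""Step 2 risk scoring: rating = probability x impact, ranked against a threshold.
The threshold (15) is an assumption; the article leaves it to each project."""
from dataclasses import dataclass

PROBABILITY = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT_WEIGHTED = {"very low": 1, "low": 2, "medium": 4, "high": 8, "very high": 16}
IMPACT_LINEAR = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
ALIASES = {"moderate": "medium", "medium/moderate": "medium"}


def _level(table, name):
    """Normalise a qualitative label ('Moderate', 'High', ...) to its score."""
    key = name.strip().lower()
    return table[ALIASES.get(key, key)]


@dataclass
class Risk:
    ident: str
    probability: str  # qualitative label from the probability scale
    impact: str       # qualitative label from the impact scale

    def rating(self, weighted=True):
        """Product of the numeric scales; weighted=False uses a plain 1-5 impact scale."""
        table = IMPACT_WEIGHTED if weighted else IMPACT_LINEAR
        return _level(PROBABILITY, self.probability) * _level(table, self.impact)


def rank(risks, threshold=15, weighted=True):
    """Most serious first. At or above the threshold a risk is 'unacceptable'
    (responded to individually); below it 'acceptable' (covered by contingency)."""
    scored = sorted(risks, key=lambda r: r.rating(weighted), reverse=True)
    return [(r.ident, r.rating(weighted),
             "unacceptable" if r.rating(weighted) >= threshold else "acceptable")
            for r in scored]


# Constructed register: A and B are the article's rows, C and D are added here.
REGISTER = [
    Risk("A", "Low", "High"),                # 2 x 8 = 16
    Risk("B", "Medium/Moderate", "Medium"),  # 3 x 4 = 12
    Risk("C", "Very High", "Very Low"),      # 5 x 1 = 5  (linear scale: 5)
    Risk("D", "Very Low", "Very High"),      # 1 x 16 = 16 (linear scale: 5)
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(row)
```

With the linear scale C and D both score 5; with the doubling scale D rises to 16 and joins A above the threshold.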
Step 3: Quantitative Risk Assessment
Most managers will be comfortable and familiar with the qualitative analysis of risk described above. However, it’s all a bit meaningless unless the manager puts some thresholds to the qualitative definitions.
What is meant by medium impact? Where does a delay of 4 weeks and additional cost of $50,000 sit in terms of the ‘very low’ to ‘very high’ impact scale for a particular project? To assess risks in a meaningful way it is necessary to define the impacts in relation to a particular project. The following table shows a general measure of impact:
| IMPACT | COST | TIME | QUALITY |
| --- | --- | --- | --- |
| Very low | Variations manageable by virement against internal budget headings | Slight slippage against internal targets | Slight reduction in quality/scope with no overall impact on usability/standards |
| Low | Requires some additional funding | Slight slippage against key milestones or published targets | Failure to include certain ‘nice to have’ elements or ‘bells and whistles’ promised to stakeholders |
| Moderate | Requires significant additional funding | Delay affects key stakeholders and causes loss of confidence in the project | Significant elements of scope or functionality will be unavailable |
| High | Requires significant reallocation of owner’s funds (or borrowing) to meet project objectives | Failure to meet key deadlines in relation to the strategic plan | Failure to meet the needs of a large proportion of stakeholders |
| Very high | Increases threaten viability of project | Delay jeopardises viability of project | Project outcomes effectively unusable |
There are many variations on this table with percentage scales often being used for the cost and time components (see the template available at the end of this article for an example).
Step 4: Plan Risk Responses
Having established the unacceptable risks it is then necessary to consider responses on an individual basis. The standard response types can be summed up as follows:
| RESPONSE | DESCRIPTION |
| --- | --- |
| Avoid | Also known as Risk Removal and Risk Prevention. Altering the plan so that the circumstances which may give rise to the risk no longer exist. |
| Mitigate | Also known as Risk Reduction. Reducing the probability or impact of the risk. |
| Transfer | Moving the impact (and ownership) of the risk to a third party. |
| Defer | Deferring aspects of the plan to a date when the risk is less likely to occur. |
| Accept | Dealing with the risk via contingency rather than altering the plan. |
Note that all the risk responses have a cost.
Step 5: Monitor and Control Risk
The best risk planning in the world is useless without a clear picture of how the situation in the project is developing in reality. It is essential to keep track of the identified risks, monitor the effectiveness of risk responses and identify new or changed risks. This means having:
- a regular review and updating process;
- effective reporting mechanisms ensuring that risk is covered in all key reports and reviews;
- openness and transparency in the project – where ‘shooting the messenger’ is the normal approach, problems will be hidden until the last possible minute by which time response options may be very narrow indeed;
- effective communication with stakeholders to ensure that they are prepared if an anticipated risk occurs; and,
- release of contingency when the time for individual risks passes without them occurring.
Risk Register Template Download
The Risk Register or Risk Log is the key document in this classic 5 step approach to risk management. By submitting your details in the form below (privacy policy) you’ll be taken to a page where you can download a template containing:
- a blank risk register template with numeric scales and an adjustable threshold and conditional formatting for highlighting ‘unacceptable’ and ‘acceptable’ risks;
- quantitative criteria for probability and impact set out as percentages; and,
- an example of completion of the risk register.