Effective Risk Management in 5 Steps

DiceRisk is inherent in all our projects (and, in fact all we do).  Risks are often considered in an informal way by the project manager when planning and devising project strategies, but a more disciplined approach to risk management minimises threats and maximises opportunities.  This article sets out 5 steps for effective project risk management and provides a risk register template.

As George S Patton (1885 – 1945) said:

Take calculated risks. That is quite different from being rash.

Risk and the Management Process

In project management a ‘risk event’ can be defined as ‘an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more project objectives’. Traditionally, risk has been viewed in a negative light, but more recent practice has been to treat a risk event as being either a threat or an opportunity. Both can be managed through a single risk management process with 5 classic steps as shown in the diagram below.

Risk Management Steps

Risk Management Steps

Step 1: Identify Risks

Use creative thinking techniques to identify threats and opportunities. Consider both the internal and external environment and record the results in your project’s risk register.

Working with a group of people with varied backgrounds and experience will tend to widen and improve the range and quality of the risk identification and the subsequent risk management.

The risk profile changes as the project moves forward, so the risk identification and review is an ongoing process throughout the project’s lifetime.

Step 2: Qualitative Risk Analysis

Qualitative analysis identifies the most serious risks and determines where to focus attention and resources.

To determine the seriousness of identified risks the following parameters are normally considered:

  • probability
  • impact
  • proximity

Assessments of probability and impact are subjective with qualitative or numeric criteria most often applied to individual risks.  The level of detail should be appropriate to the project. A five point scale such as that below works well for many projects:

Qualitative Scale Numeric Scale Description
Very Low 1 Unlikely to occur
Low 2 May occur occasionally
Medium/Moderate 3 Is as likely as not to occur
High 4 Is likely to occur
Very High 5 Is almost certain to occur
Qualitative Scale Numeric Scale Description
Very Low 1 Negligible impact
Low 2 Minor impact on time, cost or quality
Medium/Moderate 4 Notable impact on time, cost or quality
High 8 Substantial impact on time, cost or quality
Very High 16 Threatens the success of the Project

Note the use of a ‘doubling’ or ‘weighted’ numeric scale for impact – this avoids a low probability and high impact risk being viewed as much more severe than a risk of high probability with low impact.

Risks are ranked by the value of the product of the probability and impact scales:

Risk Probability Impact Rating
A 2 8 16
B 3 4 12

Proximity is an important factor, but often ignored. By focusing on immediate risks, where it is often too late to take any effective action, we operate in a ‘fire-fighting’ mode.  By thinking ahead, we can often have a wider range of options for risk responses and can manage the risks for a fraction of the potential impact cost.

Risk may be categorised as (see example in the risk register template available at the end of this article):

  • Unacceptable – there is need to spend time, money and resources on responses at the individual risk level.
  • Acceptable – this doesn’t mean that they are ignored, but rather that contingencies (time and/or cost) are created for the group as a whole.

Step 3: Quantitative Risk Assessment

Most managers will be comfortable and familiar with the qualitative analysis of risk described above. However, it’s all a bit meaningless unless the manager puts some thresholds to the qualitative definitions.

What is meant by medium impact? Where does a delay of 4 weeks and additional cost of $50,000 sit in terms of the ‘very low’ to ‘very high’ impact scale for a particular project? To assess risks in a meaningful way it is necessary to define the impacts in relation to a particular project.  The following table shows a general measure of impact:

Very low Variations manageable by virement against internal budget headings Slight slippage against internal targets Slight reduction in quality/scope with no overall impact on usability/standards
Low Requires some additional funding Slight slippage against key milestones or published targets Failure to include certain ‘nice to have’ elements or ‘bells and whistles’ promised to stakeholders
Moderate Requires significant additional funding Delay affects key stakeholders and causes loss of confidence in the project Significant elements of scope or functionality will be unavailable
High Requires significant reallocation of owner’s funds (or borrowing) to meet project objectives Failure to meet key deadlines in relation to the strategic plan Failure to meet the needs of a large proportion of stakeholders
Very high Increases threaten viability of project Delay jeopardises viability of project Project outcomes effectively unusable

There are many variations on this table with percentage scales often being used for the cost and time components (see the template available at the end of this article for an example).

Step 4: Plan Risk Responses

Having established the unacceptable risks it is then necessary to consider responses on an individual basis. The standard response types can be summed up as follows:

Avoid Also known as Risk Removal and Risk Prevention. Altering the plan so that the circumstances which may give rise to the risk no longer exist.
Mitigate Also known as Risk Reduction. Reducing the probability or impact of the risk.
Transfer Moving the impact (and ownership) of the risk to a third party.
Defer Deferring aspects of the plan to a date when the risk is less likely to occur.
Accept Dealing with the risk via contingency rather than altering the plan.

Note that all the risk responses have a cost.

Step 5: Monitor and Control Risk

The best risk planning in the world is useless without a clear picture of how the situation in the project is developing in reality. It is essential to keep track of the identified risks, monitor the effectiveness of risk responses and identify new or changed risks. This means having:

  • a regular review and updating process;
  • effective reporting mechanisms ensuring that risk is covered in all key reports and reviews;
  • openness and transparency in the project – where ‘shooting the messenger’ is the normal approach, problems will be hidden until the last possible minute by which time response options may be very narrow indeed;
  • effective communication with stakeholders to ensure that they are prepared if an anticipated risk occurs; and,
  • release of contingency when the time for individual risk passes without them occurring.

Risk Register Template Download

The Risk Register or Risk Log is the key document in this classic 5 step approach to risk management.  By submitting your details in the form below (privacy policy) you’ll be taken to a page where you can download a template containing:

  • a blank risk register template with numeric scales and an adjustable threshold and conditional formatting for highlighting ‘unacceptable’ and ‘acceptable’ risks;
  • Quantitative criteria for probability and impact set out as percentages; and,
  • an example of completion of the risk register.
* indicates required field
If you subscribe to be informed of new posts you'll receive an email notification approximately weekly.

Powered by Fast Secure Contact Form

About Sandy McMillan

Sandy, who semi-retired in 2011, is the former COO of development and project management businesses operating in the construction and real estate sector throughout Europe, the Middle East and North Africa. He holds university degrees in civil engineering from the Universities of Strathclyde and Glasgow, and is a Chartered Engineer, a member of the UK's Institution of Civil Engineers, and a Member of the Association for Project Management. Since graduating, Sandy has more than 35 years management experience with the last 20+ years being in the fields of development and project management. While his early experience was in the heavy civil engineering sector e.g. power stations, he has operated primarily in the building sector since 1988 where he has managed development of retail, office, residential, and industrial properties. When Sandy's not travelling around EMEA on business, he has a home in Warsaw, Poland.
This entry was posted in Project Management, Project Management in Practice, Project Management Techniques and tagged , , , , , . Bookmark the permalink.