Carly Kroll | Director of Education | 2020

At any time during the lifecycle of a project it is important to identify possible risks that could affect the desired outcomes, and create a plan to prevent those risk from happening. Creating a risk management plan is the process of identifying, analyzing, and responding to project risks.   A risk is exposure to a situation that may negatively impact a project at some point in the future.  A risk has the potential to significantly impact the project plan, budget, schedule, or quality of delivery.  Risks can be manageable, but not fully resolvable. If an item is resolvable it is considered an issue, not a risk. The probability of risks occurring may change with time, and if left untreated, risks can have a major impact on a project. To alter the impact of a risk, interventions are needed, which are considered mitigations.

Risk Management is conducted to maximize the probability of positive events and minimize the probability and consequences of adverse events for project objectives.  Risk management involves the identification and analysis of risks, the development of responses to potential risks, and ongoing monitoring and control of risks throughout the life of a project.

 The objectives of the Risk Management approach are to:

  • Ensure critical risks (those that pose a significant potential impact to delivery, schedule, costs, performance, and / or quality) are identified and monitored regularly.
  • Minimize risks, developing alternate courses of action and establishing mitigation plans.
  • Ensure all risk stakeholders are informed and, if applicable, participate in the risk mitigation planning efforts.
  • Enable management to focus efforts on the “right” risks at the right time with an effective coordination of effort on elimination of risks to the fullest extent possible.

Risk Identification

Risk identification begins as a team collaborative effort, identifying and evaluating risks, as a start to the best contingency plans. Risk analysis should take place monthly as a way to brainstorm and highlight as many risks as possible, evaluate those risks and assign them values that will be used for determining priority, and thus, appropriate mitigation. All risks should be tracked and recorded in a risk log for future reference.

While brainstorming possible risks, the team should collect the following information:

  • Description – Give a complete description of the risk, identifying what in the project could be affected (i.e. cost overrun, delay to the schedule, reduced functionality or quality).
  • Severity or Rank – Assign a severity level or rank to the risk (i.e. depending on how the impact of the risk is quantified, a severity level of H = High, M = Medium or L = Low may suffice; this allows the team to report on how many of each severity level has been identified and concentrate their efforts on developing responses for the higher severity level risks first). Use rank to rate all the risks from highest to lowest, this technique is useful for identifying at a glance which risks need to be carefully monitored and responses developed for first.
  • Response Strategy – Record the response strategy to be used for the risk i.e. avoidance, mitigation or acceptance and detail the reason why this strategy was used.
  • Contingency Plan – Where appropriate, detail the contingency plan to be put into effect if the risk occurs.

In addition to those risks that are identified at the start of a project phase, risks identified throughout the project should be entered into the Risk Log.  A risk will not be recognized or managed until it has been recorded in the Risk Log.  Although this rule seems very basic, it is essential for the tracking and management of the project.                                                                           

Risk Assessment

Throughout a project, when reassessing risks documentation should take place to continue to detail aspects of the risk including the priority of the risk, and the phase it is currently or may in the future impact.

  • Risk – Enter a concise but meaningful short description for the risk. This field will be displayed on summary reports, so the content should represent the essence of the risk to the extent possible.
  • Priority – Select the appropriate level of priority based on the anticipated impact the risk will have on Project progress and objectives.
  1. Critical – “There is a risk that threatens the success of the overall project.”
  2. High – “There is a risk that poses a threat of significant disruption to the successful delivery of project and/or realization of project objectives and benefits.”
  3. Medium – “There is a risk that poses a significant threat of disruption to project schedule and/or costs.”
  4. Low – “There is a risk that poses slight exposure to project progress disruption.”
  • Description – Enter a thorough description of the risk, clearly noting any project dependencies on resolution of this risk.
  • Phase Impacted – Select the applicable project phase which is likely to be impacted by the risk.
  • Deliverable Impacted – Identify what deliverable will be affected by the risk.

Risk assessments can also be done in a qualitative manner to give an estimate of the severity of a risk without attempting to assign actual costs to each risk. Through using numeric values for low, medium and high, teams can determine the impact of the risk. The severity of risks can be defined according to three areas, (1) detectability, (2) impact, and (3) probability.

  • Detectability – the likelihood that the risk will be detected in the event it occurs
  • Impact – the effect that a risk will have on the project if it occurs
  • Probability – the extent to which the risk is likely to occur

These three areas are looked at according to five dimensions, (1) cost, (2) schedule, (3) functionality, (4) quality, (5) scope. Once the severity of each risk has been determined, decisions should then be made regarding which risks should have resources assigned to create mitigation strategies and contingency plans. During the life cycle of a risk, it is possible the risk becomes an issue and then results in change requests.

Risk Mitigation

After identifying and assessing the risks, steps must be taken to determine the response of the team to those possible challenges. By focusing on high-risk areas early it allows enough time for the team to give proper time and attention to a plan and reduces the chance that the risk will occur. Choosing the appropriate risk response can be achieved by focusing on one of the following approaches as a starting point for mitigation.

  • Avoidance – elude the set of circumstances that cause a risk to materialize as a problem
  • Control – formalize a process to manage or respond to the risk
  • Acceptance – acknowledge the risk on a “time will tell” basis and evaluate again later as conditions surrounding the risk may change
  • Transfer – shift the responsibility of managing the risk to another party who is better equipped to deal with, and possibly even benefit the most from, the resolution
  • Investigation – more accurately define the level of risk or develop contingency plan before another approach is selected

In addition to starting on the path towards mitigation with one of those approaches, teams need to continually meet and collaborate to review risks and progress. At the meetings for review, all responsible individuals should be present and share the progress on the mitigation of the risks. If necessary, a project champion will be chosen to help advocate for the team to executives. This may be necessary if a risk mitigation approach is beyond the authority of the project team, or an owner for the plan is not clearly established.

Overall, the process of risk management is a cyclical and ongoing process. Risks may shift and evolve, and their priorities may change. The ways to mitigate the challenges may also not always be clear, or even in the realm of possibility. For example, the economy or natural disasters may significantly impact a project, but there are limited ways to mitigate these as a whole. Focusing on other items that are in the power of the team to change ensures that a project will be on the path towards success. Reevaluation, and continual communication within the team will create a process that moves the project towards its goal outcomes.