This blog will look at the theory of Project Risk Assessment. This is the second blog in a trilogy examining:
- What is a Project Risk
- The Theory of Project Risk Assessment
- Where does Project Risk Assessment go Wrong
The first blog is completed, and this blog examines the theory of Project Risk Assessment. A following blog will discuss the problems of performing risk assessments, and how risk management can go wrong.
Project Risk Assessment
This is essentially a three-step process:
- Identify Risks on the project
- Assess the Risks
- Control the Risks
Each of these is dealt with below.
Identifying Project Risks
Without knowing what the risks are, the steps of risk assessment and control are impossible, so this is a key step in the risk assessment process. Risks can be identified using a variety of methods:
- Checklists. Especially useful for ‘Runner’ projects that the company has a lot of experience in.
- Personal Experience. Things that have previously happened to you as a project manager that you don’t want to experience again!
- Team Experiences. A brainstorm with the team for them to share their own personal experiences.
- Company Experiences. A good project management discipline is to hold a ‘Project Review’. This should talk about risks that have occurred, or were anticipated on previous projects. These should be a good source of risks and ‘Corporate Learning’.
- The Project Plan should reveal many risks. Look for items that are high cost, long duration, on the critical path, or that use resources who are at capacity. The project plan is a good talking point for the team to discuss the project tasks, and the risks involved.
- Strengths, Weaknesses, Opportunities, Threats (SWOT) analysis. The benefit of performing a SWOT analysis on the project is that it highlights the positive risks (Opportunities and Strengths) as well as the negative risks (Threats and Weaknesses). Please refer back to the first blog to understand the significance of this.
It should be remembered that identification of risks should continue throughout the project because the project will change as it progresses, and new risks may arise.
Log Project Risks
Identified risks need to be recorded in a Risk Register or Risk Log. This is the document that can be used at project meetings to review risks as the project progresses. A good project risk log template includes information on:
- Risk Number
- Risk Name
- Risk Impact
- Risk Probability
- Risk Exposure
- Risk Owner
- Mitigation Plan
Some risk registers can become quite complex with many more columns of information.
Excel is often used to record risks, as risks can be re-ordered depending on owner, impact, exposure etc.
There are two dimensions to risks: the probability of them happening, and the impact if they do occur.
These are often categorised as Low, Medium, or High, or rated on a scale (1-5 is common). A percentage can also be used for the probability range. Whilst this is easy to describe in theory, actually assessing risks in practice can be difficult, as the third blog in this series describes.
The results of the risk assessment can be entered into the Risk Log, and also drawn on a Risk Map.
Clearly, risks in the top corner, where both the probability and the impact are high, should be avoided (do the task a different way!). Risks in the lower corner should be recognised (not ignored!), as over the course of a project the risks may change.
The risk map already suggests some methods of risk control; however, there are other methods available. Firstly, it should be recognised that risk control falls into two categories: Risk Prevention (stop the risk happening) and Risk Mitigation (actions to take if the risk occurs).
Risks can be controlled by 6 different methods:
- Avoid. Do something differently, at a different location, with a different method.
- Transfer. Transfer the risk to a sub-contractor, or share the risk with the client.
- Control. By understanding them better with computer models or simulations.
- Insure. This method compensates rather than prevents risks occurring.
- Manage. By encouraging good communication, skilling staff to deal with risks, reporting progress regularly and close monitoring of risky task situations.
- Provide. By adding extra time and budget into the plan in case risks occur.
When thinking about the best method to control the risk, do remember that prevention is probably a better option than mitigation.
Risks need to be reviewed as part of a regular project meeting. New risks might be identified, and will need to be assessed. Some risks will be ‘triggered’ and risk mitigation plans activated, whilst other risks will pass without occurring. As the project progresses (and changes), the assessment of the impact and probability of each risk needs to be reviewed. The monitoring of risks is an ongoing process, and concludes at the ‘Project Review’, where the company can learn, and record everything about risks for sharing with future project teams.
Project Risk Assessment: All well and good in theory; however, putting it into practice is another matter!