This is the final blog in a trilogy of blogs on Project Risk Assessment.
The series has included three blogs:
- What is a Project Risk
- The Theory of Project Risk Assessment
- Where does Project Risk Assessment go Wrong?
Edit November 2019: Of course, any organisation is running a project to make profit or to ‘get something done’. If the organisation has a poor attitude to risk management, or prefers to put profits first, then risk management can never be done properly.
The Problems with Identifying Risks
Project Risk Assessment has three stages, Identification, Assessment, and Control – so we will start with the problems of Risk Identification.
- By definition, projects are unique. Therefore, many projects will contain tasks not performed before, and thus identification of risks on these untried tasks is problematic.
- Time. There simply isn’t enough time to identify all of the risks that may affect any project. When do you stop identifying risks and start the ‘real’ work?
- Can be seen as non-productive. This is especially true when a project has just been agreed, and (some) senior managers want active progress rather than passive thought. Poor management may see risk identification as ‘Excuse making before you start’, and non-productive.
- You can never identify all of the risks before creating a detailed plan. Risk identification is a bit of ‘chicken and egg’. You need a plan to identify risks from, but you need a plan that is also risk free. It can take many iterations (and time) to identify most of the project risks.
Risk identification is difficult to do properly, but is the first sage in the process. You cannot assess a risk that has not been identified!
The Problems with Assessing Risks
It could be that the risks identified turn out to be too general to be assessed correctly. For instance, a common risk in a construction project is ‘Bad Weather’ or ‘Supplier Delivers Late’. However, to assess this risk correctly, we need to know the quantity, duration, and type of bad weather, and which supplier is how many days late. Identified risks can be simply too general, and this leads to the problem of too many risks – bad weather can become wind, rain, frost, snow, sleet, sun, etc., with each of those being various degrees of both severity and duration.
Risk assessment has two dimensions:
- Impact: The impact on the project schedule or time frame are easy to quantify in terms of days or £’s. The impact on quality may be more difficult to determine.
- Probability: Whilst it is easy to propose that a risk is high probability – what do we mean by that in percentage terms? A 10% probability (1 in 10 chance) will be a high risk for some tasks but a low risk for other tasks.
So not only does a simple risk become many when it is assessed, it is also difficult to accurately assess.
Tips for Assessing the Impact of Risks:
Consider the impact in terms of days, or cost, and then compare this with the overall project duration and budget. It will be fairly easy for a team to agree the boundaries for Low, Medium or High.
For instance, a £1 million project, lasting 6 months (120 days):
- Delays of up to 5 days or affecting the budget by up to £1,000 are Low impact
- Delays of over 5 days and up to 15 days or affecting the budget by £1,000 – £10,000 are Medium impact
- Delays of over 15 days or affecting the budget by more than £10,000 are High impact
Another method may be as follows:
- 1 (low) Not critical to continued project operation
- 2 (low) Minor impact in some project areas
- 3 (Medium) Minor impact in many project areas
- 4 (Medium) Significant impact – would not affect continued project operations in short-term but might in long-term
- 5 (High) Significant impact in medium-term; relates to substantial project areas
- 6 (High) Fundamental to continuing project operations
Again, the project team can discuss these boundaries at the start of the project.
Tips for Assessing the Probability of Risks:
This will depend on project type and duration, but a simple scale could be used as follows:
- 1 (Low) Extremely unlikely, rare occurrence, once every 10 years
- 2 (Low) Unlikely, once every 5 years
- 3 (Medium) Moderately likely, once a year
- 4 (Medium) Regular occurrence, two, three times a year
- 5 (High) Highly likely, once a month
- 6 (High) Extremely likely; frequent occurrence, once a week
The assessment of risks is not about luck, chance, or science. You cannot predict the future, and it is difficult to assess the probability of an event occurring. Do your management understand this?
Risk Mitigation Produces New Risks
So, you have identified a high impact risk, and added new tasks to the project plan in order to mitigate the risk. Have you now returned and identified the risks on those new tasks? As examples:
- Risk of falling so wear a parachute. New risk – parachute gets damaged or fails.
- Risk of falling so build a bridge. New risk – bridge fails.
- Risk of IT system becoming corrupt so take a back-up. New risk back-up fails.
Actions taken to mitigate risks need to be risk assessed themselves.
Companies Prefer One Mitigation Method
The final step of Risk Management after Identification and Assessment is Risk Control. However, do remember that there are many ways of controlling risks:
- Avoid. Do something differently, at a different location, with a different method.
- Transfer. Transfer the risk to a sub-contractor, or share the risk with the client.
- Control. By understanding them better with computer models or simulations.
- Insure. This method compensates rather than prevents risks occurring.
- Manage. By encouraging good communication, skilling staff to deal with risks, reporting progress regularly and close monitoring of risky task situations.
- Provide. By adding extra time and budget into the plan in case risks occur.
Some companies have preferred methods for risk control:
- They add extra time to the schedule in case of risks
- They add extra money to the budget in case of risks
- They train their staff to be able to deal with risks
- They use contracts to share or transfer the risks to suppliers
The problem here, is that other risk control methods may be overlooked, or forgotten.
Project Risk Assessment is Difficult
In summary, the theory of Project Risk Assessment is easy, and can be covered in about an hour. However, it is only when trying to identify and assess risks on a real project, that the difficulties start to arise, and the simple theory becomes a complex practice!
Don’t think that you can understand project risks by reading a text book or attending a trainign course. the reality is that putting the theory into practise is difficult!