Project Risk Management
Risk management processes guide the project manager and project team in the identification, analysis, response and control of risk.
When to use
While risk management should be practiced throughout the life of the project, the emphasis tends to change. Early in the project there are many risks and uncertainties, but there are also many options for addressing those risks. As the project progresses, the number of risks goes down because things that were uncertain become known. However, the ability to respond to risk and the magnitude of the risk impact go up because there is less time and fewer resources left as you approach project completion.
Project Risk Management
“Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation and monitoring risk on a project.” PMBOK® Guide
Because of the unique nature of a project, there are uncertainties. There are things that have never been done a certain way, by this project team, to achieve the objectives for this project, in this time period and with these business conditions. While a project manager normally manages the risk management process, they rely heavily on their project team members, who are often the subject matter experts, to identify threats and opportunities. Risk management is normally a standard part of every project team meeting. It is impossible to eliminate risk on a project, but it can be managed.
Early in the project the emphasis needs to be on identifying all risks so that a project plan can be put in place that 1) avoids threats, 2) leverages opportunities, and 3) has risk response options built in for those threats that cannot be avoided. Before the project plan is baselined, risk responses should be included for all major threats. As the project progresses, the emphasis shifts to finding early warnings of new risks and checking the efficacy of the risk response approach that was embedded into the plan.
We sometimes talk about “known” risks and “unknown” risks. Known risks are those that we have identified as a threat or opportunity, but the likelihood of occurrence is uncertain. The unknown risks are those that have not been identified. In some cases a category of risk can be identified, but the specific risk won’t be known until the project progresses. Examples of this are weather delays on a construction project or software bugs on an IT project.
Project Risk Management Processes
There are seven Project Risk Management processes. They relate to each other as shown in the diagram below. They are often conducted in parallel: while one risk is being identified, another risk is being analyzed and the risk response for a third risk is being prepared. The seven processes are:
11.1 Plan Risk Management: “The process of defining how to conduct risk management activities for a project.” PMBOK® Guide
11.2 Identify Risks: “The process of identifying individual process risks as well as sources of overall project risks and documenting their characteristics.” PMBOK® Guide
11.3 Perform Qualitative Risk Analysis: “The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics.” PMBOK® Guide
11.4 Perform Quantitative Risk Analysis: “The process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives.” PMBOK® Guide
11.5 Plan Risk Responses: “The process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure as well as to treat individual project risks.” PMBOK® Guide
11.6 Implement Risk Response: “The process of implementing agreed upon risk response plans.” PMBOK® Guide
11.7 Monitor Risks: “The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.” PMBOK® Guide
Risk Sensitivity and Risk Analysis
A complicating factor in risk analysis is that each organization, and often each stakeholder, will have a different sensitivity to risk. This sensitivity is based upon past experience, duties and responsibilities, and sometimes even personality. In addition, many organizations or stakeholders will change their risk sensitivity based upon what is happening in the business or in other parts of the project. There are three terms which help us understand the concept of risk sensitivity:
Risk Threshold: “The level of risk exposure above which risks are addressed and below which risks may be accepted.” PMBOK® Guide
Risk Appetite: “The degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.” PMBOK® Guide
Risk Exposure: “An aggregate measure of the potential impact of all risks at any given point in time in a project, program, or portfolio.” PMBOK® Guide
In an effort to reduce the reliance on personal risk sensitivity to determine which risks are significant on the project, many organizations use a risk matrix to do a preliminary, or qualitative, assessment of the risk. While this risk analysis might calculate a risk value or risk rating, it is still heavily subjective. For those very high risks, a company will often do a more rigorous quantitative analysis. The Decision Tree and EMV quantitative analysis is discussed in detail in another lesson. The Probability and Impact Matrix shown below is an example of applying an analytical process to a subjective measure. For instance, the impact measures of “High” or “Low” are subjective, but by using a preassigned value for each of those measures, the analysis provides a rationale for why some risks are treated as major, or “Red,” risks and others are not.
Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) – Sixth Edition, Project Management Institute, Inc., 2017, Figure 11-5, Page 408 and Glossary definitions on Pages 708, 711, 712, 713, 717, 720 and 721. PMBOK is a registered mark of the Project Management Institute, Inc.
PMI, PMP, CAPM and PMBOK are registered marks of the Project Management Institute, Inc.