Project Risk Management
Risk management processes guide the project manager and project team in the identification, analysis, response and control of risk.
When to use
While risk management should be practiced throughout the life of the project, the emphasis tends to change. Early in the project there are many risks and uncertainties, but there are also many options for addressing those risks. As the project progresses, the number of risks goes down because things that were uncertain become known. However, the ability to respond to risk goes down and the magnitude of the risk impact goes up, because there is less time and fewer resources left as you approach project completion.
Project Risk Management
“Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project.” PMBOK® Guide
Because of the unique nature of a project, there are uncertainties. There are things that have never been done a certain way, by this project team, to achieve the objectives for this project, in this time period and with these business conditions. While a project manager normally manages the risk management process, they rely heavily on their project team members, who are often the subject matter experts, to identify threats and opportunities. Risk management is normally a standard part of every project team meeting. It is impossible to eliminate risk on a project, but it can be managed.
Early in the project the emphasis needs to be on identifying all risks so that a project plan can be put in place that 1) avoids threats, 2) leverages opportunities, and 3) has risk response options built in for those threats that cannot be avoided. Before the project plan is baselined, risk responses should be included for all major threats. As the project progresses, the emphasis shifts to finding early warnings of new risks and checking the efficacy of the risk response approach that was embedded into the plan.
We sometimes talk about “known” risks and “unknown” risks. Known risks are those that we have identified as a threat or opportunity, but the likelihood of occurrence is uncertain. The unknown risks are those that have not been identified. In some cases a category of risk can be identified, but the specific risk won’t be known until the project progresses. Examples of this are weather delays on a construction project or software bugs on an IT project.
Definitions are taken from the Glossary of the Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) – Fifth Edition, Project Management Institute, Inc., 2013, Page 255.
Project Risk Management Processes
There are six Project Risk Management processes. They relate to each other as shown in the diagram below. They are often conducted in parallel: while one risk is being identified, another is being analyzed and the risk response for a third is being prepared. The six processes are:
- 11.1 Plan Risk Management: “The process of defining how to conduct risk management activities for a project.” PMBOK® Guide
- 11.2 Identify Risks: “The process of determining which risks may affect the project and documenting their characteristics.” PMBOK® Guide
- 11.3 Perform Qualitative Risk Analysis: “The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.” PMBOK® Guide
- 11.4 Perform Quantitative Risk Analysis: “The process of numerically analyzing the effect of identified risks on overall project objectives.” PMBOK® Guide
- 11.5 Plan Risk Responses: “The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.” PMBOK® Guide
- 11.6 Control Risks: “The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.” PMBOK® Guide
Definitions are taken from the Glossary of the Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) – Fifth Edition, Project Management Institute, Inc., 2013, Pages 534, 542, 549, and 550.
Risk Sensitivity and Risk Analysis
A complicating factor in risk analysis is that each organization, and often each stakeholder, will have a different sensitivity to risk. This sensitivity is based upon past experience, duties and responsibilities, and sometimes even personality. In addition, many organizations or stakeholders will change their risk sensitivity based upon what is happening in the business or in other parts of the project. There are three terms which help us understand the concept of risk sensitivity:
- Risk Appetite: “The degree of uncertainty an entity is willing to take on, in anticipation of a reward.” PMBOK® Guide
- Risk Tolerance: “The degree, amount or volume of risk that an organization or individual will withstand.” PMBOK® Guide
- Risk Threshold: “Measure of the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.” PMBOK® Guide
In an effort to reduce the reliance on personal risk sensitivity to determine which risks are significant on the project, many organizations use a risk matrix to do a preliminary, or qualitative, assessment of the risk. While this risk analysis may calculate a risk value or risk rating, it is still heavily subjective. For those very high risks, a company will often do a more rigorous quantitative analysis. The Decision Tree and EMV quantitative analysis is discussed in detail in another module. The Probability and Impact Matrix shown below is an example of applying an analytical process to a subjective measure. For instance, the impact measures of “High” or “Low” are subjective, but by using a preassigned value for each of those measures, the analysis provides a rationale for why some risks are treated as major, or “Red,” risks and others are not.
Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) – Fifth Edition, Project Management Institute, Inc., 2013, Figure 11-10, Page 331 and Glossary definitions on Pages 559 and 560. PMBOK is a registered mark of the Project Management Institute, Inc.
PMI, PMP and PMBOK are registered marks of the Project Management Institute, Inc.