An important part of managing a project is project risk management. Not identifying and managing risks can take down a project in short order. Therefore, risk management should be done for all but the most trivial projects.
Even if we are willing to accept a given risk level in order to take advantage of an opportunity, knowing the risk level is still important.
Refer to this article for a discussion on the meaning of risk.
Project Risk Management
Many organizations have developed risk management standards. We will keep the project risk management process pretty generic for our purposes. In general terms, risk management entails the following steps:
- Identification Identify potential risks.
- Analysis Assess the impact of risk, and the probability of occurrence.
- Mitigation Develop a plan to mitigate risks, and mitigate up front, if possible. Give high impact risks first priority in any mitigation efforts.
- Monitoring Monitor risks, and take appropriate action as needed.
In the first step, we enumerate potential risks. Each identified risk is often placed in a risk log or risk register that is updated throughout the project. Documenting risks provides a means of communicating risks to all stakeholders. It also provides a structured way of dealing with risks.
Identifying risks is part science, and part art. Some risks are identified because they are specific to an industry, or we know risks that have happened in past projects. Brainstorming methods may be used to think of scenarios that result in risk. This requires experience, creativity, and including all stakeholders to get a diverse input on potential risks.
A risk analysis is performed to determine two things: the impact of the risk and the probability of occurrence. Risk analysis generally falls into one of two categories: qualitative and quantitative.
Qualitative risk analysis is a subjective look at risk. Impact and probabilities are categorized by varying levels such as low, medium, and high.
Quantitative risk analysis is a more in-depth analysis. Models are used to describe risk numerically.
Refer to this article for more information on risk analysis.
Sometimes all risks cannot be mitigated with the available resources. At this point risk mitigation efforts need to be prioritized.
In some cases we are willing to accept a risk level for the opportunity of a higher return. A breakthrough product with no existing market may be a large financial risk, but we might be willing to accept this risk because of the potential upside.
Some risk mitigation techniques are:
- Avoidance. Not doing part or all of a project exposed to an unacceptable risk.
- Redesign. Change a design to mitigate or eliminate risk.
- Risk sharing. Doing a joint venture or some form of partnership with another party to share in risk and reward.
- Risk shifting. Buying property or liability insurance.
- Do nothing. This isn't a mitigation technique, but as we discussed earlier, sometimes we are willing to accept a risk for the opportunity to experience the potential benefits.
After we've identified, analyzed, and mitigated risks (or at least have a plan), we don't just move on and forget about them. Risks are monitored for the life of the project, and action taken as needed. Any new risks that are identified during the project should follow the same analysis and mitigation steps as well.