Risk management header
products page

Risk management - The Process

The Risk Management Process (RMP)

The Risk Management ProcessThe Risk Management Process

So far we have looked at the Project Life Cycle and considered the way this can be divided for project management purposes into:


  • Concept
  • Design
  • Plan
  • Allocate
  • Execute
  • Deliver
  • Review
  • Support

Timing of the RISK MANAGEMENT PROCESS

When is the best time to carry out the RISK MANAGEMENT PROCESS? To early in the Project Life Cycle and the thinking in the project is too fluid for a formal process to be meaningful. If it is done too late then it may be too late to correct any ‘new’ problems identified.
A good place to start is during the ‘plan’ phase of the Project Life Cycle before ‘execution’ gets underway.

If we have the luxury to choose the project then pick one that appears to have been well managed to date and if possible where a lot of prior experience exists.
In this way the ‘practice’ of the RISK MANAGEMENT PROCESS (for the first time) has its best chance of success and acceptance in the organisation instead of just being seen as a ‘fault finding’ exercise.

All parts of the Project Life Cycle are subjected to the formal process.
Once suitable experience has been gained and depending upon the exact nature of the project certain short cuts can be used.
However, the formal RISK MANAGEMENT PROCESS will throw light on to current practices, improve the techniques for the search of RISKS, their assessment and management and create a better awareness within the organisation.

Each of the steps outlined below may be revisited during this process in terms of feedback loops affording more than one cycle to refine the data obtained.

We will assume that the RISK MANAGEMENT PROCESS is carried out at the latter part of the ‘plan’ part of the Project Life Cycle.

Define (the project)

The following key areas will need to be addressed.

Existing information is collated


  1. Objectives
  2. Scope
  3. Strategy documentation
  4. Plans (INITIAL plan summary form, indicating timing)
  5. Idea of resource involvement
  6. Design documentation
  7. Stakeholder information

Each of these will need to be clearly documented so that there is no ambiguity.

Fill in the gaps

The above process may show a few glaring omissions which if the project has been handled well should not exist.
There will therefore be some project management to fill in these gaps.

Deliverable

When a step is complete we must make sure that the results of the phase are documented (document) in a clear fashion and are available to all persons involved in the project.
This will include all stakeholders.
The document should be circulated to verify the truth (check) of the information it contains.
This circulation may well go outside of the immediate group of persons responsible for its content.

The main aim is that all key parts which in total ‘define’ the project are clear and unambiguous.
This may not always be the case and such differences should be documented. All those responsible for the document should be noted.

There should be a review (review) of the data collected within the document to make sure it is relevant for the status of the project.
When all of this has been done it is ready for circulation (circulate).

The last part of this step namely:

  1. Document
  2. Check
  3. Review
  4. Circulate

Will apply to all of the steps and is probably good practice for a lot of documents produced.

As is the case with many stepwise activities, the more thoroughly the ‘define’ stage is carried out the less problems we will have in the next stages.

Define (the risk management process)

This step examines the RISK MANAGEMENT PROCESS itself as opposed to the Project Management Process steps above.
We need to assess:

  • The SCOPE of the RISK MANAGEMENT PROCESS
  • The STRATEGY

Depending upon the nature of the project decision making could be based upon a QUALITATIVE approach e.g. high, low, medium assessment of the risk, or it may need to be based on a stronger assessment of collated data and analysis in a QUANTITATIVE manner.

As mentioned above we need to produce:

Deliverable

The steps above will apply.

  1. Document
  2. Check
  3. Review
  4. Circulate

Scope should cover:

  • Why is the RISK MANAGEMENT PROCESS being carried out?
  • What are its benefits?
  • Who will carry out the analysis (internal or external)?

The process itself should be planned:

  • Resources?
  • Time frame?
  • What techniques will be employed (model and methods)?
  • Software usage?

The combination of the ‘define (the project)’ and ‘define (the risk management process)’ can also be called the ‘initiation’ phase.

Identify

It is not possible to run a RISK MANAGEMENT PROCESS without trying to identify the ‘risks’.

In addition, we need to understand:

  • Where the risk originates from and what effects may be expected.
  • How will we act upon this ‘risk’ in terms of ‘proactive’ and ‘reactive’ responses?
  • What might happen if these responses fail? These are known as ‘secondary risks’.

Remember that the ‘effect’ will examine what are the consequences of the ‘risk’ materialising. This is different to the ‘impact’ on the project which could be, for example, low or high.

The root causes of the ‘risks’ should be considered.
Responses to each of the risks should be documented even if the response is to ‘do nothing’.

In order to carry out this stage we will need to:

  • Identify these risks by using suitable techniques that will encourage people to raise them. This would include problem solving techniques such as a brain storm. Other methods like interviews, checklists may prove useful.
  • Once a list of risks have been identified we will need to categorise them in some fashion.

In addition, we must:

  1. Document
  2. Check
  3. Review
  4. Circulate

This activity will also lead to the identification of potential opportunities.

Organise

The next 4 phases:

  • Organise
  • Ownership
  • Estimate
  • Evaluate

Are also known as the ‘analysis’ phase.

The aim of this phase is to refine what is currently known about the list of risks and other aspects of the plan, namely:

  • The list of risks should be reviewed with respect to their understanding and their responses. It is quite possible that the responses will be modified and others found during this process.
  • The classification of the risks will benefit from further consideration. Some of the risks may be held under the same umbrella for a given general response.
  • At the design phase a preliminary plan schedule was put in place. This requires review in terms of the interdependencies and the order of the activities based upon the risks and responses to date.
  • The updated ‘risk list’ requires ordering, together with any secondary responses. This may have meant reordering some of the activities in the project schedule.

As usual:

  1. Document
  2. Check
  3. Review
  4. Circulate

Are required.

It is important that the risk analysts are happy with the output and the proposed models that may be used.

Ownership

  • What risks and associated responses will be owned by the project owners? Which ones will be managed elsewhere? For example, contractors or consultants etc.
  • The responsibility of each risk associated with the project owners, not ‘given away’, must be allocated to named persons.
  • To sanction any risks that are allocated to contractors and third parties.

The first of these must be completed before going any further.

The others may need revisiting a little later once the consequences of the first part and other issues are clarified.

This difficulty of this activity will depend upon the nature of the organisations that are involved with the ‘delegated risks’. If possible these ‘delegated risks’ should be reinforced in a legal contract.
Depending upon the ‘contract’ policies of the project owner organisation it could be straight forward or very tricky.

The policy for this ‘risk allocation’ should be considered and then formulated for future use.
We should consider the type of organisations we will be prepared to use, the ‘objectives’ of the strategy (i.e. why is the organisation doing this) and which risks will be ‘delegated’.

In addition, the approach to planning the contracts should be considered as well as ‘how’ and their timing (when).

Estimate

This phase is concerned with performance measures, for example, cost and time and quality measures.

We need to concentrate on the risks and provide a firmer estimate of the likelihoods and the impacts in terms of cost, project durations, product quality etc.

We need to know which risks are important in terms of their impact.

The list of project risks are examined for areas which ‘MAY’ have a significant risk. It will be necessary to decide if additional data needs to be collected to clarify the situation.
In addition, those areas of the plan that ‘DO’ have significant risk should be reviewed carefully before critical decisions are made by the team.

The aim is to reduce the amount of time spent on ‘minor’ risks where simple and straight forward responses will suffice in order to concentrate on those risks where complexity means that a more thorough approach is called for.

Each risk is assessed for its likelihood (chance of occurring) and its impact (the affect it will have) on each of the performance criteria so far identified.
At this early stage it is often adequate to assign a simple classification of ‘impact’.
For instance, HIGH, MEDIUM and LOW are quite common. Others may wish to try to quantify risks by using statistical probability distributions but this may be too much detail at this stage of the RISK MANAGEMENT PROCESS.

A risk needs to be selected and then assessed in some fashion for its likelihood and impact by relevant experts. If necessary, the risks may require additional clarification.

Evaluate

The previous stage is looked at in a little more detail in terms of the impact and the responses and how they in turn may affect the project.

Plan

Having completed the RISK MANAGEMENT PROCESS a BASE plan or schedule is produced. This will contain all of the tasks, the milestones and of course the deliverables.
It should be as complete as possible. It will contain resource allocation and task ownership.

There will be a report summarising the RISK MANAGEMENT PROCESS indicating all of the threats and opportunities. This will include responses both PROACTIVE (prevention) and REACTIVE (if the risk materialises for contingency plans).

The proactive and reactive ‘contingency’ plans will, in themselves, have a schedule with activities, ownership and timings.
Trigger points and rules will need to be identified prior to implementation of the reactive ‘contingency’ plans.

Note: The proactive plans will form part of the base plan as they will need to be introduced in order to reduce affects from perceived risks.
Trigger points will need to be considered very carefully. These may not be entirely clear cut. We don’t want to wait for something to actually fail or a risk to fully materialise before implementing the contingency plan.

Manage

This is the part where the plan is put into operation. This will form part of the ‘execute’ phase of the normal project management process.

In an ideal world major risks will not materialise and all activities will run on time [see 'The Complete Time Management package']. This is unlikely to happen.
We will need to put into place all of the usual Project Management [see ‘The Complete Project Management package’] and [see 'The Complete Project Management plus PRINCE2'] processes to monitor and control the project.

This will continue against a backbone of progress reporting bringing attention to milestones and key issues.

General

Implementation of the RISK MANAGEMENT PROCESS earlier in the process than the ‘plan’ stage can face problems of lack of definition as the information is often too fluid.

However, the earlier the RISK MANAGEMENT PROCESS is carried out naturally there is more chance to influence the plan if it is carried out thoroughly. Responses can be considered in more depth which may lead to different approaches.