Risk analysis has become an integral part of project controls. Why Risk Management?
The simple answer is that failure to properly manage risks can result in a negative
impact to three critical project variables, being cost, time and quality.
By taking what often are just simple mitigation measures project risks can be dramatically
reduced or even eliminated.
Definitions of risk and risk management
Risk is “an uncertain event or set of circumstances that, should it occur, will have
an effect on the achievement of the project’s objectives”.
Risk Management is “the process whereby responses to the risks are formulated, justified,
planned, initiated, progressed, monitored, measured for success, reviewed, adjusted
The risk management plan can be summarized as risk identification, quantification
Risk identification workshop
A crucial part of the risk management plan is the participative element which starts
with the kick-off risk identification workshop. This ideally would occur early in
the project life and preferably prior to contract award during the tendering stage.
At the risk meeting the focus would be on the qualitative aspects of project risk
and possibly also evaluating the quantitative aspects also. Though for the later
it might be preferable to cover the quantitative aspects afterwards at a separate
meeting since the quantitative aspects can generate a lot of time consuming subjective
and sometimes argumentative discussions that do not necessarily contribute to the
end goal: that is, the identification and management via the necessary public awareness
of the full spectrum (from contractual to execution to financial) of potential risks.
Ideally the risk workshop attendees should include individuals from different departments.
The right number of people for the risk workshop is very important. Too few people
can result in unilateral thinking with an insufficient range of views, while at the
other spectrum too many people (besides using up too many manpower resources without
much value in return) can create too much noise and significantly drag down a meeting.
Typically a meeting group size of about 6 people is quite effective, with 5 being
the lower threshold and 8 being the higher threshold.
Guidelines for Brainstorming Success
Brainstorming may be structured and is typically conducted on the basis that:
1. No idea is a bad idea.
2. Deliberation and discussion are to be deferred until the next step of the qualitative
3. Avoid telling war stories.
Ideas generated in brainstorming should be recorded on a medium, e.g., butcher paper/
flip charts or on-line as the ideas are generated, so that there is a real-time capture
of all ideas. Stating risks on a flip chart can help people visually connect to the
Risk Register & Major Risk Summary
During and right after the risk identification workshop a risk register should be
created with corresponding narrative detailing the risks and mitigation measures.
Qualitative – Risk Assessment
Qualitative Assessment Dimensions
There are primarily three dimensions used to assess the importance of a risk:
Probability – The likelihood that a risk will occur.
Impact – The effect that risk will have on the project if the risk occurs.
Manageability – The extent of control or influence the project team has over a risk.
Quantitative – Risk Assessment
The objectives of quantitative risk assessment are to numerically evaluate the probability
and impact of each risk and to prioritize risks using the outputs from Monte Carlo
modeling methods. The models provide another basis for prioritizing risks and allocating
resources to manage them.
Care should be taken to put the quantification of the risks in perspective: more
often than not the values used are rough order of magnitude as a result of lack of
historical data for the costs of the risk being quantified. While it is desirable
and an effort should be made to quantify all risks accurately this is not always
possible. However this is acceptable as long as it’s understood by the pertinent
parties the underlying accuracy range of the quantification process.
When quantifying risks the process can be as important (or even more so) as the actual
quantitative results. The process allows the participants to put on their “risk hats”
and think and discuss collectively about the project from a risk perspective and
hence increase the probability of avoiding, transferring and/ or mitigating risks
that can impact the success of the project.
Key benefits of quantitative assessments are:
• Simulation of risk impact on the project’s cost and schedule
• Developing and testing assumptions / constraints
• Verifying targets and plans for achievability
• Determining key cost and schedule drivers
• Allocating contingencies.
Associating (Mapping) Risks to Project Scope
Once the major risks are identified, the project team associates or “maps” the selected
risks to appropriate of schedule activities or to budget line items within a cost
estimate. Often times a risk will be pertinent to multiple activities, in which case
the same risk will be mapped to multiple activities. If a monetary contingency amount
has been allocated to the risk (that is the risk has been quantified.
Developing Risk Models
The objective of creating risk models is to evaluate the potential impact of the
major risks upon the cost and schedule estimates. As described above, this is performed
by applying ranges of possible costs and durations to the deterministic cost and
Developing Risk Model Results
The results generated from the quantitative cost and schedule models offer a window
into what might be optimistic and pessimistic project outcomes. As with any type
of forecast model, the results must be carefully scrutinized and validated against
historical benchmarks to ensure the model’s integrity. This validation effort is
an iterative and collaborative process between the project team and the analyst.
Risk Assessment Reports
A typical Risk Assessment Report is generally divided into the following sections:
• Executive Summary
• Results - Qualitative & Quantitative
Risk Assessment Updates
As the project matures along the project life cycle, the qualitative and quantitative
risk assessment processes repeat to continually identify and assess both new and
existing project risks. By updating the risk assessments on a regular basis, the
changes to the cost and schedule drivers can be proactively evaluated and addressed
to ensure a more predictable project outcome.
Risk Treatment Evaluation
Strategies to manage negative risk (threats) include:
Avoid – Seeking to eliminate the source of uncertainty.
The process of revising a component, system design or plan to eliminate a source
of threat. As an example, a lower threat, mature technology may be substituted for
a higher threat, new technology.
Transfer– Seeking to transfer ownership and/or liability to a third party.
The process of reallocating a subsystem, component, requirement or interface responsibility
to a third party, program or project team member. Requirements and responsibilities
may be transferred to customers, suppliers, or associate contractors. It is important
to note that transferring may not always eliminate the impact of the risk to the
party that is transferring the risk. When considering this treatment always consider
who is best able to manage the risk.
Mitigate – Seeking to reduce the size of the risk exposure to below an acceptable
The process of reducing a threat’s likelihood and impact levels through the systematic
completion of mitigation actions. Usually this consists of attacking the threat elements
of the overall risk until the threat is no longer an issue. When mitigation is selected
as the risk treatment approach, detailed risk mitigation actions need to be developed
and integrated into the project plan.
Accept – Recognizing residual risk and developing responses to monitor them.
The process of accepting a threat. A threat may be accepted when the likelihood and
consequence levels have been reduced to a level that has been determined as acceptable.
Strategies to manage positive risk (opportunities) include:
Exploit – Seeking to eliminate the source of uncertainty by ensuring that the opportunity
has the highest probability of occurring.
The process of revising component, system design or plan to exploit a source of opportunity.
The aim of the risk treatment is to ensure that the opportunity will be realized
as almost certain.
Share – Seeking to allocate ownership to a third party who is best able to maximize
probability of occurrence and benefit of the opportunity.
The process of retaining and sharing appropriate opportunities or parts of an opportunity
with others instead of attempting to leave them to chance.
Enhance – Seeking to increase the probability and benefit impact by identifying and
maximizing key opportunity drivers.
This is the primary method of opportunity realization by increasing an opportunity’s
likelihood and impact levels through the systematic completion of response plan actions.
Accept– Recognizing an opportunity, but developing no plans to promote its occurrence.
Developing Proactive Risk Response Plans
When developing the risk response plan it’s a good idea to tabulate these to include
at least the following information:
• Risk Description
• Risk Owner.
• Impacted project tasks/ scope.
• Overall plan.
• Detail actions to be taken to execute overall plan.
• Who is responsible for completing the detail actions - the Risk Action Owner(s).
• Dates or time periods for when an action should start and when it should be completed.
Questions that should be asked when revisiting the risk response plan include:
• Is the risk still valid?
• Is the risk assessment current?
• Is the selected response plan appropriate based on the current circumstances?
• Is the response plan consistent with other project plans?
Monitoring & Updating Project Risk Register
It is necessary once the project is being executed to monitor and update the risk
response plans. As stated earlier actual process for risk management done right can
be as valuable as the actual results and findings from the risk analysis as it facilitates
constructive communication between the participants.
Risk Review Meetings
Communicating and documenting risk information at all steps in the process is essential
to effectively implement project risk management. The process of reporting and reviewing
the status of risk is the principal mechanism for implementing risk management on
a project. Communicating risk status involves presenting the current likelihood and
impact assessment for a particular risk as well as the planned risk response plans.