Risk Management – Principles and Definitions

We all hear about risk management (and risk assessment). The notion of trying to determine up front all the various things that ‘could’ go wrong is definitely a difficult task to undertake. Many a project that has hit rough times (or failed completely) can often find its troubles attributed to an unforseen problem that was not adequately taken into account up front. Now while no one has a crystal ball and can foresee every single issue that may (or may not) arise, it is important to still make a discerned effort into assessing as many conceivable risks and derive action plans to contend with them.

There are a whole slew of publications available regarding risk management and risk assessment. Degree and certificate programs are also available to those wishing to explore this area further. Truth be told, whole companies and careers are built around the notion of cataloging risks and formulating plans of action should problems appear as well as providing suggestions on how to proceed in order to mitigate potential risks.

Generally speaking, project managers are not formally schooled in the concept of risk management. Their background encompasses aspects of risk assessment, but depending on their role, it is likely to be one piece of the set of overall duties a project manager may be required to perform.

With that being said, it is important to take a moment and define some of the key concepts and definitions pertaining to risk management. What are some of the key takeaways and ideas that a project manager should be mindful of if attempting to perform a risk assessment on their project? What are some of the core principles that they should be aware of in order to best handle their project?

Risk Management – What is it?

In its purest form, risk management is the identification, classification and prioritization of risks. This is generally done in tandem with efforts to monitor, control and mitigate the risks. Risks themselves can be from factors internal to the project, such as the adoption of a new technology, team members that are new to the project manager, or resource constraints and internal dependencies. Additionally, risks can also be external, such as the health of the financial markets, competitive pressures, legal liabilities or even accidents. The sheer number and type of risks that may (or may not) factor in to a given project gives a good idea of how complex and problematic risk assessment can become.

Principles of Risk Management

There are specific core principles in regards to risk management. When looking to perform an actual risk assessment, the following target areas should be part of the overall risk management procedure (as defined by the International Standards Organization; ISO):

• The process should create value
• It should be an integral part of the organizational process
• It should factor into the overall decision making process
• It must explicitly address uncertainty
• It should be systematic and structured
• It should be based on the best available information
• It should be tailored to the project
• It must take into account human factors
• It should be transparent and all-inclusive
• It should be dynamic and adaptable to change
• It should be continuously monitored and improved upon as the project moves forward

When first addressing a risk management procedure for a project, take note of the aforementioned principles to ensure that your specific assessment is matching up with the core ideals as defined by ISO.

Risk Management Process

There is a specific procedure that one should follow when it comes to performing a risk assessment. The overall process can be itemized as follows:

1. Identification – Perform a brainstorming session where all conceivable risks are itemized
2. Planning – Once defined, plan for contingencies as part of the overall project plan; implement controls as needed
3. Derive Safeguards – Place specific ‘fallbacks’ into the overall project plan as contingencies for risks if they arise
4. Monitor – Continuously monitor the project to determine if any defined (or un-expected) risks manifest themselves

Note that the diagram that is part of this post dictates the aforementioned process in a graphical format.

Dealing with Risk

Once the risks are identified and the specific risk process has been instantiated, what should the project manager do with the defined risks? There are actually certain techniques to be aware of pertaining to risk. Being aware of what the risks are will dictate how effective each of the individual risk management options might be.

• Avoid the Risk – This may seem obvious, but it is an actual technique. There are instances where a perceived risk can be avoided entirely if certain steps are taken. An example of this might be a concern over a vendor supplying a given deliverable at a specific timeframe. It may be decided to perform the actual work for the deliverable in-house thereby eliminating the risk of the external vendor.
• Reduce the Risk – While some risks cannot be avoided, they can be reduced. This may be accomplished by fine tuning aspects of the overall project plan or making adjustments to specific areas of scope. Whatever the case, reducing a risk reduces the impact it will have on your project.
• Share the Risk – If a certain risk cannot be avoided or reduced, steps can be taken to share the risk in some way. Perhaps a joint venture with a third-party will reduce the downside risk for the organization as a whole. This could reduce the sunk cost and potential losses of the project if sharing of risk results in it being spread out over several different individuals or groups.
• Retain the Risk – This is actually a judgement call. Once all options are exhausted, the team members, sponsor and project manager may just decide to retain the risk and accept the downside potential as is. This decision is usually made by first determining the upside potential of the project. If it is deemed that the project’s expected upside far outweighs the sunk cost and downside, than the risk itself may be worth it. Note that in certain cases, insurance can be used to mitigate the downside, although the actual risk retention itself is what is being accepted by the team.

Conclusions

Risk management is a very broad field and often requires a very specialized knowledge set and background to perform adequately. However, from the standpoint of the project manager, he/she is the defacto risk assessment officer if none other have been made available. Being that the project manager is ultimately responsible for the success or failure of the project, being aware of the various concepts and methodologies behind risk assessment and risk management, will give them a leg up in being able to draft a project plan that takes into account any downside potential for the project.

Note: For further information on risk assessment, please read the post: Project Risk Management – Tools & Techniques.