What are the Risk Management Steps? Unveiling a Proactive 5-Step Process to Help You Manage Risk


When you manage risks, you manage the life of your project.

One of the keys to success is for project managers to manage the project management processes. The risk management process is an integral part of that success.

It doesn’t matter if your project is an IT project or a construction project; you must carefully manage risk by going through the entire risk management step-by-step process.

Therefore, today, we will go over a topic I discussed with a colleague the other day, which I knew I had to write about: the Project Risk Management steps. You need to take these steps to find emerging risks and take the appropriate response to handle those risks. 


First, a Quick Review of Risk Management:

The Project Management Book of Knowledge (PMBOK) defines risk management as:

“A systematic process of identifying, analyzing, and responding to project risks”

Risk Management is a detailed process that identifies, analyzes, and responds to threats and opportunities of a project.

To properly conduct risk management, the threats and opportunities of the project must be evaluated consistently until project closure. Quick definitions of positive and negative risks are:

  • Threats (negative risks)

    • Negatively impact your project scope, cost, or time. This could mean an extension of a task that pushes the entire project’s completion date to the right, resulting in higher costs to complete, or something as simple as a natural disaster happening in the location of your project, putting a halt to the project entirely.

  • Opportunities (positive risks)

    • Positively impact your project scope, cost, or time. This could mean a reduction in a timeline due to unforeseen circumstances revolving around a new tech or an updated policy that allows you to streamline your timeline.

So, to easily define risk management, it is the process of evaluating threats and opportunities for a project, evaluating those risks for impacts on the project, and finding ways to respond to those risks.

Now, let’s jump into the steps required for risk management. 

The 5 Risk Management Steps:

  1. Plan for Risks

  2. Identify Risks

  3. Conduct Risk Analysis

  4. Develop Risk Response

  5. Monitor and Control Risks

You will then repeat steps 2 – 5 until project closure.

To ensure you are up to speed on these steps, let's take a deeper look into each one.

Plan for Risks:


Planning for risks starts immediately after project inception.

This is where the risk management plan is built. You determine different areas, like:

  • Risk Management Objectives: How you will execute the risk management process

  • Risk Identification: The methods used to identify the potential risks

  • Risk Assessments: Criteria for evaluating the risks

  • Risk Responses: How will you evaluate and determine the appropriate responses

  • Documentation: How will you document risks

  • Tolerance and Thresholds: What are the risk tolerance and thresholds of your stakeholders

  • Funding: What are your funding allocations to include contingency for unknown risks

Planning for risks is a key component of risk management. It is your risk strategy.

It is the pivotal element in effective risk management. Your enterprise risk management strategy hinges on this planning, and the greater the precision and thoroughness of your plan, the greater the adaptability your risk management teams will possess when evaluating potential risks.

Identifying Risks:

Identifying risks is a strenuous process that, in my opinion, could be the hardest step in this entire process. And for the project or risk manager, it could be one of the more stressful steps.

Why is this stressful? Well, you do not want to miss anything – there is nothing worse than getting that email that sends you down an endless hole of work because you didn’t identify the risk.

To combat this, you and your team should use a systematic approach to identifying the risks for your project. This can be done through multiple different ways, but some of the most popular methods are:

  • Brainstorming: Having sessions to go through as many risks as possible, usually great early in the project.

  • Assessments: These are done throughout the project, focusing on analyzing the project and its current status.

  • Checklists: Built from historical information, you develop a checklist of risks that could happen and the responses associated (good for projects that are similar to projects done before)

After identifying your risks, you want to ensure that you label them in a way that makes sense to whoever may read them. The standard for how to write a risk is:

Cause –> Risk –> Effect

Example: Due to the unexpected interference with the internet, the project may face a disruption of communication across international teams, resulting in delays in communication, collaboration, and access to data that could extend the project deadlines and increase costs.

Using this format in your risk management program keeps risks consistent across the team and ensures the proper details carry into the next step of the project risk management process: analysis.

Conduct Risk Analysis:

To properly manage risks, you must conduct an analysis of the risks. 

Conducting risk analysis consists of qualitatively and quantitatively analyzing risks to determine the ranking and costs associated with your risks. 

Qualitative Analysis:

The first step is when you rank risks through qualitative analysis. This more subjective step is also known as the Probability x Impact analysis, where the goal is to develop a list of the most important risks.

Data will be used to evaluate risks based on risk categories, potential impact, and likelihood of occurring. An example of this would be the chart below called a Risk Assessment Matrix:

[Figure: Risk Assessment Matrix (qualitative risk analysis)]

Using this high, medium, and low analysis, you can easily rank your risks within your risk register and set them up to move to the next step, the quantitative risk analysis step.  

Quantitative Risk Analysis:

Quantitative risk analysis is when you enter into the objective side of the risk analysis. This is where we put a numerical weight behind the risk. This step, although cumbersome if not using specialty software, is critical in developing the budget for your project.

When doing quantitative risk analysis, you are taking a more thorough, deeper dive into the risks. In essence, doing this analysis helps refine and clear up the risks from the qualitative analysis. In turn, you develop a numeric value associated with your risk, allowing you to build greater clarity in your overall risk picture.

There are simple tools and processes for quantitative analysis ranging from simple analysis, like three-point analysis, to full computer-generated analysis, such as a Monte Carlo analysis. Using these programs, you can build a complete picture of the risk evaluation with details like a complete range of risk outcomes with a total monetary value.

At the end of the qualitative and quantitative analysis, the goal is to complete a detailed project risk evaluation, allowing the project sponsor and key stakeholders to balance the outcomes vs. their risk acceptance level.
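The three-point and Monte Carlo analyses mentioned above can be sketched in a few lines of Python. This is an added example, not part of the original post: the register entries, probabilities, cost figures, and the choice of a triangular distribution are all assumptions made for illustration.

```python
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float  # chance the risk occurs, 0..1 (constructed value)
    low: float          # optimistic cost impact if it occurs
    likely: float       # most likely cost impact
    high: float         # pessimistic cost impact

    def three_point(self) -> float:
        """PERT-weighted three-point estimate of the cost impact."""
        return (self.low + 4 * self.likely + self.high) / 6

    def emv(self) -> float:
        """Expected monetary value: probability x three-point impact."""
        return self.probability * self.three_point()

# Constructed register for illustration; none of these figures are from the post.
REGISTER = [
    Risk("Internet disruption across international teams", 0.30, 10_000, 25_000, 70_000),
    Risk("Key supplier delivers late", 0.20, 6_000, 15_000, 42_000),
    Risk("Rework after stakeholder review", 0.50, 2_000, 8_000, 20_000),
]

def simulate(register, trials=20_000, seed=1):
    """Monte Carlo: each trial decides which risks fire and samples their cost."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in register:
            if rng.random() < r.probability:
                # Triangular distribution is an assumption of this example.
                total += rng.triangular(r.low, r.high, r.likely)
        totals.append(total)
    return sorted(totals)

def summary(register, trials=20_000, seed=1):
    totals = simulate(register, trials, seed)
    pick = lambda pct: totals[min(len(totals) - 1, len(totals) * pct // 100)]
    return {"emv": sum(r.emv() for r in register),
            "mean": sum(totals) / len(totals),
            "p50": pick(50), "p80": pick(80), "p95": pick(95)}

if __name__ == "__main__":
    for r in sorted(REGISTER, key=Risk.emv, reverse=True):
        print(f"{r.emv():>10,.0f}  {r.name}")
    print({k: round(v) for k, v in summary(REGISTER).items()})
```

The simulated mean comes out above the three-point EMV because the triangular distribution gives the pessimistic tail more weight than the PERT formula does. The percentile figures give stakeholders a range of total cost outcomes to compare against their risk acceptance level.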

Once this analysis is complete, the next focus is on conducting additional risk assessments to determine the responses to the risk analysis.

Developing Risk Responses:

Risk response planning is the meat around the bones for risk management. Here, we get to start figuring out how we will respond to the risks we have labeled from our risk analysis at the top of our risk register. These responses are broken up between threats and opportunities.

Threats:

  • Avoid the threat

  • Transfer the threat

  • Mitigate the threat

  • Accept the threat

  • Escalate the threat

Opportunities:

  • Exploit the opportunity

  • Share the opportunity

  • Enhance the opportunity

  • Accept the opportunity

  • Escalate the opportunity

As you can see, you have plenty of options for risk management strategies around risk responses that are not always focused on mitigating risks. Using the risk factors for your project, you can determine which other risk reduction measures or enhancement measures you and your team have to take.

Risk response planning is where risk management hits its peak for being proactive over reactive. All the planning and time spent identifying and analyzing risks come down to this step.

You need to take the time to analyze your risks and determine the appropriate way to respond.

The efforts made up to this point will determine how the next process in monitoring and controlling your risks succeeds. Now, let’s jump into the next step in risk management.  

Monitoring and Controlling Your Risks:

Once you complete the above process, you are not done yet. To manage risks effectively, you must continue identifying, analyzing, and assessing new risks. You’ll also need to reexamine your old and existing risks.

Monitoring and controlling your risks is where you implement all the risk management practices referenced above.

The hardest part of managing risks is that you can’t just record risks, assign risk owners, sit back with a cup of coffee, and relax. Not at all! You must continue to follow up on the existing risks and evaluate for new risks. 

Existing Risks:

You have assigned risk owners, but to get the information you need, you will need a risk update meeting with the associated owners. Doing these reviews ensures you receive up-to-date information on the risks, allowing you to update your risk register and adjust risk responses as necessary.

This reevaluation of your risks also provides an opportunity to assess risk impacts due to changes in the project environment or update key indicators or triggers that could have changed due to additional information coming up through the execution of the project plan.

An existing risk must be continuously evaluated, assessed, and validated for its impact based on the updates to the project. 

New Risks:

You can assess a new risk at any point throughout your project. And when you do, take it from step 2, all the way to step 5.

This assessment of new risks can be done either on-demand when the risk is identified or during scheduled conversations with your team. Ensure that you and your team are prepared to update the risk register whenever a new risk materializes for the project. 

Realized Risks:

If a risk in your risk register triggers and is realized, you must respond according to your risk response plan.

This is why response planning is essential and should not be taken lightly. You do not know when a risk will become live in your project. You do not want to be caught off-guard when you could have had a plan! 

Let's Review:

The Risk Management Steps:

  1. Plan for Risks

  2. Identify Risks

  3. Conduct Risk Analysis

  4. Develop Risk Response

  5. Monitor and Control Risks

It does not matter what your project is; you must carefully manage risk by going through the entire risk management step-by-step process.

This was just a quick overview of the risk management process of identifying, analyzing, responding, monitoring and controlling your risks – but it also shows that risk management is not overly complicated. With the right resources and the right teams, you can ensure that you position yourself so that your positive risks (opportunities) occur and that your negative risks (threats) do not occur.

Taking a proactive step by going through this entire process carefully and with a purpose ensures that your organization, company, employees, etc., will find value in your projects.

Not every stakeholder will find risk management necessary, but that is where you and your expertise in project risk management can inform the stakeholder of the value behind understanding risks.

Now, go and update those risk management plans, fix your risk registers, do your risk analysis, and get proactive with your risk responses. I can guarantee if you take the time to do this analysis, your project will be set up for success in ways you wouldn’t believe.

– Russ Parker

The Risk Blog: Proactive Over Reactive