What is Risk Management Process and why is it important?
A risk is an uncertain event that could possibly on its occurrence, affect the ongoing project life-cycle/ phase and in turn the project’s outcome. A risk may be a potential hazard to the planned outcome of the project in terms of Cost, Time, and Quality. However, in a few cases, the risk may turn out to be a positive catalyst for the project. In this article, we will have a look into the risk management process and why it is vital for the success of a project.
Uncertainties in a project may be anticipated mostly based on experience and historical data which can be mitigated or avoided while few cannot be anticipated turning out to be absolute disasters ruining the project outcome out-and-out.
One can compare the risks/ uncertainties with occurrences in every individual’s life shackling its progress. Attending untimely or de-efforts to mitigate it may lead to tragedy. Hence, managing such risks is of utmost importance to safeguard the interests of the project or life. Nevertheless, life is also a project with many phases in it.
Know more about the project description.
The objectives of the risk management initiative are to
- ensure compliance with applicable rules and regulations,
- assurance that the activities comply with PACED [will be discussed later in this article],
- support decision-making with appropriate risk-based information,
thus assisting in enhancing
- the efficiency of operations,
- the effectiveness of processes and
- efficaciousness of strategies.
What are the five steps in the risk management process?
For successful risk management, there are five [5] steps to be executed in a proper manner.
- Plan Risk Management - defining methodology to be applied for managing the risk.
- Identify the Risk[s] - List out the possible uncertain events that could affect the project outcome.
- Perform Risk Analysis - analyzing the probability of occurrence of the risk and its possible impact [Qualitative] on the project outcome based on the numerical analysis [Quantitative].
- Plan Risk Response[s] - developing strategies for the possible and probable risks to either enhance the positive effect or reduce the negative consequence.
- Control Risk[s] - performing all the above steps/ identifying new risks/ evaluating risk process effectiveness throughout the project.
You can learn project management through experiential workshops, a PMP prep course online, and even get expert guidance on your PMP exam!
What are the 4 process steps of risk management?
The four [4] process steps involved in risk management are:
- Identify the risk - distinguishing the possible risks
- Assess the risk - analyzing the probable impact of the identified risks
- Control the risk - managing or mitigating the risks depending on the risk nature
- Review the process - evaluating the process of risk management to the requirements
What are the methods of risk management?
Methods of risk management include:
- Risk strategy
- Risk management framework
- Risk management documentation
- Risk management responsibilities
- Risk-aware culture
- Risk training and communication
- Risk assessment
- Importance of and approaches to risk assessment
- Short, Medium, and Long-term risks
- Risk likelihood and impact
- Loss control
- Risk response
- Importance of risk appetite - risk capacity and risk exposure
- 4Ts of hazard response - Tolerate, treat, transfer and Terminate
- Risk control techniques - Preventive, Corrective, Directive and Detective
- Risk assurance and reporting
- Evaluation of control environment
- Activities of an internal audit function
- Risk assurance techniques - audit committees
- Reporting on risk management - risk documentation
- Importance of corporate reputation
How do you project risk management?
Risk Management in project has become of utmost priority because of experiencing global financial crisis and increase in a number of corporate failures, also, increasing stakeholder expectations.
Whichever the field the project is, there is always a possibility of encountering risks which may or may not be averted depending on its nature. However, risk management is everyone’s responsibility.
Here, I would like to mention the 10 myths of risk management by Dr. David Wilson which clearly states what risk management is all about and its role among the project teams.
- All risks are bad
- Risk management is a waste of time
- What you don’t know won’t hurt you
- The risk manager manages risk
- All risks can and should be avoided
- Our projects aren’t risky
- Risk management requires statistics
- Risks are covered by routine processes
- Contingency is for wimps
- Risk management doesn’t work
What are the types of risk?
Risks can be divided into three [3] categories:
- Hazard Risk - associated with the management of pure risk - need to be mitigated.
- Control Risk* - associated with the management of uncertainty [unknown and unexpected] - need to be managed.
- Opportunity Risk - associated with the benefits of speculative opportunities - need to be enhanced.
Note: * not to be confused with Control Risk - one of the five steps of the risk management process.
There are certain events that can only result in negative outcomes. These risks are hazard risks or pure risks. In general, organizations will have a tolerance of hazard risks, and these to be managed within the levels of that tolerance. A common area where these kinds of risks are observed is Occupational health and safety.
There are certain risks that give rise to uncertainty about the outcome of a situation. These can be described as control risks. Often these risks generate uncertainties on the project budget, time and quality which are to be taken care of or managed to be in the desired range. The main purpose of managing such risks is to reduce the variance between anticipated outcomes and actual results.
At times, organizations consciously take risks in order to achieve a positive return, though not guaranteed. These can be described as opportunity risks. These relate to the relationship between risk and return.
However, apart from the above, a project may face risks from four [4] different ways which can be broken down as below. These, again, maybe of hazard, control and opportunity kind of risks.
What are the principles and techniques of risk management?
Principles of risk management:
The main principle of risk management is that it reduces the volatility or uncertainty of outcomes thus achieving the best possible result/ product.
A successful approach to risk management initiative and framework within an organization is known as PACED.
- P - Proportionate to the level of risk
- A - Aligned with other business activities
- C - Comprehensive, systematic and structured
- E - Embedded within business processes
- D - Dynamic, iterative, and responsive to change
However, the critical goal of risk management is to enhance the efficiency of operations, the effectiveness of processes and efficaciousness of strategies.
As the result of a risk may have on the project, a negative impact [due to hazard or pure risk] or a positive impact [due to opportunity or business risk] so the strategies to deal with the risks.
Techniques in risk management:
a. Hazard or pure risk:
- Avoid - changing the project plan so that particular risk can’t occur during which inadvertently new risks arise called secondary risks.
- Mitigate - steps are to be taken to reduce the likelihood and/or impact of an identified risk.
- Transfer - outsourcing the risk or awarding the handling of risk to a third party.
- Accept - tolerating the risk as it is.
b. Opportunity or business risk:
- Exploit - reduce the time to completion or to provide lower cost than originally planned.
- Share - forming risk-sharing partnerships, teams or JVs.
- Enhance - increase the probability and/or positive impact of an opportunity.
- Accept - no action.
In whichever the given situation, both the risks must be assessed and managed.
What are the four ways to deal with risks?
Priority significant risks faced by an organization are those that have:
- High or very high impact in relation to the benchmark test for significance
- High or very high likelihood of materializing at or above the benchmark level
- High or very high scope for cost-effective improvement in control
To handle such risks, Paul Hopkin - Author of Fundamentals of Risk Management, stated in his book, four [4] ways called 4Ts.
- Tolerate risk and its likely impact - a detective action is required to control the risk.
- Treat risk to reduce the likely impact - a corrective action is required to control the risk.
- Transfer risk to the third party - a more directive action is required to control the risk.
- Terminate activity generating the risk - a preventive action is required to control the risk.
Drawing a distinction between project risk management and the reason why the project was undertaken is of utmost importance because project risk management is concerned about the risks embedded within the delivery of the project. Project risk management should be an extension of project planning. The main requirements of any project are that it is delivered on time, within the budget [cost], and to specification or performance [quality].
A risk is often defined in terms of uncertainty or deviation from required outcomes. Therefore, the focus of risk management is often on the reduction in the variability of outcomes and the management of control risks. Project risk management is a type of control management. Project risk management is one of the successful areas for the application of risk management tools and techniques.
As per the Project Risk Analysis and Management [PRAM] Guide developed by The Association for Project Management [APM], there are five [5] points in a project where an accurate prediction of the impact of risk-based events can be done:
- Feasibility: at this stage the project is most flexible, enabling changes to be made that can reduce the risks at a relatively low cost.
- Sanction: the client can view the risk exposure associated with the project and check at all steps to reduce/ manage the risks have been taken.
- Tendering: the contractor can ensure that all risks have been identified by the risk contingency or risk exposure limits have been set.
- Post Tender: the client can ensure that all risks have been identified by the contractor and assess the likelihood of programmes being achieved.
- During implementation: the likelihood of completing the project to cost and timescale will increase if all risks are identified and correctly managed.
Risk management should be embedded in project management so as to consider that it is just another project management technique. It must not be seen as optional. It must be built-in into project management and not seen as a bolt-on. Built-in risk management has two [2] key characteristics:
- Project management decisions are made with an understanding of the risks involved.
- Risk management must be integrated with other project management processes.
The Importance of Risk Management In An Organisation
Importance of Risk Management in an Organization can be understood by analyzing a series of steps:
Level of risk:
The explicit management of risks brings benefits. By taking a proactive approach to risk and its management, organizations will be able to achieve improvement in:
- Operations
- Processes
- Strategy
Stakeholders should expect that organizations will take full account of risks that may cause disruption within operations, late delivery of projects or failure to deliver the strategy.
The exposure presented by an individual risk can be identified in terms of the likelihood of the risk materializing and the impact of the risk when it does materialize. As risk exposure increases, then likely impact will also increase. The level of risk should be compared with the risk appetite [set of risk criteria] of the organization for risks of that type.
Impact of hazard risks:
Hazard risks undermine the objectives, and the level of impact of such risks is a measure of their significance. Hazard risk management is closely related to the management of insurable risks. Hazard [or pure] risk can only have a negative outcome.
Hazard risk management is concerned with:
- Health
- Safety
- Fire prevention
- Avoiding damage to property
- Consequences of defective products
Hazard risks can cause disruption to normal operations resulting in increased costs. Theft and fraud can also be significant hazard risks to an organization. Techniques to avoid such risks include adequate security procedures, segregation of financial duties, authorization and delegation procedures, etc.
Risk and reward:
Another feature of risk and risk management is that many risks are taken by organizations in order to achieve a reward. When an organization puts the value at risk, it should do so with the full knowledge of the risk exposure and it should be satisfied that the risk exposure is within the appetite of the organization. Even more important, it should ensure that it has sufficient resources to cover the risk exposure.
Risk and uncertainty:
Risk is sometimes defined as the uncertainty of outcomes. It is particularly applicable to the management of control risks. Control risks are most difficult to identify and define but are often associated with projects. The overall intention of a project is to deliver the desired outcomes on time, within budget [cost], and to specification [quality].
A certain level of deviation from the project plan can be tolerated, but it must not be too great.
Attitudes to risk:
Different organizations will have different attitudes to risk. Some organizations may be considered to be risk-averse while some others risk aggressively. To some extent, it depends on the nature and maturity of the marketplace within which it operates, as well as the attitude of the individual board members
Risks cannot be considered outside the context that gave rise to them. Improvement in the decision-making process is one of the key benefits of risk management.