Risk Management (by Martin)
What is ‘Risk’?
There are many definitions of risk, but my preferred ones are:
“the effect of uncertainty on objectives” (1)
“the potential of situation or event to impact on the achievement of specific objectives” (2)
“an event which may occur in the future and which if it happens might impact on the ability of the organisation to achieve its objectives” (3)
Risk vs Issue vs Problem
To many in and around the project management community (and, no doubt, elsewhere) there is often confusion about the distinctions between ‘risk’; ‘issue’ and ‘problem’.
A ‘risk’ is an event that may, or may not, occur. It is a probabilistic happenstance, that is outside of the control of project participants (although they may be able to influence the impact of the event should it mature).
An ‘issue’ is a breach of the agreed tolerances for work or a deliverable within a project or programme that must be resolved and will require support of the project sponsor to agree the chosen resolution. It is also the term often given to a risk event that has matured (i.e. occurred).
A ‘problem’ is a matter to be dealt with in day-to-day management.
Characteristics of Risk
When considering risk and seeking to describe what it is; it may be helpful to reflect on the sequence: Cause, event and effect. That is to say ‘something’ – a cause may result in the occurrence of a ‘risk event’ which may affect the objectives.
Thus ‘risk cause’ is the source of the risk i.e. a circumstance that may be either internal or external to the project that triggers the ‘risk event’. The ‘risk event’ should describe what might happen (the area of uncertainty) and determine if it is a threat or opportunity. ‘Risk effect’ describe the impact that the risk would have on the project objectives should the risk materialise.
When discussing a risk event there are three things to be considered:
Likelihood. That is; what is the probability of the event occurring. Likelihood can be stated in either a general way on (say) a five-point scale of: very low; low; medium; high and very high or in a stochastic way by assigning numeric probabilities to the event occurring.
Impact considers the result of the risk event occurring on the achievement of the project’s objectives, again on (say) a five-point scale.
Lastly, Proximity. It is useful to consider how close to “time now” might the risk event actually occur i.e. within one week, one month, three months, six months, longer than six months.
Proximity doesn’t, of course, have any effect on likelihood or impact, but it does inform management’s decision-making in terms of focus and importance as it would be prudent to deal with those risks expected to mature sooner before those that occur later in time. (Although equally; high probability, high impact risks merit consideration ahead of low probability, low impact ones).
Risk Attitude and Risk Appetite
Risk and uncertainty are ever present in programme and project management and, moreover, consideration of the risk(s) involved are necessarily perception based. Risk attitude is a perception driven conclusion by an individual or group as to the “riskiness” of the project or endeavour. For example: extreme sportsmen’s view of how “risky” something is may be different to those who just spectate.
Risk appetite is how much i.e. the quantum of risk that individuals, sponsors or investors are prepared to tolerate in order to achieve their, or the project’s objectives.
Decision-makers may need to reflect upon the perception of risk at the individual and organisational level and recognise that investors and funders may have a range of views regarding how “risky” an enterprise or project may be.
Upside and Downside
Risk can also be categorised into “upside” risk (sometimes referred to as opportunity) and “downside” risk. The former, should it occur, may be expected to enhance or improve the out-turn performance of the project; that is, it is a positive thing (and consequently the management team should seek to ensure that the event does occur. The latter will have a detrimental or negative effect on the out-turn and management should seek to reduce or mitigate the likelihood of the event occurring and its impact.
The purpose of risk assessment is to seek to determine the combined effect of the degree of uncertainty that a risk event may occur and the impact on objectives should it occur.
Simple risk assessments are, generally, made by reference to a matrix analysis which plots likelihood and impact using the five point scale referred to above. Thus, any individual risk event would be assigned a score in the range of 1 to 25 representing a very unlikely occurrence with a very low impact (1) to a very likely occurrence with a very high impact (25).
At the risk of stating the obvious, upside (opportunity) and downside risks need to be considered separately.
[Figure 1: Risk assessment matrix]
Classically, there are a range of responses available to decision-makers and managers, depending on whether the event is a threat or an opportunity i.e. is it a downside or upside risk.
Threats or Downside Risks
Change an aspect of the project i.e. scope, procurement route, supplier or sequence of activities, so that the threat can no longer have an impact or can no longer happen.
Take proactive action to reduce the likelihood of the event occurring by putting in place a control, or reduce the impact of the event should it occur.
Put in place a fall-back plan to reduce the impact should the risk occur. This is a reactive response.
A third party takes responsibility for some of the financial impact of the threat, should it occur.
Risk sharing between two (or more) parties by agreement to share the consequences such as increased cost should the risk mature.
A conscious and deliberate decision to retain the threat, as it is more economical to do so than to attempt a response action and/or because it falls within the risk appetite of sponsors. Nevertheless, the threat should continue to monitored to ensure that it remains tolerable.
Opportunities or Upside Risks
Seize an opportunity and seek to ensure the cause will happen and the beneficial impact will be realised.
Take proactive action to enhance the probability of the cause occurring or the impact should the event occur.
Parties by agreement may share the beneficial gains such as cost savings or enhanced performance if the risk matures.
Take a conscious and deliberate decision not to exploit or enhance the opportunity.
The Risk Register is a tool that assists with the recording of potential risks and the response(s) to them decided upon by project sponsors and their professional management team.
It is considered good practice for the register to record:
- Risk event
- Risk Score (product of likelihood and impact)
- Risk Owner
- Post response likelihood
- Post response impact
- Post response score
- Further actions
- Date for next review
- Is the risk “Open” or “Closed” (that is, is the risk still likely to occur, or has it either occurred and been dealt with or is it no longer a risk)
[Figure 2: Typical risk register]
The project team should put in place an action plan to deal with agreed responses to risk events. Such plans should deal with two sets of circumstances.
The first concerns downside risk and comprises two elements: (a) the plan to implement the risk response and (b) the plan should the risk event nevertheless occur post mitigation.
The second is the plan to be implemented to enhance the probability of upside risks maturing.
Risk Management Framework
An organisation’s risk management framework is the over-arching protocols and methodologies for assessing, managing and responding to risk events.
It should also set out the risk attitude and range of risk appetites that the organisation is prepared to accept and the mechanisms for assessment, review and decision-maker approvals and/or delegated authorities. Usefully, it could also include audit arrangements.
Risk and uncertainty is ever present. Organisations and temporary project organisations should adopt and implement a management framework that enables risks to be assessed reviewed and managed with appropriate mandates delegated to particular post-holders or individuals.
Adopting such practices as discussed here provides a level of organisational preparedness to not only deal with identified risks and opportunities but, importantly, a methodology to deal with any unexpected risks that might be encountered (the unknown unknowns).
Despite such processes, however, it needs to be recognised that the practice of risk management is an iterative one that needs to be kept under review at all times.
(1) British Standard BS ISO 31000 : 2011. Risk management - Code of practice and guidance for the implementation of BS ISO 31000, British Standards Institution, London, 2011.
(2) APM Body of Knowledge Seventh Edition, The Association for Project Management, Princes Risborough, 2019.
(3) Anderson, R., in “The Risk Management Universe: A Guided Tour”, Hillson, D. (Ed), British Standards Institution, London, 2006.
Published at pmmagazine.net with the consent of Martin Stevens