What is Risk Management?
The Australian and New Zealand Standard for Risk Management AS/NZS 4360:2004 defines risk management as: “the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects”.
Why manage risk?
Managing risk is not just about going completing the (often prescribed) Risk Management Plan then putting it in your bottom drawer and forgetting about it. Ongoing Risk Management is a business activity of vital importance for all organisations – Government and private.
Organisations that effectively manage project risk have a greater likelihood of achieving their objectives and desired results. Done well it minimises losses from negative outcomes and identifies opportunities to improve project results.
No matter what the size, every project will at some time be exposed to risk. Risks can be direct, physical problems such as illness, floods or fire damage, theft or vandalism. But risk can also be less obvious and direct such as poor decision making, poor recruitment processes or investing in inappropriate technology.
Risk Management Workshops
There are many ways to consider risks to your project but an efficient, tried and tested method frequently used is that of the Risk Management Workshop. The purpose of the workshop is to identify, assess and prioritise risks and plan appropriate treatments. The workshop is usually conducted with representatives from the project team, key stakeholders and clients – in fact anyone who can offer constructive insights into likely project risks and their possible treatments.
Types of project risk
An efficient risk management workshop uses models and processes to identify and assess risk. Both internal and external risks should be identified and examined. One model used to assist in identification of external risks is P.E.S.T.L.E – an acronym for: Political, Economic, Social, Technical, Legal, and Environmental.
Project teams should first conduct some research to identify the extent to which any of these external elements might impact. A good example (of political) would be the impact of the recent election on Government project spending.
A model for identifying internal risks consists of: Benefits Delivery, Project Delivery, Corporate, Design and Critical Success Factors.
Benefits Delivery asks the question: “What are the threats to my project successfully delivering the benefits expected?” This might include: How well known is the project’s ‘big picture’? How well is the need for change accepted by those impacted by it? Has a compelling case for change been made – is there commitment? Are unions involved and are they supportive? How well is the organisation primed for change? Are the support functions — HR, Finance, IT, etc – actively involved and supportive?
Project Delivery risks are risks to the project processes being successfully implemented. They are subject to frequent change. They cover: understanding of the business and knowledge of business requirements; availability of design and development skills; knowledge of technology; timeframe (is it sufficient) and consequences of failure.
Corporate risks relate to the client organisation and include: financial risk (eg debts or revenue); security – especially of technology; the ‘risk appetite’ of the organisation (some industries are typically more tolerant of risks than others); existence of formal risk structures; customer/staff loyalty risks; competition risks.
Design risks deal with unintended results of project solution. Throughout the project, staff will join and leave. These might be managers, analysts, trainers, consultants or others. They may not have been in place when key decisions were made regarding project solution and implementation. Design risks include: assumptions, contract changes, rule breaches, training lapses, lack of understanding of what things mean.
By their very nature, critical success factors are a key source of risk. The are those factors that need to exist or go right for the project to succeed which are outside the control of the project manager. They include project funding and resource availability (such as the right staff at the right times).
Assessment, Prioritisation and Treatment
Once all project risks have been identified the workshop will work through all the risks first assessing the likelihood of occurrence and impact of each risk on project outcomes. From here teams are able to prioritise risks in terms of urgency and importance.
Some risks will be deemed to be acceptable while others will require action to either reduce the likelihood or the impact of the risk, or both. From here a Risk Treatment Plan can be developed and actions brought into the Project Plan for completion.
It’s not enough to just hold one workshop, prepare the plan and be done with it. Both internal and external factors are subject to change – sometimes without warning. For this reason risks need to be reviewed on a regular basis. It is suggested there be a core sub-team specifically convened to keep an eye on project risks. For complex projects this should be done fortnightly, for smaller projects monthly or quarterly is sufficient.
Become a Risk Manager
Organisations world-wide are recognising that effective risk management is good business. For project managers experienced in successful risk management, there is now a certification that acknowledges skills in and knowledge of risk. The Risk Management Institution of Australasia (RMIA) now offers a Certified Practicing Risk Manager that PMs can undertake that will add to their capacity to attract interesting, challenging and high paid positions to strengthen their careers.