Project Management Institute defines risk as follows: “An uncertain event or condition that has a positive or negative effect on a project’s objectives.”
As organisations or project teams function in a fluctuating and ever-changing environment, the risk factor is always present and has to be evaluated, monitored and controlled. Risk can affect people, processes, technology, and resources, impacting positively or negatively on the completion of the project. Therefore, project managers need to use various risk management techniques and processes to minimise potential risks and issues that can derail the planned budget, timetable, quality and quantity of the project’s deliverables.
Despite the need for risk management to be an integral part of the whole life-cycle of the project, sometimes risk management is not implemented properly as it is considered an expense with little return. This exposes the project to delays, deficient cost management and other negative effects, that can potentially damage the organisation’s reputation. Therefore, risk management must be embedded in project planning from the beginning.
Ideally, Project Risk Management is exercised according to a Risk Management Plan (step 1 of the graph below), which constitutes the conduct of risk management of projects. The plan develops across three main axes: Identifying and Assessing Risk; creating a Risk Response Plan; and, Monitoring and Controlling Risks.
Risk Assessment (steps 2-4 of graph below) gives a clear idea on the types, the probability and the impact of potential risks that could affect the project, using several risk assessment techniques. In effect, it identifies the following:
Based on the Risk Assessment analysis, the probability, as well as the impact of risk events on the project, can be rated as high, medium, or low. According to this rating, a project manager can Plan Risk Responses (step 5 of the graph above), which enables decision-making and subsequent planning of course of action, to address medium of high probability and impact threats to the project and to capitalise on arising opportunities. In other words, here it is decided firstly how much risk the project can afford (“project risk tolerance”) and secondly which risk events merit the attention and resources of the project team.
The Risk Matrix is a useful tool to help establish which risks need to be planned for. Subsequently, roles and responsibilities for monitoring risk triggers are determined and effective responses to risk events are planned and communicated to the project team.
The final step in this process is to Monitor and Control Risks (step 6 on the graph above). Here evaluation of the Risk Response Plan takes place, considering, for example, which forewarning factors and triggers were successful, how well did the team react and follow the action plan, which negative effects were avoided (or not), what could have been done differently/better, etc. Moreover, monitoring involves, among others, continuous tracking of established risks and identification of new risks.