What is project risk management?
There are many risks associated with projects. It is impossible to foresee and handle all risks, and it is also impossible to reduce all risks to zero.
However, if you proceed with the project without considering the risks, it may lead to business failure. How project managers envision and address risks in the project.
This is called risk management, and it is a very important aspect of project management.
The PMBOK, a globally used project management guide, defines ten management domains and five processes. Ten management domains are defined as follows, is positioned heavily as one of these domains:
- Integrated management
- Scope management
- Schedule management
- Cost management
- Quality management
- Resource management
- Communication management
- Risk management
- Procurement management
- Stakeholder management
In this article, I will explain risk management as defined in the PMBOK Guide.
Table of contents:
- What is risk management in project management?
- Individual risk
- Overall risk
- The seven processes of risk management
- Planning process group
- Execution process group
- Monitoring and control processes
- Event risk and non-event risk
- Responding to sudden risks
- Integrated risk management
- Summary of risk management in project management
What is risk management in project management?
The PMBOK Guide defines risk management in project management as the process of carrying out risk management planning, identification, analysis, response planning, implementation of response measures, and risk monitoring for a project.
The risks of a project can be roughly divided into two types:
Individual risk
These are events or conditions whose occurrence is uncertain. If it occurs, it will have a positive or negative impact on one or more project objectives.
Overall risk
The overall risk is the impact of uncertainty on the project as a whole. It arises from all sources of uncertainty, including individual risks, and stakeholders are affected by both positive and negative variability in project outcomes.
As can be inferred from the above classification, risk in a project refers to the uncertainty of events related to the project. No matter how meticulously project managers plan, events that do not conform to the plan will occur.
In addition, events that cannot be foreseen at the time of planning are also risks. When project managers are involved in risk management, it is important to control rather than eliminate the risky uncertainty.
The goal of risk management in project management is to increase the probability and impact of positive events on the project and decrease the probability and impact of negative events.
It's easy to forget, but one event that can be risky has positive and negative aspects. For example, let's take the event of changing the supplier of materials to reduce costs. While the price of raw materials is a positive factor due to changes in suppliers, the possibility that the quality of raw materials is inferior to before is a negative factor.
If you think of an event as a threat to your project, you'll take action as negative. On the other hand, you will take all measures to be positive if you take risks as an opportunity.
The seven processes of risk management
The PMBOK Guide categorizes risk management processes in project management into seven types.
Each process has three stages: inputs, tools and techniques, and outputs.
Inputs are the documents and information required before executing the process, tools and techniques are the specific means of executing the process, and outputs are the new documents and information obtained from executing the process.
Here is an overview of each process:
Planning process group
Risk management planning
Planning is the first step in risk management. Define how the risk process will proceed, determine analytical tools to identify risks and create a risk management plan. It is a process that starts when the project is envisioned and should be closed to project recall, but the project is constantly changing and should be reviewed later in the overall project.
When planning risk management, you may create an RBS (Risk Breakdown Structure) similar to the WBS (Work Breakdown Structure). RBS is a division of the categories of risks that can be assumed in advance. It is convenient for exploring risks in the following processes or for classifying identified risks.
Risk identification
Identify both individual risks and overall risks. Basically, all parties involved are required to participate in identifying risks. This creates a list of risks called the risk register. When describing individual risks, it is necessary to have a uniform format and clearly understand each risk without leaving any ambiguity.
In addition, a risk owner who is responsible for individual risks is appointed. The risk owner may not necessarily be the project manager. Also, risk identification is an iterative process during the course of the project, as new individual risks arise as the project progresses.
In addition to the RBS developed in the planning process, a SWOT analysis is also used to identify risks, which is a process of examining the project from the perspective of Strengths, Weaknesses, Opportunities, and Threats.
Qualitative analysis of risks
Analyze the probability of occurrence and impact of the identified risks, and prioritize them for the response, taking into account the level of urgency.
Prioritization is called qualitative analysis because it is based on subjective risk perceptions by the project team and stakeholders. To eliminate subjective bias, project managers need to identify and manage how key stakeholders behave towards risk.
Quantitative risk analysis
Quantitatively analyze the impact of a combination of individual risks and uncertainty factors across project goals.
Specifically, we quantify the impact of risk over the entire project through simulations. Quantitative analysis requires advanced technology, so you may ask an expert for or not perform the analysis.
For example, a quantitative analysis is better for a large project because the amount of loss incurred is large. On the other hand, most small projects may not have the cost and resources to do so.
Risk response plan
Develop options, select strategies, and form a consensus on response actions to address the overall and individual risks of the project. Specifically, allocate resources as needed and describe the contents in the project document and project management plan. For example, it is necessary to dedicate many resources to high-priority risks because appropriate measures are required.
Execution process group
Implementation of risk response measures
In the execution process, we implement what we have agreed upon in the risk response plan.
The common problem is that although risks have been identified and planned in the planning process group of risk management, the risk response measures are not implemented. In simple terms, this means that they only planned but did not execute.
It can be said that risk management is correctly functioning only when the risk owner designated in the risk identification process spends the necessary human resources to implement the countermeasures.
In addition, risk response measures need to be implemented in a timely manner. Failing to take action when it must be taken is the equivalent of not having a risk response plan in place.
Monitoring and controlling processes
Risk monitoring
Track the risks you have responded to and the risks you have accepted. It also analyzes and responds to new possible risks and terminates risks that can be determined to no longer occur, and prepares a report.
Project managers need to determine the effectiveness of risk management from various perspectives. This includes how individual risks are handled, changes in overall risk levels, whether current risk management methods are effective, whether risk management policies and procedures are being followed, and whether costs and schedules are in place.
Risks will continue to emerge throughout the life of the project. Therefore, the risk management process described above is iterative. The project manager needs to check periodically if the risk management is working, and the frequency of the check is information that should be included in the project management plan.
Event risk and non-event risk
In recent years, the concept of categorizing risks into event risks and non-event risks has been adopted.
Event risk refers to the risk of an event occurring. For example, a key supplier goes out of business during the project or a customer's requirement changes after the design is completed. A change in the project manager may also occur.
Non-event risk can be further divided into two categories: variability risk and ambiguity risk.
Variability risk is the risk of uncertainty in planned events, activities, and decisions. As a proactive measure, we can use the Monte Carlo method (a method to find approximate solutions by repeating trials using random numbers) within the range of variability in the probability distribution to reduce the magnitude of possible outcomes.
Ambiguity risk is a risk that stems from the uncertainty of what might happen in the future. For example, if a stakeholder's knowledge or skills are incomplete, it may affect the project's ability to achieve its objectives.
In such a case, it is necessary to spend money on acquiring knowledge
and skills and this should also be recorded as a reserve fund in advance.
Responding to sudden risks
It is not possible to predict all risks in advance. Risks that can only be recognized after they have manifested themselves are called "unknown and unknown." Correspondingly, the ambiguity risk mentioned above can be said to be "known unknown."
Since it is not possible to take concrete measures to deal with the unknown unknowns, dealing with sudden risks depends on the resilience of the project. For example, it is difficult to predict natural disasters. If the project is resilient in the event of a natural disaster and can recover from the damage caused by natural disasters, it can be said that it can respond to risks.
Integrated risk management
In recent years, the need for integrated risk management across organizations has also increased. The risks that individual project managers address often have something in common.
Addressing such risks can be done through efficient and effective risk management through consistency and coherence among higher-level portfolios, programs, and projects.
Summary
As mentioned in the introduction, every project involves risk. The risk is the uncertainty in a project. Risk management is not about trying to reduce all risks to zero.
You can plan for a few risks that should never occur, but it is not practical or cost-effective to reduce all risks to zero.
In addition, dealing with risks, whether before or after the fact, requires costs. Spending money means making an investment, which means that dealing with risks may become a risk. This risk is called secondary risk, but this effect must also be acceptable. Therefore, it is necessary to prioritize risks and focus on the risks with the highest priority.
In some cases, it may be necessary to accept minor risks. It is also important to note that risk management is sensitive to characteristics such as professionals and job titles.
Where opinions should be gathered equally from a broad perspective, the strong opinions and titles of experts tend to create a bias of the assumptions. This makes it difficult to respond appropriately to risks, so project managers will be responsible for creating a place where everyone can participate as much as possible and communicate fairly.
Always keep in mind that the purpose of risk management is to adjust the highly uncertain risks through planning and proper control to minimize the negative impacts and maximize the positive impacts.