Sermon on Risk Management

Compendium of best practices

Risk
Born out of Greek Rhiza meaning cliff it is imported into Latin as Risicare-to dare. It is truly that proverbial taking the plunge or literally jumping off the cliff thing. Webster defines Risk as chance of encountering harm, loss; hazard; danger. Risk is a function of the probability of an event happening and the seriousness of the impact if it does. A project management risk is an event that could stop the project from achieving its objectives and meeting the expectations of its stakeholders.

Risk Management
Risk management is about increasing the probability of success and reducing the probability of failure and uncertainty of achieving the projects overall objectives. Common sense suggests that risks can have both positive and negative consequences. Some risks may be worth taking. These risks are likely to have a low probability of happening and a potential impact, if they happen, that is much less than the potential benefits to a project. This is reinforced by the Risicare. It is the actions that an organisation dares to take that will lead to its success or failure. Thus risk management is a structured approach to identifying, assessing and controlling risks that emerge during the course of the policy, programme or project lifecycle. Its purpose is to support better decision-making through understanding the risks inherent in a proposal and their likely impact Effective risk management helps the achievement of wider aims, such as: effective change management; the efficient use of resources; better project management; minimising waste and fraud; and supporting innovation

Stages of Risk Management

There are two key stages to managing project risks: Risk assessment o Identifying risks o Assessing risks o Prioritising risks Risk control o Mitigating or taking risks o Planning for emergencies o Monitoring and measuring

Risk Assessment
You can assess risks at any time during a project. This includes new risks, risks that are changing priority, risks that will become an issue and risks no longer perceived as relevant.

Page 2 of 8

Identifying risks
This step is closely associated with the planning stage. It should take place early on. There are potential risks associated with all projects. Common risks include:
Availability risk Business risk Construction risk Decant risk Demand risk The risk that the quantum of the service provided is less than that required under a contract. The risk that an organization cannot meet its business imperatives. The risk that the construction of physical assets is not completed on time, to budget and to specification. The risk arising in accommodation projects relating to the need to decant staff/ clients from one site to another. The risk that demands for a service does not match the levels planned, projected or assumed. As the demand for a service may be partially controllable by the public body concerned, the risk to the public sector may be less than that perceived by the private sector. The risk that design cannot deliver the services at the required performance or quality standards. Where the project outcomes are sensitive to economic influences. For example, where actual inflation differs from assumed inflation rates. Where the nature of the project has a major impact on its adjacent area and there is a strong likelihood of objection from the general public. Where project delays or changes in scope occur as a result of the availability of funding. The risk that changes in legislation increase costs. This can be sub-divided into general risks such as changes in corporate tax rates and specific ones which may affect a particular project. The risk that the costs of keeping the assets in good condition vary from budget. The risk that operating costs vary from budget, that performance standards slip or that service cannot be provided. The risk that the implementation of a project fails to adhere to the terms of planning permission or that detailed planning cannot be obtained, or if obtained, can only be implemented at costs greater than in the original budget. The risk of changes of policy direction not involving legislation. Where a contractor is engaged, risk can arise from the contract between the two parties, the capabilities of the contractor, and when a dispute occurs. Where the quality of initial project intelligence (eg preliminary site investigation) is likely to impact on the likelihood of unforeseen problems occurring. The risk that there, will be an undermining of customer/ media perception of the organizations ability to fulfill its business requirements e.g. adverse publicity concerning an operational problem. The risk relating to the uncertainty of the value of physical assets at the end of the contract. The risk that changes in technology result in services being provided using non-optimal technology. The risk that actual usage of the service varies from the level forecast.

Design risk Economic risk Environment risk Funding risk Legislative risk Maintenance risk Operational risk Planning risk

Policy risk Procurement risk Project intelligence risk Reputational Risk.

Residual Value risk Technology risk Volume risk

Risk identification requires an understanding of the projects mission, scope and objectives of the owner and stakeholders e.g. WBS Project Charter Product Description Schedule and Cost estimate Page 3 of 8

Resource Plan

There are many other potential risks, some of which will be specific to the project in question. Risks shouldnt be ignored. They should be anticipated and managed. The whole project team should take part in identifying and assessing the risks to the project. You might also like to consider asking people not connected to the project, or your organisation, to take part and provide alternative viewpoints. Using a team approach helps to identify and explore all potential project risks, as each team member will have a different attitude to what is and what is not a risk. Each will have different thresholds with regard to the amount of risk that they will take for a given reward. Record each risk in the attached project risk register. Risk Identification Process
Inputs Risk Management Plan Project Planning Outputs Risk categories Historical Information Tools Documentation review Informationgathering techniques (Brainstorming/ Delphi Technique/ Interviewing SWOT Analysis External Risks Checklists (Based on historical information/ It is impossible to build an exhaustive list of risks) Assumption analysis Diagramming techniques (Causeand-Effect Diagrams/ System or process flow charts/ Influence Diagrams Outputs

Risks Triggers

Inputs to other processes

Assessing risks
The risks you identify should be anything that the team agrees may have an impact on the project process or the anticipated project deliverables. A risk could have the potential to impact positively or negatively on the project. For each of these risks the team should agree on the probability that it might happen and the seriousness of the impact on the project if it did. Record your results in the project risk register. Qualitative measures of Likelihood Level Descriptor Description

Page 4 of 8

A
B C D E

Almost certain
Likely Possible Unlikely Rare

Is expected to occur in most circumstances Will probably occur in most circumstances Might occur at some time Could occur at some time May occur only in exceptional circumstances

Seriousness of the impact on the project if it did happen, using:

E = Extreme Risk Immediate action required. There could be potential of damage to the goodwill of firm, threat to person and property

= High Risk Senior Management attention required in view of serious impact on the project leading to difficulties in maintaining the schedule, achieving the anticipated deliverables and keeping within budgeted costs M = Moderate Risk Management responsibility must be specified. Less serious impact with same difficulties L = Low Risk - Manage by routine procedures much less serious with little impact on the above difficulties

Prioritising Risks
After identifying and assessing the risks to your project the next step is to put them in priority order. This will focus most of your attention on mitigating the risks that are most likely to disrupt your project. Consequences Likelihood
A (almost certain) B (likely) C (possible) D (unlikely) E (rare) Insignificant 1 H M L L L Minor 2 H H M L L Moderate 3 E H H M M Major 4 E E E H H E E H Catastrophic 5 E E

Qualitative Risk Analysis

Page 5 of 8

Qualitative Risk Analysis targets numerically analysis of the probability of each risk and its consequence on project objectives. It determines the probability of achieving a specific project objective and quantifies the risk exposure for the project. It crystallizes with identification of risks requiring the most attention and adjunct to that propose realistic and achievable cost, schedule or scope targets Tools Sensitivity Analysis It helps to determine which risks have the most potential impact on the project. It examines the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values Decision Tree Analysis It consists in a diagram that describes a decision under consideration and implications of choosing one or another of the available alternatives. It incorporates probabilities of risks and the costs or rewards of each logical path and future decisions. Solving the decision tree indicates which decision yields the greatest expected value

Risk Control
Good risk control relies on an accurate risk assessment. At this point many people believe that doing a risk assessment is enough to manage the risks to the project. Many project teams spend too long on assessing risks and not enough time on controlling them.

Mitigating Risks
Now you have a list of project risks in priority order. You must allocate each of the Extreme -, High- Medium and Low-rated risks to a named person (the risk manager) to manage. The risk manager should be the project team member with the most influence over the risk and therefore best able to: Prevent the risk from happening Minimise the impact if a risk does happen Decide to take the risk if it is more likely to result in a positive outcome Manage the risk.

The risk manager can re-allocate each risk to another party; perhaps a supplier/partner, if they are better placed to do the above. However, the risk manager still has the ultimate responsibility for managing the risk. Each of the Extreme, High Medium and Low risks should have a completed risk management action plan.

Page 6 of 8

Prevention is better than cure. Therefore, in most cases, it is better and much less costly to spend time, effort and money up front to prevent High and Medium risks from happening, rather than incurring the high costs of the impact if they do. Most up-front prevention costs are related to peoples time and effort. Whilst this is best practice there can be some affordability issues with this approach. This is because you incur an up front cost to mitigate a risk, whereas an unmitigated risk only incurs a cost if it happens. However, experience tells us that it is likely to cost (in cash and non-cash terms) considerably less to mitigate a risk than it is to cope with the consequences if a risk happens. There are two proactive ways to mitigate risks; you can reduce the: Probability of the risk occurring Seriousness of its impact if it does occur

You may also be able to delay the risk from happening, perhaps indefinitely. The project team, as a team, should agree the actions the risk manager must take, or manage, to reduce the probability and/or the seriousness of the impact of the risk. However, there are some risks where it would be more appropriate to do nothing. This is where the cost of mitigating the risk is much more than the cost you would incur if the risk actually happened. The main ways to deal with risk are: Reduce the risk o Reduce the probability of the risk happening, and/or o Reduce the seriousness of the impact if the risk does happen. Accept risk you could decide not to anything about a risk but merely accept it. This may happen when the cost of managing a risk is out of proportion to the cost of a risk if it happened or the benefits of taking a risk outweigh the potential negative impact. Avoid risk once you understand the risk you may be able to avoid it. Transfer risk you could try to transfer the risk. However this is itself risky as ultimately you still bear the ultimate responsibility for meeting the projects objectives no matter who is managing each specific the risk. Also, if you transfer the risk to a third party, perhaps a supplier/partner, then it is likely that you will have to pay a risk premium for the privilege.

Remember the only risk that really matters is the residual risk. This is the risk that is left after you have taken action to mitigate the probability that it might happen, and to reduce the Page 7 of 8

seriousness of the impact if it did. Represent this residual risk by giving it an overall priority rating after your mitigating actions have taken effect. Therefore, every risk that you take action to mitigate must be re-assessed and given a new, hopefully reduced, overall priority rating.

Planning for Emergencies

Each risk with a high or medium overall priority rating must have reactive contingency measures in place to cope with the impact if it happens. Good examples of this include insurance and carrying an umbrella just in case it rains.

Monitoring and Measuring

The risk manager of each risk is responsible to the project manager for monitoring their risk/s and for taking the appropriate action/s to mitigate them. They are also responsible for putting into place and managing an emergency plan if the risk does happen. The project manager and supporting team should review risks and issues regularly, normally at monthly progress meetings. You cannot control a risk if you cannot measure it. If you find that you are not able to measure a risk then re-assess it. Review the project risk register regularly; update it and the relevant risk management action plans when: Identified risks change priority the probability and/or impact changes New risks are identified Risks are no longer a risk Risks become an issue

Do not remove any of the risks from the register, even if they are not a risk anymore. Do not wait for a team meeting to communicate a new risk; the team must be aware that risk management should be in their minds constantly throughout the life of the project. Being aware of existing risks, new risks and any other changes is part of the day-to-day work of the project team.

Page 8 of 8