Martin Stevens

You are here: Home / Introducing Risk Management

Introducing Risk Management

Lottery Balls by Dylan Nolte on Unsplash

What is ‘Risk’?

There are many definitions of risk, but my preferred ones are:

the effect of uncertainty on objectives”

British Standard BS ISO 31000 :
2011. Risk management – Code of practice and guidance for the implementation of BS ISO 31000, British Standards Institution, London, 2011

the potential of situation or event to impact on the achievement of specific objectives”

APM Body of Knowledge Seventh Edition, The Association for Project Management, Princes Risborough, 2019

an event which may occur in the future and which if it happens might impact on the ability of the organisation to achieve its objectives”

Anderson, R., in “The Risk Management Universe: A Guided Tour”, Hillson, D. (Ed), British Standards Institution, London, 2006

Risk vs Issue vs Problem

To many in and around the project management community (and, no doubt, elsewhere) there is often confusion about the distinctions between ‘risk’; ‘issue’ and ‘problem’

A ‘risk’ is an event that may, or may not, occur.  It is a probabilistic happenstance, that is outside of the control of project participants (although they may be able to influence the impact of the event should it mature)

An ‘issue’ is a breach of the agreed tolerances for work or a deliverable within a project or programme that must be resolved and will require support of the project sponsor to agree the chosen resolution.  It is also the term often given to a risk event that has matured (i.e. occurred)

A ‘problem’ is a matter to be dealt with in day-to-day management

Characteristics of Risk

When considering risk and seeking to describe what it is; it may be helpful to reflect on the sequence: Cause, event and effect.  That is to say ‘something’ – a cause may result in the occurrence of a ‘risk event’ which may affect the objectives

Thus ‘risk cause’ is the source of the risk i.e. a circumstance that may be either internal or external to the project that triggers the ‘risk event’.  The ‘risk event’ should describe what might happen (the area of uncertainty) and determine if it is a threat or opportunity.  ‘Risk effect’ describe the impact that the risk would have on the project objectives should the risk materialise

When discussing a risk event there are three things to be considered:

Likelihood

That is; what is the probability of the event occurring.  Likelihood can be stated in either a general way on (say) a five-point scale

  1. Very low
  2. Low
  3. Medium
  4. High and
  5. ery high

or in a stochastic way by assigning numeric probabilities to the event occurring

Impact

Impact considers the result of the risk event occurring on the achievement of the project’s objectives, again on (say) a five-point scale

Proximity

It is useful to consider how close to “time now” might the risk event actually occur i.e. within one week, one month, three months, six months, longer than six months. Proximity doesn’t, of course, have any effect on likelihood or impact, but it does inform management’s decision-making in terms of focus and importance as it would be prudent to deal with those risks expected to mature sooner before those that occur later in time.  (Although equally; high probability, high impact risks merit consideration ahead of low probability, low impact ones)

Risk Attitude and Risk Appetite

Risk and uncertainty are ever-present in programme and project management and, moreover, consideration of the risk(s) involved are necessarily perception based.  Risk attitude is a perception driven conclusion by an individual or group as to the “riskiness” of the project or endeavour. For example an extreme sportsmen’s view of how “risky” something is may be different from those who just spectate

Risk appetite is how much i.e. the quantum of risk that individuals, sponsors or investors are prepared to tolerate in order to achieve their, or the project’s objectives

Decision-makers may need to reflect upon the perception of risk at the individual and organisational level and recognise that investors and funders may have a range of views regarding how “risky” an enterprise or project may be

Upside and Downside

Risk can also be categorised into “upside” risk (sometimes referred to as opportunity) and “downside” risk.  The former, should it occur, may be expected to enhance or improve the out-turn performance of the project; that is, it is a positive thing and, consequently, the management team should seek to ensure that the event does occur.  The latter will have a detrimental or negative effect on the out-turn and management should seek to reduce or mitigate the likelihood of the event occurring and its impact

Risk Assessment

The purpose of risk assessment is to seek to determine the combined effect of the degree of uncertainty that a risk event may occur and the impact on objectives should it occur

Simple risk assessments are, generally, made by reference to a matrix analysis which plots likelihood and impact using the five point scale referred to above.  Thus, any individual risk event would be assigned a score in the range of 1 to 25 representing a very unlikely occurrence with a very low impact (1) to a very likely occurrence with a very high impact (25).

At the risk of stating the obvious, upside (opportunity) and downside risks need to be considered separately.

Risk Assessment Matrix

Risk Response

Classically, there are a range of responses available to decision-makers and managers, depending on whether the event is a threat or an opportunity i.e. is it a downside or upside risk.

Threats or Downside Risks

Avoid

Change an aspect of the project i.e. scope, procurement route, supplier or sequence of activities, so that the threat can no longer have an impact or can no longer happen

Reduce (mitigate)

Take proactive action to reduce the likelihood of the event occurring by putting in place a control, or reduce the impact of the event should it occur

Fall-back

Put in place a fall-back plan to reduce the impact should the risk occur. This is a reactive response

Transfer (insure)

A third party takes responsibility for some of the financial impact of the threat, should it occur

Share

Risk sharing between two (or more) parties by agreement to share the consequences such as increased cost should the risk mature

Accept

A conscious and deliberate decision to retain the threat, as it is more economical to do so than to attempt a response action and/or because it falls within the risk appetite of sponsors.  Nevertheless, the threat should continue to monitored to ensure that it remains tolerable

Opportunities or Upside Risks

Exploit

Seize an opportunity and seek to ensure the cause will happen and the beneficial impact will be realised

Enhance

Take proactive action to enhance the probability of the cause occurring or the impact should the event occur

Share

Parties by agreement may share the beneficial gains such as cost savings or enhanced performance if the risk matures

Reject

Take a conscious and deliberate decision not to exploit or enhance the opportunity

Risk Register

The Risk Register is a tool that assists with the recording of potential risks and the response(s) to them decided upon by project sponsors and their professional management team

It is considered good practice for the register to record:

  • Risk event
  • Likelihood
  • Impact
  • Risk Score (product of likelihood and impact)
  • Proximity
  • Response
  • Risk Owner
  • Post response likelihood
  • Post response impact
  • Post response score
  • Further actions
  • Date for next review
  • Is the risk “Open” or “Closed” (that is, is the risk still likely to occur, or has it either occurred and been dealt with or is it no longer a risk)

Action Plan

The project team should put in place an action plan to deal with agreed responses to risk events.  Such plans should deal with two sets of circumstances

The first concerns downside risk and comprises two elements: (a) the plan to implement the risk response and (b) the plan should the risk event nevertheless occur post mitigation

The second is the plan to be implemented to enhance the probability of upside risks maturing

Risk Management Framework

An organisation’s risk management framework is the over-arching protocols and methodologies for assessing, managing and responding to risk events

It should also set out the risk attitude and range of risk appetites that the organisation is prepared to accept and the mechanisms for assessment, review and decision-maker approvals and/or delegated authorities.  Usefully, it could also include audit arrangements

Conclusions

Risk and uncertainty are ever-present.  Organisations and temporary project organisations should adopt and implement a management framework that enables risks to be assessed reviewed and managed with appropriate mandates delegated to particular post-holders or individuals

Adopting such practices as discussed here provides a level of organisational preparedness to not only deal with identified risks and opportunities but, importantly, a methodology to deal with any unexpected risks that might be encountered (the unknown unknowns)

Despite such processes, however, it needs to be recognised that the practice of risk management is an iterative one that needs to be kept under review at all times

A downloadable copy of this paper, together with the references is available from Martin Stevens Academy

Please click below to visit Martin Stevens Academy

Button Click Here” width=

Other Assignments

Managing Projects

 
Project Management v.2.0 05022019

Contact Us

Martin Stevens Project Services Limited
23 Sealand Court
Esplanade
Rochester
Kent ME1 1QH
+44 (0) 1634 844 314
enquiries@martinstevens.com

This site uses cookies to monitor user interaction with and movement around the site More Information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close