Risk is an inherent ingredient of any project. The project environment changes constantly, and these changes expose projects to uncertainties. The uncertainties eventually turn up in the form of various risks. Assessing how frequently a risk occurs and how severe it is matters a great deal in project management. After analyzing the risk, project managers take risk mitigation measures. In general, the analysis, monitoring and mitigation of risks in a project is called risk management.
Project risk management consists of the following steps:
- Risk identification
- Risk analysis
- Risk Response
- Risk Monitoring & control
Risk Identification
Risk identification is the first step in the risk management process. A project has several sources of risk, which can mainly be understood in the following ways:
Project-specific Risk
Project-specific risks are directly related to the project itself; for example, the earnings and cash flows of the project may be lower than expected. There may be risks of poor quality management due to the lack of a proper quality control and quality assurance system. Poor project execution due to a lack of skilled manpower may be another project risk.
Competitive Risk
The unanticipated actions of the competitors may affect project earnings and cash flows.
Industry-specific Risk
Some risks are associated with the industrial environment or arise from political, social and economic changes in the country where the project is being executed. Unexpected technological developments and regulatory changes specific to the industry will have an impact on the earnings and cash flows of a project.
The risks may also be classified based on operations such as:
- Financial risks (Budgeting)
- Legal risks
- Supplier risks
- Physical risk to employees, laborers, machinery and assets
- Strategic risks
Risk Analysis
Risks are analyzed by using qualitative and quantitative methods. In this step of risk management mainly two things are analyzed. One is the probability the risk will actually occur and the other is the severity or the impact of the risk. Both parameters are assigned a qualitative value, ranging from high, medium to low. The risk is assigned a category accordingly and placed in a matrix.
Qualitative Risk Analysis
In this type of evaluation, a subjective value is assigned to the probability and impact of the risk, and the risk is categorized accordingly and placed in a matrix as shown below:
This method is simple, quick and easy to use. This method is suitable for people who do not possess skills in calculation and statistics. This method has some disadvantages like it is more ambiguous and difficult to explain.
Quantitative Risk Analysis
In quantitative risk analysis, probability and impact are analyzed numerically. The probability and severity of the risk are each assigned a number, and the overall risk score is determined by multiplying the probability score by the severity score.
The following guideline may be used to analyze a risk:
Probability score:
Impact Score
Overall Risk Score
The overall risk score is determined by multiplying the probability score by the severity score as shown in the table below:
The color represents urgency for risk response. Quantitative risk analysis is less ambiguous and easy to explain since the probability and impact are expressed in numbers. Contingency plans can be prepared based on the data obtained from the qualitative risk analysis.
The disadvantage of this method is that it is time-consuming and needs skilled persons for analysis.
Risk Response
After identification and analysis of risk, the next step is risk response. The project team can respond to the risk in the following ways:
Risk Avoidance
This is the most direct method of dealing with risk. It simply involves avoiding any opportunity or threat for the risk to cause a loss event. It is sometimes an unsatisfactory approach to dealing with many risks. Many security professionals consider risk avoidance impractical because if risk avoidance were used extensively, the business would be deprived of many opportunities for profit and probably would not be able to achieve its objectives.
Risk Mitigation
Risk mitigation involves any security measures or other actions that would reduce the risk to the project. The most common and direct means of reducing risk, in this sense, are actions that decrease the vulnerability in the risk equation (whereas risk transfer primarily decreases the impact of a loss event). Common risk reduction mechanisms are security measures, policy enforcement, and employee education and awareness, as well as financial and legal positioning.
Risk Transfer
It is a risk response method in which the risk is not taken by the project but is transferred to some other party. The party bearing the risk may charge some amount or may take some other benefit for taking responsibility for the risk. The typical example of risk transfer is the purchase of insurance. Although not commonly viewed as a part of the traditional “security” function, insurance is generally a key element of risk management strategy. Sometimes, a portion of risk can be transferred to suppliers, vendors, or others through contract clauses or other types of formal agreements.
Risk Acceptance
After the risk avoidance, risk mitigation and risk transfer measures have been taken by the project team, some risk still remains, since it is virtually impossible to eliminate all risk. Risk acceptance measures are taken when the costs to mitigate or avoid a risk are too great to justify given the small probability of occurrence or the small impact the risk may cause. Sometimes, however, the project manager or the competent authority may accept a risk if it is so catastrophic that insuring against it is not feasible due to the cost involved. Accepting risk can be seen as a form of self-insurance.
Risk Monitoring and Control
This is the last step of project risk management. It involves activities such as identifying new risks and planning for them, keeping track of existing risks, risk reclassification and risk reporting.
Keeping track of existing risks is important in order to check whether any existing risk needs to be reclassified, whether any of the risk conditions have been triggered, and whether any risk has become critical over time. For the risks that cannot be closed, the impact has to go down over a period of time due to the implementation of action plans. If that is not the case, then the actions might not be effective and should be re-examined.
The risk register is continuously updated, from risk identification to risk response planning, and its status has to be updated during risk monitoring and control. The project risk register is a valuable tool for risk management which is available to all stakeholders throughout the project life.
Risk monitoring and control is an iterative process. For the risks having very high severity, guidance should be sought from upper management and stakeholders, as there may be a high risk of project failure.
Key Takeaway
(1) Risk is an inherent ingredient of any project.
(2) Assessing how frequently a risk occurs and how severe it is matters a great deal in project management.
(3) Project risk management consists of four steps, i.e., risk identification, risk analysis, risk response and risk monitoring & control.
(4) The sources of risk may be project-specific, competitive or industry-specific.
(5) The risks may also be classified based on operations, such as financial risk, legal risk, supplier risk, physical risk and strategic risk.
(6) Risks are analyzed by using qualitative and quantitative methods.
(7) Qualitative method of risk analysis is simple, quick and easy to use. This method has some disadvantages like it is more ambiguous and difficult to explain.
(8) Quantitative risk analysis is less ambiguous and easy to explain since the probability and impact are expressed in numbers.
(9) The disadvantage of the quantitative risk analysis method is that it is time-consuming and needs skilled persons for analysis.
(10) The risk response strategies are risk avoidance, risk mitigation, risk transfer and risk acceptance.
(11) Common risk reduction mechanisms are security measures, policy enforcement, and employee education and awareness, as well as financial and legal positioning.
(12) The typical example of risk transfer is the purchase of insurance. Sometimes, a portion of risk can be transferred to suppliers, vendors, or others through contract clauses or other types of formal agreements.