Topic 3: Risk

The key role of the project manager may be seen as identifying risks to project delivery and ensuring that they do not impede it.

The Project Management Institute's A Guide to the Project Management Body of Knowledge (PMBOK® Guide) defines risk as:

"An uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives" (2000: 127).

But for risk management, Donald Rumsfeld's much-derided definitions are perfect as they define three different types of risk.

* Known unknowns—the risks that we know might happen.
* Uncertainty—the risks that any predictions we make are not right.
* Unknown unknowns—the risks that we have not looked at or planned for.

As indicated in our definitions, an estimate is an opinion or an approximation. It is not fact. The technique for reducing uncertainty is closely coupled with the estimation process. Kerzner (2006: 722) argues that rough (parametric) estimates have a relatively low level of accuracy, budget (analogy) estimates have a higher level of accuracy and definitive estimates (grassroots/engineering buildup estimating method) have the highest level.

The list review tends to follow one of two typical paths:

1. Review the WBS elements and budgets (cost, schedule and technical performance) against the list, and make specific allowance at the element level for risk.
2. Review the overall project in terms of this list—scoring the risks as you go. For example, allocating numbers from 0–5 for 'does not apply' through to 'a major risk in this project'. Then compare the list of numbers to similar projects that have had known risk occurrences.

Regardless of the industry you are involved in, the risk of failure is highest during the concept phase and substantially decreases during the analysis and design phases. Most ideas or projects are terminated at the early phases due to the risk involved in achieving a viable outcome.

During the early phases of concept exploration, the focus tends to be on creating budgets for risks, and on either selecting a development approach that recognises the inherent risks or showing why a project/product should not be undertaken. Successful analysis during these early phases is not measured by the number of approved projects, but by the comprehensiveness of the information provided.

Once a project has been initiated, the focus should be on how to reduce the likelihood of a risk occurring, or the impact of any identified risks should they occur. This is referred to as risk mitigation or risk control.

Having discussed risk (things that might occur) and uncertainty (variation on our estimates or forecasts of what will occur), we need to look briefly at the impact of these occurring. Most of the reading that you will have done will have focused on the downside of risk, referred to as negative risk. You should also be aware that risk can have an upside, referred to as positive risk. This is an opportunity perspective of risk: positive risks are things we would like to encourage.

The risk management process

The Australian/New Zealand Standard AS/NZS 4360:2004: Risk Management is arguably the world's leading standard on risk management and is certainly quoted by a number of risk management authors worldwide. The basic procedure is:

* Establish Context
* Identify Risks
* Analyse Risks
* Evaluate Risks
* Treat Risks

Two key approaches are used to identify the risks:
* When working on a basis of estimate (BoE), any subject matter expert can record any risks they believe exist or apply.
* Conducting risk meetings and brainstorming the risks that might apply.

In both cases, the objective is to record the potential for a risk to apply, without attempting to provide any detailed analysis of that risk. The potential risks are added into a risk log.

Having recorded the potential for a risk to occur, it is necessary to estimate how likely the risk is to occur, and what impact it might have should it occur. The impact could be anything that affects the project such as schedule, cost, safety, politics, stakeholders, technical performance, contract liability and so on.

Identified risks for a project can run into the hundreds. As it is not feasible for a project manager to manage such a large number of risks, it is necessary to focus on the most important risks. The method used to assess importance is usually the 'expected monetary value' or 'EMV' where: EMV = Likelihood × Impact

Using the EMV concept, the risks can then be mapped into an evaluation matrix. The value of this table is that when the risks are mapped into it, it becomes clear which risks should be the major focus and which should simply be accepted as potential problems because they are too small to warrant using management time to treat and control.

Sensitivity analysis is another method of evaluating risks. By 'sensitivity' we mean the calculation of the statistical sensitivity of an item—for example, the project's duration to a range of variables such as individual task uncertainty or discrete risks.

Decision trees are really not a method of evaluating a risk, but a decision-making methodology based upon uncertain knowledge (i.e. an environment that contains risks). In decision tree analysis, we try to find out which approach we should take given several options and potential risks.

Once evaluated, the organisational or project response to the most important risks can be established and the most appropriate and cost-effective response to treating the risk can be determined. Responses can vary and often organisations have policies on acceptable risk and risk management. For example, a project may not be allowed to proceed if certain levels of risks have been identified (e.g. 'Extreme risks'), or additional analysis or approval stages are required when particular risks become evident (e.g. senior management review of any 'High risks').

Risk prevention means obtaining the knowledge required to remove the potential for the risk to affect the project. Risk prevention actions include planning, demonstrations, research, prototypes, etc. The aim is to provide knowledge of the unknown.

Mitigation activities attempt to either reduce the likelihood of the risk occurring or reduce its impact on the project should it occur. Allocation means accepting the risk and assigning the responsibility for managing it to a subject matter expert. Assignment means moving the responsibility for dealing with the impact of the risk to a third party; typically the customer or a subcontractor.

Many of the risks that are faced in projects are simply small risks that can't be avoided. The project manager does not have the time or resources to make the project risk-free. Such risks are accepted.

Once the risks have been identified, evaluated, and treated in some fashion, the accepted risks still need to be monitored and reviewed. There are often signs that a risk is about to occur (e.g. failure of a first test) and these 'warnings' should result in actions to mitigate the impact. When risks occur, the project is also likely to have a slightly different schedule, or list of tasks. The new schedule or new tasks also may need to be evaluated. There are also changes to the project's requirements, personnel, information and status that all mean that the old risk analysis may not completely apply.

Practical risk management

Practical project management involves allocating time to the biggest problem on the project, and this may be schedule, people, accommodation or risk management to name a few. Practical risk management does not involve finding all potential risks or a vast amount of documentation and complex mathematics. Practical risk management means balancing the time available with the benefit received from doing the work. On some projects, little or no risk management would suit, and on others risk management may be a more important task than schedule management.

If you mathematically perform a similar function on quantitative risks, then you create an iso-risk contour (also known as an iso-risk curve). An iso-risk contour is a graph where all risks are mapped using mathematically defined axes for likelihood and impact. As the graphs have identical axes, they can then be overlaid throughout an organisation to create a common program or portfolio risk graph.

The risk factor is then RF = P + C – (P*C) where P is probability and C is consequence. Note that if you have more than a dozen or so in the 'High' area, you can change the axis or definitions for your project.

On the other hand, there are the day-to-day issues that arise with any project. These items have high probability of occurrence (P is near 1) but very low impact (C is near zero). These items need to be recognised as part of the working environment and included within the estimates. The only option, therefore, is to accept these risks.
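The following is an added example, not part of the original notes: it scores a small constructed risk register with both EMV = Likelihood × Impact and RF = P + C – (P*C), and solves the RF formula for C to find a point on an iso-risk contour. The register entries, the `MAX_IMPACT` scaling used to turn a cost into a consequence C between 0 and 1, and all function names are assumptions made for the illustration.

```python
from collections import namedtuple

# p = likelihood of occurrence (0..1), impact = cost if the risk occurs
Risk = namedtuple("Risk", "name p impact")

# Constructed sample register; values are illustrative only.
REGISTER = [
    Risk("Key supplier delivers late", 0.30, 200_000),
    Risk("Prototype fails first test", 0.10, 500_000),
    Risk("Lead engineer leaves", 0.05, 150_000),
    Risk("Minor rework after reviews", 0.95, 5_000),  # day-to-day issue
]
MAX_IMPACT = 500_000  # assumption: consequence C = impact / MAX_IMPACT

def emv(risk):
    """Expected monetary value: Likelihood x Impact."""
    return risk.p * risk.impact

def risk_factor(p, c):
    """RF = P + C - (P*C), which equals 1 - (1-P)*(1-C)."""
    if not (0 <= p <= 1 and 0 <= c <= 1):
        raise ValueError("P and C must both lie in [0, 1]")
    return p + c - p * c

def rf_of(risk):
    """Risk factor of a register entry, using the assumed consequence scale."""
    return risk_factor(risk.p, risk.impact / MAX_IMPACT)

def iso_risk_consequence(rf, p):
    """C on the contour RF = rf at probability p, or None if p alone exceeds rf."""
    if p > rf:
        return None
    return 0.0 if p == rf else (rf - p) / (1 - p)

def rank(register, score):
    """Risk names ordered from highest to lowest score."""
    return [r.name for r in sorted(register, key=score, reverse=True)]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:30} EMV={emv(r):>9,.0f}  RF={rf_of(r):.3f}")
    print("By EMV:", rank(REGISTER, emv))
    print("By RF: ", rank(REGISTER, rf_of))
```

In this register the day-to-day item has the second-highest RF but the lowest EMV, so the two scores answer different questions and should not be read as interchangeable rankings.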

Sensitivity analysis is used to determine the key drivers of potential changes to a number. As it is a mathematical technique, this technique can only be used on quantitative data. The easiest way to perform this analysis is via a specialised tool, and such tools typically use the Tornado diagram to show relative sensitivity. The Tornado diagram is a chart of the risks where the risks are sorted by their risk factor.

There is a range of computer-based risk tools available to project managers. The purpose of these tools can range from simple risk identification tools (generally spreadsheets and databases), through to process guides, reporting tools and Monte-Carlo analysis tools.

A simple, but wrong, approach is to add the sum of the expected monetary values (EMVs) of the risks to the budget. When working with many risks of similar size, this approach can provide a reasonable approximation for the average risk. However, the EMV works on averages and is really a fairly meaningless concept when applied to specifics (i.e. one risk). Risks either do or do not occur. They do not 'partly occur' as an EMV tries to allow.
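As an added example (not from the original notes), the sketch below compares the summed EMV of a constructed three-risk register with a Monte-Carlo simulation in which each risk either fully occurs or does not. The register values, the seed, the trial count and the function names are assumptions chosen for the illustration.

```python
import math
import random

# Constructed sample register: (name, likelihood, cost if it occurs).
RISKS = [
    ("Key supplier delivers late", 0.30, 200_000),
    ("Prototype fails first test", 0.10, 500_000),
    ("Lead engineer leaves", 0.05, 150_000),
]

def summed_emv(risks):
    """The 'simple, but wrong' contingency: sum of Likelihood x Impact."""
    return sum(p * cost for _, p, cost in risks)

def simulate(risks, trials=20_000, seed=1):
    """Sorted total risk cost per trial; each risk occurs in full or not at all."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        totals.append(sum(cost for _, p, cost in risks if rng.random() < p))
    return sorted(totals)

def percentile(sorted_totals, q):
    """Nearest-rank percentile of the simulated cost, q in (0, 100]."""
    idx = max(0, math.ceil(q / 100 * len(sorted_totals)) - 1)
    return sorted_totals[idx]

def exceed_probability(sorted_totals, budget):
    """Fraction of trials whose risk cost is above the contingency budget."""
    return sum(1 for t in sorted_totals if t > budget) / len(sorted_totals)

if __name__ == "__main__":
    totals = simulate(RISKS)
    budget = summed_emv(RISKS)
    print(f"Summed EMV contingency: {budget:,.0f}")
    for q in (50, 80, 95):
        print(f"P{q} simulated risk cost: {percentile(totals, q):,}")
    print(f"Trials exceeding summed EMV: {exceed_probability(totals, budget):.1%}")
```

With this register the summed EMV of 117,500 is never an actual outcome: the simulated risk cost is 0 in roughly 60% of trials and at least 150,000 in the rest, which is the "risks either do or do not occur" point in numbers.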