THE INS AND OUTS OF RISK MANAGEMENT

By: Michael Stanleigh

Summer 2018 Issue


Proper risk management reduces not only the likelihood of an adverse event occurring, but also the magnitude of its impact. Management consultants working in this field know that a failure to effectively manage and mitigate risk leads to crisis management becoming the mode of operation.

What follows is a primer on everything risk management – from defining the concept, to different kinds of risk, and how to respond to challenges before they become a full-blown crisis. There’s something here for everyone, from the untested business professional to the seasoned risk management expert.

What Is Risk Management?
Risk Management is the process of identifying, analyzing, and responding to risk factors throughout the life of a project and in the best interests of its objectives. Proper risk management implies control of possible future events and is proactive rather than reactive.

For example:
An activity in a network requires that a new technology be developed. The schedule indicates six months for this activity, but the technical employees think that nine months is closer to the truth. If the project manager is proactive, a contingency plan will be developed with solutions to the problem of time before the project due date. However, if the project manager is reactive, then the team will do nothing until the problem actually occurs. The project will approach its six month deadline, many tasks will still be uncompleted and the project manager will react to the crisis, causing the team to lose valuable time. 

Risk Management Systems
Risk Management Systems are designed to do more than just identify risk: they must also be able to quantify a risk and predict the impact of the risk on a project. The outcome is therefore a risk that is either acceptable or unacceptable. This acceptance or non-acceptance is usually dependent on the project manager’s tolerance level for risk.

If risk management is set up as a continuous, disciplined process of problem identification and resolution, then the system will routinely supplement other systems, including organization, planning, budgeting, and cost control. Surprises are diminished because emphasis is on proactive, rather than reactive, management.

Risk Management – A Continuous Process
Once the Project Team identifies all possible risks that might jeopardize the success of a project, they must decide which risks are most likely to occur. They base their judgment on past experience regarding likelihood of occurrence, gut feel, lessons learned, historical data, etc.

There is typically more risk early in a project as opposed to as the project moves towards its close. Risk management should therefore be undertaken early in the life cycle of the project as well as on an ongoing basis. For example, if a project’s total duration was estimated at 3 months, a risk assessment should be done at least at the end of month 1 and month 2. At each stage of the project’s life, new risks will be identified, quantified and managed.

The significance here is that opportunity and risk generally remain relatively high during project planning (beginning of the project life cycle) but due to a relatively low level of investment to this point, the amount at stake remains low.

In contrast, during project execution, risk progressively falls to lower levels as remaining unknowns are translated into knowns. At the same time, the amount at stake steadily rises as resources are progressively invested to complete the project.

Risk Response
Risk Response generally includes: 

  • Avoidance – eliminating a specific threat, usually by eliminating the cause.
  • Mitigation – reducing the expected monetary value of a risk event by reducing the probability of occurrence.
  • Acceptance – accepting the consequences of the risk. This is often accomplished by developing a contingency plan to execute should the risk event occur.

In developing contingency plans, the Project Team engages in a problem-solving process. The end result is a plan that can be put in place on a moment’s notice. 

A Project Team wants to achieve an ability to deal with blockages and barriers to its successful completion of the project on time and/or on budget. Contingency plans help ensure that most problems can be dealt with as they arise. Once developed, a contingency plan can quickly be put it into place. 

Why do Risk Management?
The purpose of risk management is to:

  • Identify possible risks.
  • Reduce or allocate risks.
  • Provide a rational basis for better decision-making in regards to all risks.
  • Plan

Assessing and managing risks is the best weapon against project catastrophes. By evaluating a plan for potential problems and developing strategies to address them, chances of a successful, if not perfect, project are improved. 

Additionally, continuous risk management will:

  • Ensure that high priority risks are aggressively managed and all risks are cost-effectively managed throughout the project.
  • Provide management at all levels with the information required to make informed decisions on issues critical to project success.

How To Do Risk Management
First, look at various sources of risks. This list is not meant to be inclusive, but rather, a guide for initial team brainstorming of all risks. Various sources of risk include:

  • Top management doesn’t recognize this activity as a project
  • Too many projects going on at one time
  • Impossible schedule commitments
  • No functional input into the planning phase
  • No one person responsible for the total project
  • Poor control of design changes
  • Poor control of customer changes
  • Poor understanding of the project manager’s job
  • Wrong person assigned as project manager
  • No integrated planning and control
  • Organization’s resources are overcommitted
  • Unrealistic planning and scheduling
  • No project cost accounting ability
  • Conflicting project priorities
  • Poorly organized project office

External - Unpredictable Risks

  • Unforeseen regulatory requirements
  • Natural disasters
  • Vandalism, sabotage, or unpredicted side effects

Predictable Risks

  • Market or operational risk
  • Social
  • Environment 
  • Inflation
  • Currency rate fluctuations 
  • Media

Technical

  • Technology changes
  • Risks stemming from design process

Legal

  • Violation of trademarks and licenses
  • Lawsuit for breach of contract
  • Labour or workplace problem
  • Litigation due to tort law
  • Legislation 

The Risk Analysis Process
The Risk Analysis Process is essentially a quality problem-solving process. Quality and assessment tools are used to determine and prioritize risks for assessment and resolution. The risk analysis process is as follows:

Identify the Risk
This step is brainstorming. Reviewing lists of possible risk sources as well as the project team’s experiences and knowledge, all potential risks are identified.

Using an assessment instrument, risks are categorized and prioritized. The number of risks identified usually exceeds the time capacity of the project team to analyze and develop contingencies. The process of prioritization helps manage those risks with both a high impact and a high probability of occurrence.

Assess the Risk
Traditional problem-solving often moves from problem identification to problem solution. However, before trying to determine how best to manage risks, the project team must identify the root causes of the identified risks.

The project team asks questions including:

  • What causes this risk?
  • How would this risk impact the project?

Develop Responses to the Risk
Now the project team is ready to begin assessing possible remedies to manage or possibly prevent the risk from occurring. Questions the team asks include:

  • What can be done to reduce the likelihood of this risk?
  • What can be done to manage the risk, should it occur?

Develop a Contingency Plan or Preventative Measures for the Risk
The project team converts ideas to reduce or eliminate risk likelihood into tasks.

Those tasks identified to manage the risk, should it occur, are developed into short contingency plans and put aside. Should the risk occur, they are brought forward and quickly put into action, thereby reducing the need to manage the risk by crisis.


Michael Stanleigh, CMC, CSP, CSM is the CEO of Business Improvement Architects. He works with leaders and their teams around the world to improve organizational performance by helping them to define their strategic direction, increase leadership performance, create cultures that drive innovation and improve project and quality management.

Michael’s experience spans public and private sector organizations in over 20 different countries. He also delivers presentations to businesses and conferences throughout the world. In addition to his consulting practice and global speaking he has been featured and published in over 500 different magazines and industry publications. For more information, contact Michael at
 mstanleigh@bia.ca