Risk Management - Key Steps in Risk Management

The first thing to understand in risk management is that it's an ongoing activity. It's not about identifying risks upfront and then forging ahead regardless. It's too easy to forget the risks once the project has started and fail to recognize and raise new risks when the project is underway.

The key steps to risk management are summarized below.

  • Risk Assessment

  • Risk Reduction / Minimisation / Containment

  • Risk Monitoring

  • Risk Reporting

  • Risk Evaluation

A key part of project management is a common language. The diagram below shows the key steps of risk management in the overall context of analysis and control. As outlined in the introduction, there are two key outcomes for risk management: action and awareness. Through risk control we manage action; through risk analysis we manage awareness.

The diagram below shows the breakdown of risk management. On the left we have risk analysis, which consists of reviewing risks, evaluating risks and reducing risks. This is the “action” side of risk management. On the right we have risk control, which consists of risk monitoring and reporting. This is the awareness and prevention side of risk reporting.

Case Note

On a recent project, I was given a perfect opportunity to raise any risks that I thought would affect the project before we started production. The specification had been completed so we knew what we had to deliver as well as the timeline. I dutifully followed the process outlined in the rest of this chapter. I put together a document that contained the 6 key risks that the project was facing. For each key risk I presented a risk memo that outlined the risk, the impact on the project, the potential cost of non-containment, a solution and contingency plan. It was a bit more than the client was expecting. I thought that the client would be happy to know the risks upfront and be able to take action.

After the initial shock of seeing all the things that could go wrong, we had awareness. Half the battle won. The other half, action, didn't quite happen. Although the actions for each risk were detailed, very few of them were followed up (the majority of the actions were the responsibility of the client). When the risks started to impact on the project, the client wasn't happy. They had accepted the risk, but hoped it would not surface and did not take any action to prevent it occurring. Unfortunately, when the risk did arise, it took more work to repair the damage done than if preventative measures had been put in place. As the project manager, although I had raised awareness, I hadn't continued to report on the risks, so that the client was in a false state of security, assuming that the risk was no longer there.

Risk Assessment

The goal of risk assessment is to identify the risk factors that are a part of the activity being undertaken. Basically, it's about working out what could go wrong. For example, the task could be attending a client meeting. The possible risk factors would include:

  • Distance from office to client's premises

  • Number of people having to attend meeting

  • What materials are required for meeting (e.g. laptop, projector, etc.)

  • Availability of cabs

  • Availability of public transport

  • Time of meeting, e.g. midday, peak hour

The more risk factors there are with a given task, the more that can go wrong.

Risk Evaluation

Once you have identified the risk factors, then you have to work out what impact they can have on the task. Following the previous example, what would be the impact of arriving at the meeting late?

  • Would you lose the account?

  • Would you get fired by your boss?

  • Would it have an impact on your next review?

  • Nothing, the client didn't mind.

If the impact is low, the risk doesn't require much attention.

Risk Reduction

Risk reduction can also be considered risk containment or minimisation. What term you use doesn't matter as long as you are consistent. There are two parts to risk reduction:

  • Plans or actions that can be taken to reduce the risk

  • Introduction of strategies that will minimize the impact of the risk

In getting to our client meeting on time we could take the following actions:

  • Leave earlier (allow more travel time)

  • Shift the meeting to non peak travel time

  • Call the client to let them know we are running late

The idea is to avoid the risk altogether, but if that's not possible, have plans in place that can minimize the impact.

Risk Monitoring

Risk monitoring has two dimensions to it. Firstly, it's about keeping an eye on the risks that you've already identified to see if anything has changed, for instance if the impact has increased or decreased, which could require action. Secondly, it's about seeing if there are any new risks that have arisen during the project.

For example, while we're on our way to the client meeting, we could be keeping an eye on the time while listening to traffic reports for any potential traffic delays. The most important thing to remember is that just because we have identified risks upfront, that doesn't mean new ones won't emerge.

Risk Reporting

Risk reporting is about ongoing awareness and the effectiveness of any actions or strategies taken to contain or reduce risk. An example is calling your colleagues about traffic delays or train cancellations. The goal of risk reporting is to keep an eye on the existing risks to help any new ones arising.