Risks will be present on every project. As a project manager, we need to understand what a risk is, what impact it might have on the project and how we can manage it throughout the life cycle of our project.
What is a project risk?
The APM defines a risk as ‘The potential of a situation or event to impact on the achievement of specific objectives’ (see APM glossary). It is important to remember that a risk is not definitely going to happen, but it does pose a potential threat to our project. We should also think about the potential for positive impacts rather than just negative ones. We might be able to take advantage of a potential situation that means the outcomes or benefits of our project are enhanced, adding to our project’s success.
It is important not to think solely about what the risk is. When identifying a risk, you should also consider the cause and the effect. The cause of a risk is the catalyst or circumstance that will cause it to occur. The effect is the impact that the risk will have. In understanding these things, we will have a better understanding of the risk to our project and how we can respond to it.
For example, if we are building a bridge, a risk would be that the opening of the bridge is delayed. The cause of this might be that the iron girders we have ordered are too short and we need to have new ones made. The effect of the risk is that the bridge opening is delayed, meaning we have missed our project deadline. This might have an impact on benefits, e.g., if this is a toll bridge, we are not collecting income as soon as anticipated.
In considering the cause and effect as well as the risk itself, you are thinking more thoroughly about the risk. You are therefore in a better position to plan for mitigating actions if you understand the events that might cause the risk to mature.
A risk management process
We need to manage the risks that threaten our project. To do this, we will employ a risk management process, which will give us a strategy for minimising the chance that risks will derail our project or force us to stop work.
The first step in the risk management process is to identify the risks. We want to have a clear understanding of the risks that our project faces so that we can prepare to tackle them. The identification process can be as simple as a brainstorm, but might also involve interviews, prompt lists or assumptions analyses to better understand the nature of the risks. Drawing on individual experts can be particularly useful if there are particularly technical areas that might cause risks that the project manager does not have expert knowledge of.
Once we have identified all of the potential risks that might impact our project, we need to analyse them. Here, we determine the probability and impact of the risks – we might use a probability impact grid to help with this – and then rank the risks accordingly. Some probability impact grids use a simple low/medium/high ranking, whilst others will have a numerical scale which can then be multiplied together to give a number value for the weight of the risk. Once we have a value or weight for the risk, we can then determine the impact of the risk on our project and begin to plan responses.
We want to plan a response to each risk to ensure that we are prepared if the risk does mature. Planning responses can take a number of approaches. There are a number of proactive and reactive responses that we can take to risks. These might include moving the risk onto someone else’s risk register or taking action to increase the potential of the risk happening so that we can take advantage of the circumstances to exacerbate a positive outcome. The idea of planning responses is to avoid delays to our project if we are unprepared when a risk matures. We should be ready to take action if the risk does occur. Planning responses will also highlight any knock-on effects that we need to consider and give us an idea of any contingent budget or time that we might need to account for.
Once we reach the point beyond which the risk will mature, we can close the risk. This usually takes place at the end of the project when we have passed the point at which the risk could mature and impact our project. However, this might also happen during the course of the project if a risk might only mature at a certain point or during a certain phase.
The idea of closure is simply to acknowledge that the risk has either been dealt with, or the risk window has passed. We want to make sure that we have dealt with all risks appropriately and that there is nothing that might still impact the project. Any risks that cannot be closed at the end of the project need to be flagged to the team who will be operating the product so that they can be prepared to deal with the risk if it matures.
Risks are always going to exist within our projects. If we take the time to understand the risk and its causes and effects, we can be better prepared to deal with it. The aim of risk management is to minimise the negative impact that risks will have on our project. We need to put systems in place to be able to identify and analyse the risks to our project so that we can plan appropriate responses to the risks should they mature. At the end of the project, we can close down our risk register if the window of threat from the risk has passed.
Ultimately, the project manager should be aware of any risks to the project and be able to deal with them. Taking the time to prepare for risks maturing demonstrates a level of insight into the project and potential problems and may in fact save the project from significant delays if a risk response is needed.