The Project Management Body of Knowledge ("PMBOK") defines project risk management as the process of conducting risk management planning, identification analysis, response planning, and controlling risk on a project (PMI, 2016). The objectives of project risk management are to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in a project. Effective risk management strategies allow companies to identify the project’s strengths, weaknesses, opportunities, and threats. By planning for expected or unexpected events, companies can be ready to react appropriately (e.g. mitigate negative risk or capitalize on positive risk) when such events occur during the project lifecycle.
To ensure the success of a project, it is important to define how organizations manage potential risks which may arise during the course of the project and whether companies decide to transfer, accept, or work around the risk. Achieving a project’s goals depends heavily upon risk management being implemented, incorporated, and analyzed throughout the lifecycle of the project.
Risk management plans are critical in the overall project management process as the plans define specifically how a company identifies and analyzes risk to a project. This includes aggregating all risks which could impact a project and assessing the risks for aspects such as probability, impact, ranking, triggers, responses, and owners. Low risk events usually have little or no impact on the cost, schedule or performance of a project; whereas, moderate risks occurring to a project can cause an increase in the project’s cost, disruption of the project’s schedule and/or degradation of the project team’s performance. High risk events are likely to cause a significant increase in the budget of a project, disruption of the project’s schedule or performance problems of one or more individuals who are responsible for the management of a project. One or more high risk events occurring during the project could cause management to pause and/or halt a project altogether. During the planning stage of a project, it is important to include personnel from key departments in risk brainstorming conversations, as certain risks could be missed if proper representation from effected departments are not involved. The individuals included in such brainstorming sessions would be dependent on the project and the organizational setup of the company. Best practices include senior management from IT and the organization most affected by the project serving as projects sponsors (provided the scope of the project warrants involvement from both groups). Proper sponsorship not being involved through the planning phase of the project lifecycle could lead to harmful impacts to the overall health of the project. If management is not behind the purpose and need of the project, it could potentially fail to progress or be implemented at the end (Hopkins, 2006).
An effective project risk management plan should include (Stockl, 2016):
- A "top-down" commitment from the organization – if senior management does not approve of a project, it likely will not have a successful outcome.
- A Risk Register outlining the identified risks and their criticality.
- Policies and procedures established and clearly defined for all team members –outlining identification of risks, regular meetings, and Go-Live requirements.
- Clearly defined roles and responsibilities for all project members.
- Adequate resources are allocated to successfully complete the project and perform proper risk analysis.
- Proper tools are made available for risk management tasks, such as document reviews, root cause analysis, SWOT analysis, checklists.
- Ongoing monitoring of the risk management plan.
Risks to a project can be identified through a number of methods. Risks can be identified through initial risk assessments, on-going control self-assessments or internal or external audits – all of which are valuable vehicles to identifying risks. These tools can be crucial in monitoring and managing risk that may impact the critical path of the project and its overall success. Utilizing these tools will allow management to make more informed decisions regarding a project and determine the correct level of safeguards and controls which should be put in place.
Types of Risk
There are three major types of risks that would need to be considered during planning and analyzed during the entire lifecycle of a project. Many projects hold planning meetings to identify risks during the initial stages of the planning process and these meetings should continue throughout the entire project lifecycle. Known risks should be identified in the initial stages of a project. Examples of known risks include scheduling conflicts, potential weather patterns or seasonality considerations which might affect the project, technology or communication issues. Unknown risks are risks that are identified throughout the project which could not have been considered in conjunction with planning procedures performed. Examples of unknown risks include issues with a certain vendor, quality concerns during testing, key members of the project team quitting unexpectedly, or running out of server space while trying to implement a system.
The third type of risk is a positive risk. A positive risk is a positive outcome of the project which has subsequent effects that need to be managed. Specifically, a positive risk is an unknown risk as a result of a project that brings a positive opportunity for the company. An example of a positive risk of a project would be a company implementing a new web interface to order products from which results in a larger than expected number of people ordering a product and a company’s warehouse to be overloaded with orders. This is an unknown positive outcome of a project that the company would need to manage through the risk management procedures outlines within the plan (Hillson, 2014).
These risk types can be categorized in three "impact" groups, high, moderate or low:
- High-impact risks are risks that must be mitigated or resolved prior to the project going live. Examples of high impact risks include senior management not approving the project charter during the planning phase of the project or a required system component or functionality not operating as intended during the testing phase of a new system implementation.
- Moderate-impact risks are risks which should be mitigated; however, failure to mitigate such risks would not impact the completion of a project. An example of a moderate impact risk could be a reporting function within a system which is not working but does not require the delay of a go-live of a new application. Specifically, in this instance, this issue will need to be reported to end users of the system and explained that it will be resolved as soon as possible. If the project team identifies that the reporting function in the tool will not be resolved, a manual workaround, such as pivoting data in Excel, could be a temporary fix and not delay the project from moving forward.
- Low-impact risks are risks which may not need to be mitigated and will not prevent the completion of a project. An example of a low impact risk would be if the product was presented in the wrong shade of blue given the branding scheme of a company. This represents a risk that is not an issue to complete a project or impact a user’s experience. These risks may be resolved if ultimately deemed beneficial; however, such a fix can also be completed after the project is closed and in conjunction with the next planned upgrade.
There are five ways to manage risk, in any of the three categories.
- Accept the risk – accept the outcome of the situation and do nothing to mitigate the risk (e.g. contingency budget for unexpected risks)
- Avoid the risk – change your project plan in order to avoid the risk (e.g., avoid the financial / personnel risk of implementing a new accounting system at the end of a company’s fiscal year)
- Transfer the risk – transfer the risk to another party (e.g., Insurance)
- Mitigate the risk – prepare and take steps to limit the impact of the risk (ex. implement a secondary review control to prevent human error associated with a primary review)
- Exploit the risk – reap the benefits of the outcome of a positive risk (e.g., hiring new staff to manage website traffic as a result of a redesign to a company’s web interface) (Hillson, 2014)
These five risk management options will play a role in the way management implements controls and makes critical financial decisions. The way the project team and project sponsors identify how to handle the risk will have a direct effect on the internal controls that are implemented, whether they are detective (detect events after they occur) or preventive (prevent events from happening) controls. Critical financial decisions will also be affected by risk mitigation plan. Should management decide to accept the risk, they will need to identify a more conservative plan in order to make sure they cover any avenues that the accepted risk could affect (Hillson, 2014).
Communicate the Plan
Having a risk management plan in place better assists project team’s abilities to identify and prepare for known and unknown risks. It also helps ensure the right resources are aware and available to help minimize negative risks and promote positive risks/opportunities. Risk management plans lead to overall higher rates of success for projects. Such plans need to be communicated and distributed by the project manager to the project team and any other key stakeholders that may be involved during the term on the project. This helps project managers and project sponsors keep abreast with any known risks. Having the risk management plan in place and available to those key stakeholders will allow the team to identify new risks, their triggers, and how to plan for them. By having a plan to identify, avoid or accept potential risks which a project may encounter as it progresses in its lifecycle, companies can ensure that the project team and other key stakeholders can respond effectively when challenges emerge and require intervention (Bragantini & Ferrante 2014).
Final Thoughts / Conclusion
By planning and preparing for the known and unknown risks of the project, the success rate of projects undertaken by organizations can improve drastically. Specifically, project teams will be better prepared to tackle obstacles encountered and be well-positioned to meet targeted objectives. Project teams will also be better equipped to identify any new potential threats to a project, as the guidelines and expectations will have been set through the formation of the risk management plan. Having a risk management plan in place will reduce the vulnerability of a project and minimize the impact of negative risks (or maximize the effects of positive risks) to the project team and the organization as a whole.
Some benefits of having a risk management plan are as follows:
- Saving valuable resources such as time, income, assets, people, property and maintaining a safe environment
- Reducing legal liability and increasing the stability of a company’s operations
- Having a baseline for future projects
Risk management is crucial for the success of any project. This risk assessment allows the project team to identify risks and action plans to reduce the impact of negative risks on a project and the resources assigned to it. Successful risk management improves the success of the project and overall health of the company.
Project Management Institute: www.pmi.org
Project Management Institute, Inc (PMI) PMBOK 5thEdition (2016) PMI Retrieved from PMI: https://www.pmi.org/pmbok-guide-standards
Stöckl, H. (2006). An important step from risk analysis to risk management. Paper presented at PMI® Global Congress 2006—EMEA, Madrid, Spain. Newtown Square, PA: Project Management Institute.: https://www.pmi.org/learning/library/important-step-risk-analysis-risk-management-8159
Hillson, D. (2014). Managing overall project risk. Paper presented at PMI® Global Congress 2014—EMEA, Dubai, United Arab Emirates. Newtown Square, PA: Project Management Institute.: https://www.pmi.org/learning/library/overall-project-risk-assessment-models-1386
Hopkinson, M. (2006). Top down techniques for project risk management. Paper presented at PMI® Global Congress 2006—EMEA, Madrid, Spain. Newtown Square, PA: Project Management Institute.: https://www.pmi.org/learning/library/top-down-techniques-project-riskmanagement-8177
Hayashi, S. K. & Neckowicz, K. T. (2013). Adjust your communication style for effective sponsor engagement. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.: https://www.pmi.org/learning/library/communication-style-effective-sponsor-engagement-5870
Bragantini, D. & Ferrante, D. (2014). How to shape your stakeholders. Paper presented at PMI® Global Congress 2014—EMEA, Dubai, United Arab Emirates. Newtown Square, PA: Project Management Institute.: https://www.pmi.org/learning/library/stakeholder-shape-tool-effectivecommunication-8706
Henderson, L. S. (2008). The impact of project managers' communication competencies: validation and extension of a research model for virtuality, satisfaction, and productivity on project teams.Project Management Journal, 39(2), 48–59.: https://www.pmi.org/learning/library/communication-competencies-productivity-projectteams-5582