Managing risk in project is vital the overall outcome of the project. Deciding on the level of risk management will come down to the complexity, size and timescales involved. Managing risk in a project should come in at inception stage and should always be on the mind of the project team.
The risk management process can be broken into 5 stages which be explored in more detail -
Step 1 – Identify
The project manager should take lead and use the project team to identify the project's risks. In some cases there can be a risk manager but this tends to be in very large and very complex projects. Utilising the project team from engineers to the stakeholders allows you to cover as many potential risks as possible. Good communication is vital, some of the different ways this can be achieved is by:
Brainstorming as a collective
Analysing project documents
Using a risk register
A risk register is a tool used to identify and maintain information on risks that have been identified. Data that should be captured includes -
- ID number - Likelihood
- Category of the risk - Cost impact
- Risk owner - Time impact
- Risk score (impact x likelihood)
- Title - Next steps
- Cause - Action
- Event - Owner
- Impact - Action completion date
There can be a large amount of risks depending on the project. It is important the risks are established and frequently revisited, not identifying risks and taking action can result in the failure of a project. ESTA encompasses the above into one clean view where you can track risks easily. A fully automated notification feature provides notifications on risks identified and when they need to be completed to ensure the project keeps moving forward.
Step 2 – Analyse
There is no exact science to analysing risks, a common way is by a qualitatively assessment is made (either by an individual or a group) of the likelihood that the risk will occur and then the magnitude of its potential impact.
Here's an example of a Probability Scale definition.
Qualitative analysis assigns a likelihood and impact rating to each risk and these are used to create a rating. As demonstrated in the below diagram, a rating 3 probability x rating 3 impact = total risk rating of 9 – Amber Risk.
It is important to note that there can be a vast amount of risks within a project and the ranking procedure adds an order and structure to the way risks are organised. Most importantly, proximity of the risk needs to be taken into account by the project manager, i.e. when will the risk be relevant.
Step 3 – Evaluate
When the risks have been analysed, it is important to disseminate the findings to the client and project team. Explaining how the the risk will impact the project and contextualsing the risk will allow the clients to understand why the risk is of a certain rank and how you intend to deal with it.
Generally we go back to the time, cost, quality triangle. As an example this is what stakeholders would be interested in -
Will the project be delivered on time?
Will it be on budget?
Will quality be effected?
What are the drivers for the project not being on time or on budget?
How are we going to mitigate these risks?
What's the priority?
Step 4 – Treat
All risks highlighted on the risk register do not need to be actively managed, this would not be cost effective. The aim is to highlight the ones that have the biggest potential impact and can be most effectively managed.
Once the risks are agreed by the project team, actions and controls need to be applied to mitigate them. On a simple level, it is required to either initiate an action to mitigate the likelihood or impact of the risk. This could be a specific action or a control like monitoring and allocating resource in the event that the risk comes to fruition.
Each risk has an owner, the owner analyses the risk and determines the mitigating action, pro-active action/monitor/ add to contingency. Resource should be allocated against the quantifiable risks (time & cost), this will help you build a picture of possible contingency required and an estimate of how the programme may be effected in the event these risks turn into real issues. Proximity in this case is the point at which you need to do something before it is too late to be effective, this can be tricky when actions are set months in advance, ESTA can notify you of what needs to be done, by who and when, across all jobs.
Step 5 – Report
It's common for the risk register to be set at the start of the project and not regularly checked, tying in updating the risk register with monthly meetings helps keep everyone in the project team proactive in mitigating project risks. Specific reviews can also be held at key stages, for example, RIBA works stages or project gateways to ensure that the risks reflect the current position for estimates, schedule, change and progress.
The outcome of the review should -
Produce the most update risk register reflective of the project in its' current state, it should be a working document.
Delete closed risks
New risks and new assigned actions.
Updates on existing risks
Review the amount of allowances against quantified risks.
Report on risk management effectiveness.
Risk management requires a lot of proactive thinking and team collaboration. Its' overall goal is to highlight risks and promote action/change for the best outcome of the project. Following a clear procedure and ensuring everyone is involved in risk mitigation in the project will have huge benefits in regards to project delivery.
Ensure all communication is clear, consistent and everyone understands what they should be doing.