Risk management process
Risk management process (RMP) is a concept or a framework to managing risk both internal and external in all industries. It is a concept that has been coming popular for project managers in projects to improve performance and increase the profit. This concept helps management teams to construct a strong and systematic approach to the risk identification. With risk process and strong project management practice the problems in a project can by decreased and could also help to resolve problems that occur later on in projects.
Risk vary in projects because of the uniqueness of every project and due to that fact the concept RMP is very robust approach. Identification, understanding and managing critical risk that can harm the project a concept needs to be followed.
Risk management in project should be throughout the project life cycle. In some cases the risk management is primarily done in the design phase of the project, but should be also manage in the construction phase. The RMP is a five step process that is following [1].
- Step 1 – Establish the context
- Step 2 – Identify the risk
- Step 3 – Analyse the risk
- Step 4 – Evaluate the risk
- Step 5 – Treat the risk
The risk management process is essential to manage those risk that can occur in projects and to be able to mitigate those risks. Studies have shown that the changes of risk event occurring are in the idea, planning and the start-up phase of each project. As represented in Figure 1 the total cost impact is less if the risk event will occur earlier and therefore it is very important to use that period to minimize or mitigate around a potential risk. Moreover, as it goes further into the project phase the increase in cost is very steep [2].
This wiki article aims to go through those steps mention above with few techniques and methods that are well known in risk management and how to apply them along the project life cycle. Furthermore, the background of risk management, advantages and RMP limitation will also be discussed.
Contents |
Overview
Introduction
The risk management term has history in America from the early 1950s and it has been developing since then around the world. It was not until 1963 “The Journal of Risk and Insurance” published nine articles regarding risk management. From the year 1963 and until 1967 an increase in academic interest was shown. It was not until early seventies that the risk management awareness increase in Europe and that is due to the expansion that happened in the United States in early years [3]. With the awareness of risk around us the expansion of the subject has aroused and is coming mainstream in businesses today.
What is risk, risk management and what purpose/value does risk management process have?
Risk is the likelihood and the impact of a certain event with potential to effect the goal or the objective of the project. To avoid these unexpected risk events that the future has, risk management process is a concept to follow throughout the project life cycle and to be able to maximize the efficiency and the effectiveness [4].
Risk management examine the future that is head of us and the uncertainty that it has. Uncertainty can both be good and could also be bad. With examination of the uncertainty that the future has, could lead us to avoid the threats and steer and aim us towards the opportunities [5]. Even though risk management is not just avoiding risk or taking one, it is a development that has to have complete understanding of the risk that are relevant to the project [1].
The basic RMP principle should always be included when dealing with risk in projects because it helps the management team to efficiently understand and manage unwanted risk. The following main phases of RMP are: Establish the context, identify the risk, analyse the risk, evaluate the risk and treat the risk [6].
Application of risk management process
The RMP is not a standalone concept that can be implemented into project or organization. To be able to managing risk effectively through the RMP a well define risk management framework has to be clear. The framework will provide the foundation for success risk management. The RMP at each step will communicate with the risk management framework, as can be seen in Figure 2, and therefore establish a holistic approach to risk management.
RMP can be seen in Figure 3, the five steps in the RMP are well defined and easy to follow with good management practice. In this section the five RMP steps will be explain further and how it can be applied to managing risk. In those five steps that is within the RMP is the risk assessment. Risk assessment is an overgroup of 3 steps, identify risk, analyse risk and evaluate risk. Inside these subgroups of risk assessment are few methodologies that are used to help the management team to establish the right outcome of the RMP. These methodologies will be mention briefly to explain what is used in practice today.
Even though the communication, consult, monitoring and review is not part of the five steps, it is key element of risk management. It is essential to communicate and consult with stakeholders, from early stage, in the value chain during all five steps of the RMP. Stakeholders have to understand the basis in decisions and why action is needed for specific risk. This is done by effective communication both internally and externally with stakeholders within and outside the organization.
Establish the context
The first step in the RMP is establish the context and is key to effective and great risk management. The context will act like a supervisor to ensure that all activities will remain relevant throughout the process. There are various context that needs to be taken into account and to articulate the objective of the project or organization. Establishing the context can be found with SWOT analysis, by identify strengths, weakness, opportunities and threats. The SWOT, Figure 4, analysis can identify the PESTEL, which is the political, economic, social and technological, environmental and legal condition of the context. Context can be divided in external and internal context. Furthermore, the context will set the scope for the risk criteria for later processes and should be establish each time it is implemented.
Risk identification
How to identify risks?
Risk identification is the second step in the RMP. This step is a critical step in risk management where the project manager assembles a team with stakeholders that have the relevant experience. The team tries to produce a list of possible risk that could affect the project from the get-go and through the project life cycle.
The team usually use brainstorming technique to find possible risk events. When using the brainstorming technique the team members have to have open mind and try to come up with as many possible risk events that could occur. Furthermore, team members have to consider the project that is in front of them and also try to learn from mistakes that had occur in other projects that are in the past. In the risk identification process a common mistake is often done, that is to focus primarily on objectives rather than events that could produce consequences. For example, focusing on objectives like failing cost estimation or time schedule instead of thinking what event could cause these events to happen [2].
Risk breakdown structure (RBS) incorporated with work breakdowm structure (WBS) is an effective method to help management teams to identify risk events from the objectives. Breaking down these objectives into macro risk helps the team to check specific areas that are interesting.
This identification process of risk should involve more than the core team inside the organization. All stakeholders in the value chain, for example, customers, sponsors, subcontractors and vendors should have some input into the identification process because it makes them more committed to the project.
Risk analysis (Step 3) and risk evaluation (Step 4)
Step 3 and 4 are the risk analysis and evaluation of the events that where produced in step 2, risk identification. Even though the name risk can be a threat not all risk events need further inspection. Some of the risk in projects can be ignored while others need more attention because they pose threat to the project. Managers need to screen out these events that pose no threat to the project and try to focus on other risk events that have more potential to harm the project in any way.[2].
For analyzing risk, scenario analysis is most commonly used method. Scenario analysis is a method that team members have to analyze and assess the severity of each risk event that has been conducted in step 2 in terms of, likelihood of the event happening and the impact of the event.
Risk event that have the greatest effect on the project should receive highest priority. The best way to analyze the risk events is to have a scale ranging from “Rare” to “Almost certain” or have more precise scale with probabilities ranging from for example 0.1, 0.3, 0.5 … 1.5. The scale needs to be evaluated depending on the project nature. Impact scale is also needed to assess the consequences that event has on the project. The scale is often defined in numbers from 1-5, 1-10 or rank-order such as ”Negligible”, “ Minor”, “Moderate”, “Major” and “Catastrophic”. The likelihood and the impact scale can be seen in Table 1 and Table 2 respectively. [2] [7].
Rating | Likelihood |
---|---|
|
ALMOST CERTAIN: Could occur several times per year |
|
LIKELY: Likely to arise once per year |
|
POSSIBLE: Likelihood that it may arise over a five-year period |
|
UNLIKELY: Could occur over a five to ten year period |
|
RARE: Very unlikely but not impossible, unlikely over a ten year period |
Rating | Potential impact |
---|---|
|
CATASTROPHIC:Most objectives may not be achieved |
|
MAJOR: Most objectives threatened |
|
MODERATE: Some objectives affected |
|
MINOR: Easily remedied, with some effort the objectives can be achieved |
|
NEGLIGIBLE: Very small impact |
These two scales, likelihood and impact, are combined into risk matrix as seen in Figure 5. The risk matrix is divided into four categories green, blue, yellow and red. The green category is representing minor risk, blue is representing medium risk, yellow is representing major risk and red category is representing extreme risk.
To place each risk event in the risk matrix a light calculation is needed. The formula for risk value is:
The step 4 is the evaluation of the risk event. Risk value is a number that can be evaluate and therefore be placed into the risk matrix. After the placement of each risk event in the matrix that was consider in the beginning of the RMP the evaluation of risk event expectant is formed. As can be seen in Figure 6, if the risk event falls into the red zone the event needs an urgent attention and needs treatment, but if the risk event falls into the green zone, which is the save zone, the risk can accepted or accepted with minor treatment. Categories for yellow and blue can be treated with attention or investigation.
There is one other option that is available and it is widely used, that is Failure Mode and Effect Analysis (FMEA) technique. By adding detection into the Risk value formula gives the analysis a clearer view how difficult is to detect the risk event that could be a head of us. The detection scale is would also be in the same scale as the probability and the impact. If a risk event would get a 5, it cannot be detected until it is too late, but if an event would receive 1, it would be very easy to detect the risk. The event that receives the highest score from the calculation will have the highest impact.
Risk treatment/response
Risk treatment and response is the final and the fifth step in the RMP. The treatment of risk events involves project manager and team members to identify the range of options to treat the risk event, evaluate those options, and make a plan for the treatment and the implementation. The most appropriate method that the team members find to achieve the wanted outcome is chosen. Risk response can be classified as follows:
- Mitigating
- Avoiding
- Transferring
- Retaining
It is up to the project manager and the team to choose which risk strategy they will go for. If the risk event is inside the red zone in the risk matrix, like in Figure 6, the project manager needs to pay attention to those risk. Following the guidance in Figure 6, will help the managers and the team to treat and evaluate what to do in next steps.
Mitigating risk
When mitigating risk the team members try usually to reduce one of the two option, likelihood or the impact. Reducing the likelihood of particular event to happen is the first option of every team in the business because if it is successful, the team could eliminate the next option of reducing the impact which could lead to higher cost in the end. It is essential to take an early action to reduce the likelihood of an event to happen because as was mention in the beginning the cost will rapidly increase if the project is started and is well ahead in the project life cycle. Furthermore, it is more effective to take early action than try to repair the damage after the risk has occurred. This part of the process may require many resources or time, but in the end it is very effective way of reducing cost.
Avoiding risk
This strategy is very important and should always be the first to consider in a project. Sometimes avoiding risk or eliminate it is not an option, because it can be too expansive or it could be time consuming. Avoiding risk is done by removing the cause or executing the project phase in a different way than it was planned. Even though we decide to avoid the risk the project objectives needs to be achieved. If the situation comes up that we cannot eliminate the risk that occur in the project, we try to eliminate that risk before the project lunches.
Transferring risk
Risk transfer could be in full or in part transfer. This strategy involves another stakeholder who is willing to take responsibility and the liability if the risk event happen. Transferring risk to another stakeholder is very common because in practice the aim is to ensure the risk event is in the hand of the stakeholder that is willing and is in the best position to deal with it effectively. Passing risk to another stakeholder in the value chain will always cost premium. Therefore, management team needs to evaluate if it is more valuable to adopt the strategy to another stakeholder or keep it and try to avoid or mitigate the risk.
Acceptance/retaining risk
The least strategy that we would use is to accept a risk event to happen, but sometimes project manager or teams need to accept the risk event can occur, because it could be that it is too expensive or too large to transfer or reduce the event. Project managers should be well aware of the risk events that could occur and sometimes they have to take conscious decision to accept the risk knowing it is very slim changes of that event occurring. When acceptance of any risk, project managers and teams are acknowledging to take on the risk when it occurs.
Monitoring risk
Risk monitoring is not part of the five step process that are in RMP concept. Risk monitoring is not a step that has to be done or take. Monitoring risk should be throughout the life cycle of a project and done at each step in the RMP, because that ensures that new and changing risk events will be detected and manage before it occurs by implementing risk response action. To be able to monitor all risk events, meetings should be held regularly to maintain and update old and inform if there is a new threat. To identify new threat, the project manager and the team need to go through the steps that are in the process and repeat them until the project life cycle is over, because there are not many risk that remain static.
Advantages
WIP
Limitations
WIP
References
- ↑ 1.0 1.1 1.2 1.3 John Lark.(2015) ISO 31000, Risk management.
- ↑ 2.0 2.1 2.2 2.3 2.4 Larson, E. W. and Gray, C.F (2010) Project Management, The Managerial Process (5th ed.).McGraw - Hill/Irwin, NY
- ↑ Neil, G.C.(1982) The Bibliography and History of Risk Management: Some Preliminary Observations, 7(23),169-179
- ↑ Smith. N.J., Merna, T. and Jobbling p.,(2006) Managing Risk in Construction Projects
- ↑ Kozin. I.,(2015) Course 42172: Risk and decision making
- ↑ Gajewska. E. and Ropel. M.,(2011) Risk Management Practices in a Construction Project – a case study.
- ↑ Duijm, N.D. (2015) Recommendations on the use and design of risk matrices