Risk and Opportunities Management
In project management, uncertainty is a common parameter, given that projects are unpredictable and only an estimate of a future situation. In order to prevent uncertainties, project risks are identified and managed throughout the project life cycle. Risk management is a central concept and plays an important role in maintaining projects stability and success throughout the project. Risk management identifies potential obstacles that may arise and hinder the project team from achieving expected goals. Identifying risks is a repeatable process since new risks become known and others become unknown. Noteworthy risks are not only downsides, referred to as threats, but also upsides, referred to as opportunities. Opportunities may arise as a result of unexpected turns and have a positive impact on the project. Risk management is highly relevant and therefore present in all projects.
By using qualitative and quantitative risk management approaches, uncertainties are identified, assessed and mitigated in a structured way that helps projects stay on track. This article focuses on Rumsfeld’s unknown unknowns and the risk management process, including the probability impact matrix.
The risk management process, RMP, may be divided into seven process steps: communication and consultation, establishing the context, risk identification, risk analysis, risk evaluation, risk treatment and monitoring and review. This process aims to ensure that risk is managed effectively, efficiently and coherently across an organization [1]. At last, this article will outline and discuss the risk management process' limitations and advantages in a project management aspect.
Contents |
Introduction
Defining Risks
In all projects there is indistinctness, which leads to assumptions being made. These assumptions are uncertain and can affect the project’s cost, scope, time or resources [2]. Risks can be defined as "An uncertain event or condition that, if it occurs, has a positive or negative impact on one or more project objectives such as scope, schedule, cost or quality" [3].
Risk management is a beneficial concept applicable in every project. The concept aims to improve decision-making processes by identifying, assessing and mitigating relevant uncertainties in a structured way [4]. Due to the negative consequences of uncertainties, risks management is highly relevant and should be managed carefully.
Donald Rumfeld's Unknown Unknowns
The American politician and businessman, Donald Rumfeld, distinguishes between four categories of risk. The first category is identified as "known knowns" describing the things we know we know. Examples could be a project’s location, the type of project etc. The second category is defined, as "known unknowns" describing the things we know are uncertain. Examples could be how many workers are needed to complete a particular task or unpredictable weather conditions. The third category is defined as the "unknown unknowns". This category describes uncertainties that we could not have known in advance and let alone foresee their consequences, e.g. natural cataclysms. The last category is defined as "unknown knowns" describing risks that cannot be identified precisely due to multiplicity, but whose total negative impact on the project appears certain. An example of this category could be the Russian Winter Olympic Games in Sochi in 2014. The games in Sochi experienced significant cost overruns at 289% [5]. Another example in connection to Russia is the widespread corruption of local officials. The risk is known in Russia but not officially recognised and can therefore be perceived as an unknown known.
Risk Perception
The practice of risk management is to minimize negative impacts or threats to the project and maximize the upside impact of opportunities. To be a successful project manager it is therefore essential to understand what could possibly go wrong, assess risks’ probability and impact and thereby plan how to mitigate risks optimally.
Risk management involves planning and prioritising risks before they occur, handling emerged risks and control and monitor risks, by using quantitative or qualitative approaches. By using quantitative approaches including mathematical models, it is possible to calculate and estimate potential negative and positive outcomes. However risk management activities are primarily based on qualitative data [6]
Qualitative data include subjective perceptions since people value risks differently and therefore also value potential consequences differently. Gathering different viewpoints could be a challenging activity, when representing different project stakeholders. Obtaining viewpoints and ratings for each risk is a matter of unifying opinions. A method used for assessing low-high risks is the so-called probability impact matrix. Figure1 shows the positioning of identified risks. Noteworthy, Figure1 is an example of a potential matrix and therefore the matrix can change dependent on different projects.
Risks placed within the red boxes hold extreme or high risks and need to be avoided since they have the potential to greatly impact the project's quality, time or cost performance. Risks placed within the orange boxes hold moderate risks and can be mitigated or transferred. This category has the potential to slightly impact cost, quality and time performance. Risks placed within the green boxes hold low risks and can be ignored or accepted since they have a relatively little impact on cost, quality and time performance.
From Figure1 it has been identified that not all risks can be eliminated, but mitigation and plans can be developed to lessen their potential impact. The risk management process is an iterative process that begins in the early project phases and is conducted throughout the project’s development.
The practice of risk management process is systematically thinking about all possible outcomes even before they occur and outline procedures to accept, transfer, mitigate and avoid the impact of emerged risks.
Risk Management Process
The risk management process, RMP, can be divided into seven steps: communication and consultation, establishing the context, risk identification, risk analysis, risk evaluation, risk treatment and monitoring and review. The seven process steps will be outlined and described below.
Communication and Consultation
This process comprises communication and consultation with external and internal stakeholders and should take place throughout the seven risk process steps. This first step should especially focus on the exchange of relevant information and coordination of stakeholders’ perceptions. Communication and consultation between the stakeholders should mainly focus on the following aspects: the objectives, the scope and criteria. Last-mentioned include risk sources, consequences and related events, analysis method, judgment of evaluation criteria and suitable treatments for identified risks. Furthermore the project stakeholders are kept informed through reports, that summarise the current risk management activities [1].
Establishing the Context
This step includes defining the objectives and scope for the risk management process and furthermore determines criteria against which risks will be assessed. Establishing the context does not only address the company internal but also external. Internal factors include the role of the risk management process within the organization as well as the basic criteria used to evaluate risks throughout the following 5 process steps. Establishing the context also include the integration and implementation of risk management processes during other processes in the organization, comprising methods, roles and responsibilities of the people involved in the risk management and the outlined goals of the risk management process.
Risk Identification
The third process step consists of identifying sources of risk, potential areas of impact and outlining consequences [1]. Identifying risks in normally done in groups with both experienced and less experienced members and often people working within similar projects are invited [2]. The risk identification step is an iterative process that is managed throughout the project’s life cycle. This step aims to develop a comprehensive list of potential risks implied their impact and likelihood. This list is normally used in the following step, the risk analysis.
Risk Analysis
The risk analysis is mainly concerned around prioritizing and classifying risks. This could be done by using the earlier mentioned probability impact matrix, see Figure1. Identified risks are analyzed to achieve a better understanding of the treatment needed either to transfer, mitigate or avoid the analyzed risk. The analysis may also identify unforeseen opportunities that may be pursued to provide additional benefit.
Risk Evaluation
The risk evaluation focuses on prioritizing and deciding appropriate treatments for risks holding extreme, high or moderate risks. The risk evaluation is based on information gathered from the risk analysis and decision criteria, developed and defined during the establishment of context . Moderate-extreme risks will continue to the following step "risk treatment", while low impact risks will be ignored or accepted.
Risk Treatment
The purpose of treating risks is to develop options and determine actions to enhance opportunities and reduce threats to project objectives [4]. Different treatment opportunities are analyzed regarding cost-benefit tradeoffs and normally one or more options are developed and transferred to the project management for implementation [1]. Risk treatment includes measures and plans to avoid the risks, to mitigate risks, to deflect risks or develop plans to handle unforeseen risks if they occur. Decided treatments, expected benefits and the re-evaluated risks are transferred to the last step of the risk management process, "monitoring and review".
Monitoring and Review
This step oversees both situational risks within the organization as well as the risk management process itself [1]. The purpose of monitoring and controlling risks is to minimize disruption to the project by determining whether the risk responses have the desired effect [4]. This is done by identifying and analyzing new risks, monitoring trigger conditions for contingency plans and reviewing progress on treated risks while evaluating the effectiveness of the chosen treatment. The risk management process should be applied when new risks arise or when project milestones are reached.
Information gathered from the risk management process is collected in a risk management plan. The layout of such risk management plans will vary but normally contain the following steps [2]:
- Risk identification
- Event description
- Description of consequence or impact
- Probability impact
- Risk exposure
- Priority
- Risk response
- Dates
- Answerable
Response Strategies to Threats and Opportunities
As mentioned earlier, uncertainties and unexpected occurrences can affect the project either negatively or positively. The risk management process analyzes and manages, in particular, negative impacts threatening the project. How to manage and utilize opportunities is shown in Figure2. Opportunities can be addressed in three ways:
- Exploit opportunities
- Share opportunities
- Enhance opportunities:
- Probability
- Impact
Exploit
The aim of this response strategy is to eliminate the uncertainty associated with a particular upside risk [7]. Whereas the strategy of risk treatment aims to reduce probability of occurrences to approximately 0, the exploit strategy seeks to raise the probability to 100%. This strategy is the most aggressive of the response strategies and is usually applied when those Golden Opportunities arise, containing high probability and high positive impact. The strategy of exploiting opportunities, can either response directly or indirectly. The direct response includes making positive decisions to include an opportunity in the project scope. E.g. if an opportunity were identified that market share would intensified if a competitor withdrew from the market, active steps would be taken to either buy out the competitor or by forming a potential alliance. The indirect response includes handling the project in a different way by allowing the opportunity to be achieved while still fulfilling the project objectives [7].
The aims of this strategy is to share an opportunity involving allocating ownership to another party, who is best able to handle the opportunity, both in terms of maximizing the probability of the occurrence and in increasing potential benefits. Project stakeholders are potential owners of handling this type of response strategy since they already have an interest in the project and are therefore likely to responsibility for managing identified opportunities.
Enhance
For risks that cannot be exploited/avoided or shared/transferred this type of response strategy aims to modify the size of the risk to make it more acceptable [7]. The aim of threats it to mitigate the risk by reducing the probability of occurrences and/or the severity of impact. In the same way opportunities can be enhanced, by increasing the probability and/or impact, by identifying and maximizing key risk drivers.
Accept/Ignore
For the accepted/ignored threats, where any response is not likely to have an impact on the project objectives, no risk response is planned. When actively accepting the risk the idea is that the uncertainty is being accepted whether it has a positive or negative impact. Accepting opportunities means hoping to get lucky nevertheless, while accepting threats means hoping that the risk never occurs.
Discussion
The following section will describe the risk management process’ limitations and disadvantages and highlight potential advantages when using the method.
Limitations and Critical Reflection
When using the risk management process there are some aspects that need to be taken into consideration. E.g. it is important for the project manager to know what kind of people are handling and doing the assessment of potential risks. The cultures of different companies and countries can have very different perceptions in assessing consequences and what situations can be accepted. Therefore it is important to have in mind that people’s opinions regarding risks and addressing risks can be fundamentally diverse [2].
Furthermore there is a probability, that risks are improperly prioritized and assessed, which induces loosing valuable time on risks that are not likely to occur. Spending too much time assessing unlikely risks can divert resources that could be used more profitably elsewhere.
Advantages
Given that the concept of RMP is applied extensively among projects, the process contains many advantages, which can benefit both small and large-scale projects. According to the PMI projects with a thorough and well-executed risk management process can expect a 15% higher success rate than standard projects [8].
- 17% increase in cost efficiency
- 15% increase in schedule efficiency
By using the RMP and thus identifying and managing risks, project managers can plan ahead and potentially mitigate or reduce problem occurrences. Any organization that effectively manages risks will experience benefits throughout a number of areas, including the following [8] [9] :
- Increased ability to deliver project on time
- Enables decision-makers to confront risk and uncertainty in a realistic manner
- Fewer unexpected surprises
- An ability to quickly grasp and discover new opportunities/ better opportunity management: With greater liquidity follows the ability to capture emerging opportunities
- Enhanced communication between business units and departments
- Improved strategic and business planning
- Permits a thorough analysis of alternative options
- More effective use of resources: The planning and developing risk approaches helps protecting the resources of the organization.
- Improved liability leading to an enhanced reputation among potential clients
- Harvesting reusable knowledge: The risk management process holds inputs from various stakeholders and their different experiences and insights. This achieved know-how can potentially be reused for future endeavors and thereby save time, resources and money
Risk management in general aids in making better decisions concerning uncertainties and risks, by using either qualitative or quantitative methods. The methods aim to detect potential risks comprising threats and opportunities. The risk management methods are not able to predict all project risks but beneficial opportunities and potential threats can be realized when applying methods. Therefore risk management methods and particularly the RMP is highly recommended.
Annotated Bibliography
For more information about risk management in general and the risk management process, the following readings are suggested:
Books
- Maylor, Harvey. Project Management, 4th. Edition. 2010. Pearson. Ch. 10 Risk and Opportunities Management. p. 217-239 [6]
- In this chapter Harvey Maylor focuses on determining the principles of risks and uncertainties. Furthermore the author describes qualitative and quantitative approaches, including the sensitivity analysis, the Monte Carlo simulation and the programme evaluation and review technique (PERT).
- Hillson, David. Effective Opportunity Management for Projects - Exploiting Positive Risk, 2005. Ch. 7 "Planning Responses" pp. 134-152 [7]
- This chapter focuses on selecting response strategies by different risk levels. David Hillson distinguishes between threat responses and opportunity responses and describes how to manage identified risks.
Articles
References
- ↑ 1.0 1.1 1.2 1.3 1.4 Geraldi, Joana, Thuesen, Christian, Oehmen, Josef. How to Do Projects, 29. January 2016. Version 0.5.
- ↑ 2.0 2.1 2.2 2.3 2.4 Ottosson, Hans. Practical Project Management - For Building and Construction, 23. July 2012. Auerbach Publications.
- ↑ PMI. A Guide to the Project Management Body of Knowledge,5th. Edition 2013. Project Management Institute.
- ↑ 4.0 4.1 4.2 Dansk Standard. ISO 21500 - Guidance on Project Management, 27. September 2009.
- ↑ Flyvbjerg, Bent, Stewart, Allison, Budzier, Alexander. The Oxford Olympics Study 2016 - Cost and Overrun at the Games, 20. July 2016.
- ↑ 6.0 6.1 6.2 ' Maylor, Harvey. Project Management, 4th. Edition. 2010. Pearson.
- ↑ 7.0 7.1 7.2 7.3 Hillson, David. Effective Opportunity Management for Projects - Exploiting Positive Risk, 2005. pp. 142-145. Marcel Dekker Inc.
- ↑ 8.0 8.1 IRIS Intelligence. Why Manage Risk, 2010.
- ↑ 'Mok, C., K., Tummala, Rao, Leung, H., M.. Practices, barriers and benefits of risk management process in building services cost estimation, 1997.