Risk management process

From apppm
Revision as of 13:16, 15 September 2016 by Bjarnijakob (Talk | contribs)

Jump to: navigation, search

Risk management process (RMP) is a concept or a framework to managing risk both internal and external in all industries. It is a concept that has been coming popular for project managers in projects to improve performance and increase the profit. This concept helps management teams to construct a strong and systematic approach to the risk identification. With risk process and strong project management practice the problems in a project can by decreased and could also help to resolve problems that occur later on in projects.

Risk vary in projects because of the uniqueness of every project and due to that fact the concept RMP is very robust approach. Identification, understanding and managing critical risk that can harm the project a concept needs to be followed.

Risk management in project should be throughout the project life cycle. In some cases the risk management is primarily done in the design phase of the project, but should be also manage in the construction phase. The RMP is a five step process that is following [1].

Figure 1: "Risk event graph" [2].
  1. Step 1 – Establish the context
  2. Step 2 – Identify the risk
  3. Step 3 – Analyse the risk
  4. Step 4 – Evaluate the risk
  5. Step 5 – Treat the risk


The risk management process is essential to manage those risk that can occur in projects and to be able to mitigate those risks. Studies have shown that the changes of risk event occurring are in the idea, planning and the start-up phase of each project. As represented in Figure 1 the total cost impact is less if the risk event will occur earlier and therefore it is very important to use that period to minimize or mitigate around a potential risk. Moreover, as it goes further into the project phase the increase in cost is very steep [2].

This wiki article aims to go through those steps mention above with few techniques and methods that are well known in risk management and how to apply them along the project life cycle. Furthermore, the background of risk management, advantages and RMP limitation will also be discussed.


Contents

Overview

Introduction

The risk management term has history in America from the early 1950s and it has been developing since then around the world. It was not until 1963 “The Journal of Risk and Insurance” published nine articles regarding risk management. From the year 1963 and until 1967 an increase in academic interest was shown. It was not until early seventies that the risk management awareness increase in Europe and that is due to the expansion that happened in the United States in early years [3]. With the awareness of risk around us the expansion of the subject has aroused and is coming mainstream in businesses today.

What is risk, risk management and what purpose/value does risk management process have?

Risk is the likelihood and the impact of a certain event with potential to effect the goal or the objective of the project. To avoid these unexpected risk events that the future has, risk management process is a concept to follow throughout the project life cycle and to be able to maximize the efficiency and the effectiveness [4].

Risk management examine the future that is head of us and the uncertainty that it has. Uncertainty can both be good and could also be bad. With examination of the uncertainty that the future has, could lead us to avoid the threats and steer and aim us towards the opportunities [5]. Even though risk management is not just avoiding risk or taking one, it is a development that has to have complete understanding of the risk that are relevant to the project [1].

The basic RMP principle should always be included when dealing with risk in projects because it helps the management team to efficiently understand and manage unwanted risk. The following main phases of RMP are: Establish the context, identify the risk, analyse the risk, evaluate the risk and treat the risk [6].

Application of risk management process

The RMP is not a standalone concept that can be implemented into project or organization. To be able to managing risk effectively through the RMP a well define risk management framework has to be clear. The framework will provide the foundation for success risk management. The RMP at each step will communicate with the risk management framework, as can be seen in Figure 2, and therefore establish a holistic approach to risk management.

Figure 2: "Risk management framework and process"[1].


RMP can be seen in Figure 3, the five steps in the RMP are well defined and easy to follow with good management practice. In this section the five RMP steps will be explain further and how it can be applied to managing risk. In those five steps that is within the RMP is the risk assessment. Risk assessment is an overgroup of 3 steps, identify risk, analyse risk and evaluate risk. Inside these subgroups of risk assessment are few methodologies that are used to help the management team to establish the right outcome of the RMP. These methodologies will be mention briefly to explain what is used in practice today.

Figure 3: "Risk management process (RMP)"[1].

Even though the communication, consult, monitoring and review is not part of the five steps, it is key element of risk management. It is essential to communicate and consult with stakeholders, from early stage, in the value chain during all five steps of the RMP. Stakeholders have to understand the basis in decisions and why action is needed for specific risk. This is done by effective communication both internally and externally with stakeholders within and outside the organization.


Establish the context

Figure 4: "SWOT"

The first step in the RMP is establish the context and is key to effective and great risk management. The context will act like a supervisor to ensure that all activities will remain relevant throughout the process. There are various context that needs to be taken into account and to articulate the objective of the project or organization. Establishing the context can be found with SWOT analysis, by identify strengths, weakness, opportunities and threats. The SWOT, Figure 4, analysis can identify the PESTEL, which is the political, economic, social and technological, environmental and legal condition of the context. Context can be divided in external and internal context. Furthermore, the context will set the scope for the risk criteria for later processes and should be establish each time it is implemented[1].




Risk identification

How to identify risks?

Risk identification is the second step in the RMP. This step is a critical step in risk management where the project manager assembles a team with stakeholders that have the relevant experience. The team tries to produce a list of possible risk that could affect the project from the get-go and through the project life cycle.

The team usually use brainstorming technique to find possible risk events. When using the brainstorming technique the team members have to have open mind and try to come up with as many possible risk events that could occur. Furthermore, team members have to consider the project that is in front of them and also try to learn from mistakes that had occur in other projects that are in the past. In the risk identification process a common mistake is often done, that is to focus primarily on objectives rather than events that could produce consequences. For example, focusing on objectives like failing cost estimation or time schedule instead of thinking what event could cause these events to happen [2].

Risk breakdown structure (RBS) incorporated with work breakdowm structure (WBS) is an effective method to help management teams to identify risk events from the objectives. Breaking down these objectives into macro risk helps the team to check specific areas that are interesting.

This identification process of risk should involve more than the core team inside the organization. All stakeholders in the value chain, for example, customers, sponsors, subcontractors and vendors should have some input into the identification process because it makes them more committed to the project [2].

Risk analysis (Step 3) and risk evaluation (Step 4)

Step 3 and 4 are the risk analysis and evaluation of the events that where produced in step 2, risk identification. Even though the name risk can be a threat not all risk events need further inspection. Some of the risk in projects can be ignored while others need more attention because they pose threat to the project. Managers need to screen out these events that pose no threat to the project and try to focus on other risk events that have more potential to harm the project in any way.[2].

For analyzing risk, two categories of methods have been developed – qualitative and quantitative. Within qualitative and quantitative are few methods that can be used to determine risk and its value, but choosing the right method for each project could be difficult. Qualitative methods are used when the risk can be placed on a detailed scale from low to high. The quantitative methods are based on numeric estimations and are used to determine the impact and the likelihood of the risk event. When choosing the right method for risk analysis, the size of the project needs to be evaluated e.g. small project sometimes need only identification and what action needs to be taken regarding risk, when larger projects need more work and depth in analysis. [7]

Quantitative methods

Figure 5: "FTA"[7].

To be able to perform quantitative analysis a lot of work is needed. Quantitative methods are more used in larger project due to the complexity and it required often software tool and skilled employee. Methods that could be used is the Monte Carlo simulation, sensitivity analysis and diagram techniques.

Monte Carlo method is based on statistics from previous projects and the information that is collected is sometimes variables of cost and schedule for a project. It is often divided into pessimistic, most likely and optimistic scenarios.

Sensitivity analysis is based on which risk event has the most impact or value. The impact and the value are compared to the objectives of the project and if the event is very critical to the project it is the most sensitive and action needs to be taken. This method have the most beneficial for the project if the analysis is done in the beginning of the project. This method, like Monte Carlo, needs software tool to analyze the data.

Diagramming technique are very often used and when it comes to time and cost. Fault tree analysis (FTA) and Event tree analysis (ETA)) are the two types of technique that are used to determine the impact that risk could have on the project. FTA is used to identify risk events that can bring out or cause failure of an event. FTA is drawn up like a tree, see Figure 5, and the branches represent the cause of the problem and on the top of the tree is the risk event that could occur. The branches in the tree have all different and possible outcomes. For each risk event that could occur in a project a FTA is done. The analysis of the risk event gets more detailed if the branches are many and therefor it could lead to better conclusion what is the real cause for that top event to happen. ETA is very similar in structure as the FTA, it is built like tree but the outcome is different. The ETA branches represent the impact if it is ether success or failure event. This technique should be applied early in the stage and therefore mitigate or avoid the risk. The goal of the ETA is to find the likelihood of negative outcomes that can cause damage to the system from the initial risk event [7].



Qualitative methods

For analyzing risk, scenario analysis is most commonly used method. Scenario analysis is a method that team members have to analyze and assess the severity of each risk event that has been conducted in step 2 in terms of, likelihood of the event happening and the impact of the event.

Risk event that have the greatest effect on the project should receive highest priority. The best way to analyze the risk events is to have a scale ranging from “Rare” to “Almost certain” or have more precise scale with probabilities ranging from for example 0.1, 0.3, 0.5 … 1.5. The scale needs to be evaluated depending on the project nature. Impact scale is also needed to assess the consequences that event has on the project. The scale is often defined in numbers from 1-5, 1-10 or rank-order such as ”Negligible”, “ Minor”, “Moderate”, “Major” and “Catastrophic”. The likelihood and the impact scale can be seen in Table 1 and Table 2 respectively. [2] [8].


Table 1: Likelihood of an event happening
Rating Likelihood
5
ALMOST CERTAIN: Could occur several times per year
4
LIKELY: Likely to arise once per year
3
POSSIBLE: Likelihood that it may arise over a five-year period
2
UNLIKELY: Could occur over a five to ten year period
1
RARE: Very unlikely but not impossible, unlikely over a ten year period
Table 2: Potential impact on the project
Rating Potential impact
5
CATASTROPHIC:Most objectives may not be achieved
4
MAJOR: Most objectives threatened
3
MODERATE: Some objectives affected
2
MINOR: Easily remedied, with some effort the objectives can be achieved
1
NEGLIGIBLE: Very small impact


These two scales, likelihood and impact, are combined into risk matrix as seen in Figure 5. The risk matrix is divided into four categories green, blue, yellow and red. The green category is representing minor risk, blue is representing medium risk, yellow is representing major risk and red category is representing extreme risk. To place each risk event in the risk matrix a light calculation is needed. The formula for risk value is:


Formula Matrix.jpg


Figure 5: "Risk matrix"

The step 4 is the evaluation of the risk event. Risk value is a number that can be evaluate and therefore be placed into the risk matrix. After the placement of each risk event in the matrix that was consider in the beginning of the RMP the evaluation of risk event expectant is formed. As can be seen in Figure 6, if the risk event falls into the red zone the event needs an urgent attention and needs treatment, but if the risk event falls into the green zone, which is the save zone, the risk can accepted or accepted with minor treatment. Categories for yellow and blue can be treated with attention or investigation.

Figure 6: "Risk explanation"

There is one other option that is available and it is widely used, that is Failure Mode and Effect Analysis (FMEA) technique. By adding detection into the Risk value formula gives the analysis a clearer view how difficult is to detect the risk event that could be a head of us. The detection scale is would also be in the same scale as the probability and the impact. If a risk event would get a 5, it cannot be detected until it is too late, but if an event would receive 1, it would be very easy to detect the risk. The event that receives the highest score from the calculation will have the highest impact.

Risk treatment/response

Risk treatment and response is the final and the fifth step in the RMP. The treatment of risk events involves project manager and team members to identify the range of options to treat the risk event, evaluate those options, and make a plan for the treatment and the implementation. The most appropriate method that the team members find to achieve the wanted outcome is chosen. Risk response can be classified as follows:

  • Mitigating
  • Avoiding
  • Transferring
  • Retaining

It is up to the project manager and the team to choose which risk strategy they will go for. If the risk event is inside the red zone in the risk matrix, like in Figure 6, the project manager needs to pay attention to those risk. Following the guidance in Figure 6, will help the managers and the team to treat and evaluate what to do in next steps.

Mitigating risk

When mitigating risk the team members try usually to reduce one of the two option, likelihood or the impact. Reducing the likelihood of particular event to happen is the first option of every team in the business because if it is successful, the team could eliminate the next option of reducing the impact which could lead to higher cost in the end. It is essential to take an early action to reduce the likelihood of an event to happen because as was mention in the beginning the cost will rapidly increase if the project is started and is well ahead in the project life cycle. Furthermore, it is more effective to take early action than try to repair the damage after the risk has occurred. This part of the process may require many resources or time, but in the end it is very effective way of reducing cost.

Avoiding risk

This strategy is very important and should always be the first to consider in a project. Sometimes avoiding risk or eliminate it is not an option, because it can be too expansive or it could be time consuming. Avoiding risk is done by removing the cause or executing the project phase in a different way than it was planned. Even though we decide to avoid the risk the project objectives needs to be achieved. If the situation comes up that we cannot eliminate the risk that occur in the project, we try to eliminate that risk before the project lunches.

Transferring risk

Risk event could be in full or in part transferred. This strategy involves another stakeholder who is willing to take responsibility and the liability if the risk event happen. Transferring risk to another stakeholder is very common because in practice the aim is to ensure the risk event is in the hand of the stakeholder that is willing and is in the best position to deal with it effectively. Passing risk to another stakeholder in the value chain will always cost premium. Therefore, management team needs to evaluate if it is more valuable to adopt the strategy to another stakeholder or keep it and try to avoid or mitigate the risk.

Acceptance/retaining risk

The least strategy that we would use is to accept a risk event to happen, but sometimes project manager or teams need to accept the risk event can occur, because it could be that it is too expensive or too large to transfer or reduce the event. Project managers should be well aware of the risk events that could occur and sometimes they have to take conscious decision to accept the risk knowing it is very slim changes of that event occurring. When acceptance of any risk, project managers and teams are acknowledging to take on the risk when it occurs.

Monitoring risk

Risk monitoring is not part of the five step process that are in RMP concept. Risk monitoring is not a step that has to be done or take. Monitoring risk should be throughout the life cycle of a project and done at each step in the RMP, because that ensures that new and changing risk events will be detected and manage before it occurs by implementing risk response action. To be able to monitor all risk events, meetings should be held regularly to maintain and update old and inform if there is a new threat. To identify new threat, the project manager and the team need to go through the steps that are in the process and repeat them until the project life cycle is over, because there are not many risk that remain static [9].

Case study example

WIP

Advantages

Advantages of RMP is the result in the end where projects and other objectives of the organization will be delivered in time and under cost. This process will maximize the efficiency of risk management and how it is built the risk will be discovered throughout the project life cycle. This process is just one of the things risk managers and teams need to think about. This process will only help the risk management team to increase the level of control, by going through those five steps. Furthermore, if the risk management framework is clear and the relationship with the RMP, there is higher likelihood of a great success in the project.

Limitations

The limitations of this process can be few. The process does not monitor how well the risk management team will work and what methodologies they use in the five steps. It is also up to the risk manager to decide the experts that are going to be within the team. It can be difficult to choose the right team and the right employees that can work to gather in an efficient way. Furthermore, the risk management team has to decide what technique/methods or tool to discover the risk, the process will not help the team to choose between.

Annotated Bibliography

Annotated bibliography: Does the article properly cite and acknowledge previous work? Does it briefly summarize the key references at the end of the article? Is it based on empirical data instead of opinion?


References used in the Wiki-article:

  • Lark, J.(2015). ISO 31000, Risk management .[1].
    • Independent, non-govermental standar. Great practical guide to follow when addressing risk


  • Larson, E. W. and Gray, C.F (2010) Project Management, The Managerial Process (5th ed.).McGraw - Hill/Irwin, NY[2].
    • Book about project management, it goes through modern project management. Practical information about risk and the process how to handle different kind of risk depending on size of the project. Shows various method to managing risk and have snapshots from practice to get the audience to participate


  • Neil, G.C.(1982) The Bibliography and History of Risk Management: Some Preliminary Observations, 7(23),169-179[3]
    • The Geneva Papers on risk management. This paper goes through the history of the risk management and when articles, papers where published. It shows when the topic "risk management" is growing starting in the USA and moving to Britain


  • Smith. N.J., Merna, T. and Jobling P.,(2006) Managing Risk in Construction Projects [4].
    • Written by a group of academics and practitioners, this guide is for construction practitioners having to manage real projects. It shows how the risk management process improves decision making in conditions of uncertainty.


  • Kozin. I.,(2015) Course 42172: Risk and decision making [5].
    • This is an introduction slides from lecture in risk and decision making from Technical University of Denmark


  • Gajewska. E. and Ropel. M.,(2011) Risk Management Practices in a Construction Project – a case study[6]
    • This is a master thesis from Chalmers university and it gives a good overview of RMP in construction project and what methods are used to day


  • Heldman, K. (2005) Project Manager´s Spotlight on Risk Management [7].
    • Handbook that gives a great overview of the risk management process and the qualitative and quantitative methods that can be used

References

  1. 1.0 1.1 1.2 1.3 1.4 1.5 Lark, J.(2015) ISO 31000, Risk management.
  2. 2.0 2.1 2.2 2.3 2.4 2.5 2.6 Larson, E. W. and Gray, C.F (2010) Project Management, The Managerial Process (5th ed.).McGraw - Hill/Irwin, NY
  3. 3.0 3.1 Neil, G.C.(1982) The Bibliography and History of Risk Management: Some Preliminary Observations, 7(23),169-179
  4. 4.0 4.1 Smith. N.J., Merna, T. and Jobling P.,(2006) Managing Risk in Construction Projects
  5. 5.0 5.1 Kozin. I.,(2015) Course 42172: Risk and decision making
  6. 6.0 6.1 Gajewska. E. and Ropel. M.,(2011) Risk Management Practices in a Construction Project – a case study.
  7. 7.0 7.1 7.2 7.3 Heldman, K. (2005) Project Manager´s Spotlight on Risk Management. California: SYBEX Inc.
  8. Duijm, N.D. (2015) Recommendations on the use and design of risk matrices
  9. Risk Management Task Group (2012) Project Risk Management Handbook: A Scalable Approach
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox