Revision as of 10:17, 21 September 2017

Abstract

Pro-active risk and opportunity management considers risk and opportunity events in a project with the purpose of mitigating the risk and enhance the opportunities before they occur. Risk events occur from uncertainties within a project whereas negative outcome is a risk for the project but positive outcomes can become opportunities for the stakeholders of the project.

A process/model to gain risk control for a pro-active risk and opportunity management is first identifying risks then assess the risks and last treat the risks which result in risk control. There is a fourth step to the process giving after treatment the risk management will be reviewed for analysing the success rate of the risk response/treatment.

Risk as definition is probability P times the impact I giving the formula:

Therefore is key elements in risk management the probability and impact that the events will occur and have. For pro-active risk management the key is then to manage these two values, done with different models and methods described further in the article, with the outcome of mitigated risk and enhanced opportunity events.

Introduction

For risk management there is in general four stages to ensure risk control the process is shown on figure 1. The four risk stages that form the risk control will be analysed with the perspective of pro-active risk and opportunity management.

Figure 1. Four stages of classic risk management towards risk control.^[1]

For the first face in risk control the identification of the subject/risk event must be specified hereby will identify risks be analysed.

Identify Risks

The identification of risks has the purpose to determine if risk events occur whether they are positive or negative for the project. ^[2] For positive outcomes the event will be known as "opportunity" for the project, whereas the negative events is known as "threats" for the project. This can change the life cycle of the project process.^[3] E.g. can an opportunity mitigate the time development of a certain product within the project or a delivery can be done more cost beneficial if two stakeholders within the project collaborate. Negative outcomes of events will be seen as threats for the project this can e.g. cause cost overruns or time delays. This can be resource based managers that can not produce a product because the detail drawings are delayed. The drawing department is delayed do to the client not being able to give early and precise instructions on what the product must fulfil. Hereby will the identification help risk managers to locate the problem of the delay and begin assessing it. Identification analysis will only analyse where events could occur but the assessment and treatment of the events is further steps into the process of risk control. Additionally from the DS/ISO standard should the identification process involve many stakeholders within the project e.g. project customers, project manager, project team, senior managers, risk managers, clients, users etc. ^[3] The second step in pro-active risk management is assessing the risks that have prior to the project been identified.

From DS/ISO the primary inputs of this face is the project plans whereas the primary outputs is risk register.^[3]

Assess Risks

The assessment/analysis of the events that has been identified is to prioritize which risks are the most severe and should be dealt with immediately.^[2][3] How to determine the priority is through analysis of the probability for the event occurrence and the impact it will have on the project objectives. ^[1] Which will lead to the risk given by the formula:

Time-frame and key stakeholders risk tolerance must be considered when the impact of the risk is determined. E.g. if a risk is analysed to directly affect the client or the main investors the impact of that risk will be considered high compared to a risk that a resource based manager in the project could experience. This is due to the importance of the stakeholders if the investors in the project withdraws the funding and the project falls apart. Whereas if a resource based manager experiences threats the worst outcome could be time delays or cost overruns this should of course be mitigated as much as possible but the effect on the project will be considerably lower.

Considering pro-active risk management the goal is to analyse the identified risks before the project has begun with the benefit of cost savings. A golden rule within a projects process is that the earlier important decisions are made the cheaper it is to change.

The impact in the equation of risk can be considered in four categories cost, time, scope and quality as shown in figure 2. Already discussed is the cost and time influence in a project but the scope within the project must also be considered when investigating impact. Scope measures the hole process of producing a product with a high impact this can lead to the scope being effectively useless or unacceptable. Furthermore is the quality of the project measured when observing impact. E.g. must the client be informed of the reduction of quality with the purpose of approving the product or discard it.

Figure 2. Impacts within a project with four project objectives.^[1]

From DS/ISO the primary inputs in the assessment is the risk register and project plans hereby giving the output of prioritized risks.

Opportunities in a project that is realised in the early faces is the assessment used to provide the stakeholders with information of how well the opportunities can be exploited. Thus giving them a analysis of how to reach the goal and what that goal then provides within the project.

Treat Risks

The third process step in controlling risks is the treatment with the purpose of determining the actions needed to reduce the risks and enhance opportunities that have been analysed in the assessment. ^[3] This stage put resources into the opportunities and risks found in the identification process and analysed in the assessment. Thus providing information of where the investment should be and how that investment will pay of. This stage in the process towards risk control measures the necessary treatment for risks. From DS/ISO it is stated: "Risk treatment includes measures to avoid the risk, to mitigate the risk, to deflect the risk or to develop contingency plans to be used if the risk occurs." ^[3] How well a treatment of risks is handled determines the projects success with the degree that the outcome of a bad treatment can lead to project failure. While a good treatment can lead to enhanced cost benefits and minimise the time schedule.

DS/ISO determines the input of the treat risk process as risk register and project plans with the outcome of risk responses and change requests.

Risk Review

Risk management is a constant process of the four stages with the control at focus. The next stage has a goal of reviewing/monitoring the treatment and update the risk register ^[1]. The monitoring of the treatment is for assurance of effectiveness and quality of that process. If mistakes were to occur in the treatment the monitoring process will have the purpose of detecting it thus providing the treatment to be fulfilled without incompletions or gaps. The update of the risk register is the link to back to the identification because here new risk and old will be indentified and then analysed once again to ensure the treatment was complete hereby providing risk control.

Risk Control

DS/ISO defines the inputs and outputs for controlling risks as shown in figure 3

Figure 3. Inputs and outputs for risk control.^[3]

References

1. ↑ ^{1.0 1.1 1.2 1.3} Geraldi, Joana and Thuesen, Christian (2017) Lecture from project management MEP-4, Publisher: Technical University of Denmark
2. ↑ ^{2.0 2.1} Geraldi, Joana and Thuesen, Christian and Stingl, Verena and Oehmen, Josef (2017) How to DO Projects? A Nordic Flavour to Managing Projects Version 1.0, Publisher: Dansk Standard
3. ↑ ^{3.0 3.1 3.2 3.3 3.4 3.5 3.6} Guidance on project management (2013) DS/ISO 21500 Version 2.0, Publisher: Dansk Standard