Developed by Charalampos Filis

The Risk Management is a methodology which aims to control the uncertainties that may occur in a project.The methodology started to be studied after the World War II, when large companies with diversified portfolios began to be developped and the need for insurance against the risks started to grow. Project and Risk managers must eliminate the uncertainties, in order to ensure that the project will achieve its goals. The uncertainties and the risks can be related to the duration of activities, to the absence of adequate resources, to the time and cost or other external factors, that can cause undesired effects to the project's performance. In order to manage these risks effectively and efficiently there are processes that can be implemented to deal with risks. The processes include 2 different phases:the 1st phase is the risk analysis which identifies,analyzes and prioritizes the risks of a project. The 2nd phase is the risk management which includes the development of the risk management planning, the evaluation of the progress and the reevaluation of the existing or potential risks. To enhance the effectiveness of the project risk management methodology and its processes a root cause analysis and its corrective actions can be implemented, in order to ensure that the causes of the problems during the project will not reoccur later in the project or future projects

History

Risk Management began to be studied after World War II, in order to protect individuals and companies from various losses associated with accidents ^[1] . Several sources (Crockford 1982, Harrington and Neihaus 2003, Williams and Heins 1995) date the origin of modern risk management to 1955-1964. During the 1950s, new forms of risk management emerged due to the fact that the risk of several new businesses was high and impossible to be insured. Specifically, in the 1960s new planning activities started to be developped such as risk prevention or self-protection and self insurance activities against different kind of losses or risks. Later in the 1970s, financial risk managenent ^[1] was a first priority for many companies including banks and insurers. The reason was that many companies were exposed to risks that were related to price fluctuations such as interest rates, exchange rates or prices of the raw materials. The next decade, the use of derivatives as risk management tool expanded rapidly as companies intensified their financial risk management. Companies also developped internal risk management models and capital calculations formulas to deal with anticipated risks, as the international risk regulation ^[2] had already began.

The table below presents some of the most important milestones in the history of risk management.

Fig. 1: Milestones in the history of Risk Management

Uncertainty in Project Management

The uncertainties in any project^[3], are the facts that can cause negative or positive effect on the objectives of the project. Most of the project management activities aim to manage the uncertainties that may occur from the earliest stages of the project's life cycle. The lack of available information or knowledge are considered to be some of the basic reasons that cause uncertainties in a project^[4]. Although they can affect the project's final performance, uncertainties stem from factors that cannot be anticipated or measured. Some examples include unforseen tasks, unexpected resource requirements and faulty allocations of time. However, uncertainties can be positive as opportunities and negative as threats. Risk Management is considered to be the methodology that undertakes the management of both threats and opportunities. Traditionally, managers focus on identifying, evaluating and managing threats^[5] ( or as some call it, risks). Nevertheless, the last decade there has been a stronger focus on how to manage the opportunities facing a project. The uncertainties can occur throughout the project's life cycle, but also in the pre-execution stages when they contribute to uncertainty in five areas.

The table below illustrates the five areas of uncertainty

Fig. 2: Areas of uncertainty

All these areas are really important and they affect the project's final performance. As the list goes down the areas become fundamentally more important to the project's performance. For instance the variability associated with estimates involves the other four areas and each of them involves dependencies on later areas in the list.

The six Ws framework for the roots of uncertainty

Fig. 3 :The six Ws framework for the roots of uncertainties

The most important issues that risk management aims to address are related to objectives and relationships between project's parties. Such issues need to be taken into consideration very early in the project and throughout the project's life cycle. For this purpose Chris Chapman[1] and Stephen Ward[2] offer a six Ws framework^[6] which is based on the following questions:

1. Who - who are the parties ultimately involved ? (parties)

2. Why - what do the parties want to achieve ? (motives)

3. What - what is it the parties are interested in ? (design)

4. Whichway - how is it to be done ? (activities)

5. Wherewithal - what resources are required ? (resources)

6. When - when does it have to be done ? (timetable)

Answering these questions which are associated with the uncertainty, is fundamental in order to achieve effective identification and management of both theats and opportunities that may occur during the project's life cycle. In figure 3, the flow lines show how the roots of uncertainties influence the project. The arrows indicate the knock-on effects of the uncertainties on each entity. In the earliest stages of the project's life cycle, uncertainty is considered to be in its highest level. The complex part in many projects is to highlight the nature of the important roots of uncertainties. Nevertheless, we can identify that the what, whichway and wherewithal describe the quality of the project, therefore the lower part of figure 3 corresponds to the cost-time-quality triad which is really important for the project's performance.

The Scope of Project Risk Management

Project Risk Management(PRM)^[6] is the systematic process of identifying, analyzing and responding to project risks, in order to take advantage of the impact of positive events that may occur and to decrease the probability of negative events to occur. The project risk management is based on an integrated analysis of all the sources of uncertainty that outlined above. Really effective PRM will develop plans that will address all the six Ws questions. The PRM includes important processes that must be designed and planned at the highest level within a company. The project managers are responsible for the management of the risks, while at the same time they have to gain the support of the stakeholders as far as the risk identification, the planning and the implementation of the responses are concerned.

Why do we need Risk Management ?

Nowdays, risks are part of every firm's financial and economic activity. The risk management is a process in a project's life cycle that aims to reduce the possibilities of its failure and increase the possibilities for its success. However, there are unexpected events that may occur, that can bring benefits or do harm in a project. A more rigorous approach to risk management at all levels of the business can contribute to^[7] :

- Secure project/business objectives

- Improve project/business performance

- Facilitate improves customer service

- Learn from past experiences

- Focus on due diligence

- Address changing markets

- Fulfil corporate governance regulations

Risks can turn into opportunities, but also can cause negative impacts in the project's performance. Most of the effort of business and project management is focused on the elements that could bring success to the project. However, the last few years it is believed that spending time focusing on the elements that could cause failure, can yield important benefits.

Project Risk Management features

Project Risk Management promotes an original way of thinking among the business. It ensures that during a project's life cycle all the risks that will be generated, have to be evaluated objectively in order to select the best actions that will mitigate the risks and increase the possibility of success. An effective project risk management should satisfy some basic factors^[8] :

• Consider both downside risks (threats) and upside risks (opportunities).

• Challenge project participants and draw from their expertise.

• Promote innovative thinking.

• Focus management attention on key areas of risk.

• Incorporate a standard risk management framework, while remaining flexible to adopt to project specific issues.

• Allow for the ongoing management of risk with continuity through all phases of the project development.

Benefits of effective Project Risk Management

The risk management has a great impact on a project's performance. The correlation between project processes and their outcomes have been investigated over the last years. There is a general agreement that risk management is one of the most influential processes for providing benefits^[9] in terms of project time, cost and quality. Moreover, using risk management in an effective way will enhance the ability of stakeholders to make better decisions in order to achieve mission and goals. It also provides managers with useful tools to anticipate changes and to allocate appropriate resources. Specifically, project risk management enhances the flexibility within a business, while at the same time enables a better compliance management system for the company.

Project Risk Management Processes

Fig. 4 :Project Risk Management Processes

In general, project risk management is a process that aims to identify and manage the events that could negatively affect projects. Risks measure a project's inability to achieve its objectives withinh specified constrains. Constains may include cost, schedule, and technical performance objectives. The importance of risk management can be measured, based on two different components. The first one is the probability of failing to achieve specified objectives, while the second is the impact of failing to achieve these objectives. The risk management processes designed for projects are characterized by the six elements^[8] illustrated in figure 4. This process is iterative and continuously performed throughout the project's life cycle. The first part of the whole process includes three elements and addresses the risk analysis part. The other part addresses the risk management of the project and includes the last three elements.

Elements in the two parts :

• Risk Analysis : Identify Risks --> Analyze Risks --> Prioritize Risks

• Risk Management : Develop Management Plans --> Evaluate Progress --> Reevaluate Risk Exposure

Risk Analysis

Risk Identification : Risk Identification^[10] is the process of determining events that could potentially prevent the project from achieving its objectives. For effective risk identification, it is required that you have defined the scope of the project. Moreover, the involvement of as many as possible stakeholders in the process will contribute to the achievement of better results. Specifically, there are tools that managers can use in order to enhance the effectiveness of this important process. Tools such as :

- documentation reviews, checklist and project assumption analysis

- information gathering techniques : brainstorming, nominal group, interviews, root cause analysis

- diagramming techniques : process/system flow charts, influence diagrams

- SWOT

- expert judgment

Analyze Risks : This element of the process can be divided to two sub-stages: the first one is the qualitative analysis that focuses on identification and subjective assessment of risks and the second one is the quantitative analysis that focuses on the objective assessment of the risks. A qualitative analysis allows managers to identify the risk sources or factors. This procedure is usually associated with some form of assessment which includes the description of each risk and its impact or a subjective labelling of each risk. In general, the main idea is to identify key risks which will then be analysed and managed in more detail. On the other hand, the quantitative analysis involves more sophisticated techniques, usually requiring computer software. This procedure includes the measurement of uncertainties in cost and time estimates and also the probabilistic combination of individual uncertainties. An initial quantitative analysis is essential, as it brings valuable benefits in terms of understanding the project and its problems.

Prioritize Risks : In the risk prioritization element, all the identified risks, their impact assessments and their probabilities to occur are processed in order to create a most-to-least critical rank of identified risks. The major purpose of this element is to provide an input to the 'management phase' where resources need to me managed and allocated.

Risk Management

Develop Management Plan : After the risk analysis phase a management plan^[11] needs to be developped for each risk. Like the previous elements, risk management planning is a continuous process that includes the monitoring of risk handling actions. The risk management planning process must identify what actions are needed, when these actions need to be completed and who is responsible for their implementation and resolution.

Evaluate Progress : This element of the process is focused on assessing the progress^[11] of the risk-handling actions defined in a risk's management plan. During the project, it allows re-evaluation of the situation in order to ensure a successful outcome. In general, it provides businesses the opportunity to continuously improve their performance, their planning and estimating, and risk management process itself

Reevaluate Risk Exposure : This activity aims to identify and assess new risks and exposures, while reevaluating^[11] the existing risks and exposures as the project progresses. The intent of this activity is also to look towards the next set of key project events and to identify specific risks that may occur and affect the project's performance.

Root Cause Analysis and Corrective Actions

During the project's life cycle all the major processes aim to reduce the project risks. However, for the unforseen risks or problems that may occur throughout the project, the risk management considers to be too late since it has already been completed and the lessons learned is too early since that is conducted in the end of the project. For this purpose, project managers and project teams need to deal with these risks in a direct and effective way in order to ensure the final performance of the project. Root Cause Analysis^[12] is a critical process which identifies how, what and why an event occurred so that actions can be taken to prevent future occurrences. Unfortunately, the actions taken by the project teams in order to solve a problem often only address the problem itself and not the underlying causes. As a result, the source of the risks or problems is not solved which implies that the risks or problems will reoccur during the project's life cycle or in the future. Hence, the effective implementation of a root cause analysis requires Corrective Actions to be taken which aim to deal exclusively with the causes of the problems or risks. The corrective actions consist of two major phases :

Fig. 5 :Ten-step problem solving model

• Diagnosis : Investigation to identify the root causes of the problem

• Solution : Taking actions to prevent the causes from reoccurring

A ten-step problem solving model will be presented to provide a more detailed breakdown of these steps. Steps 1 to 5 are for the problem diagnosis and from 6 to 10 for the solution.

1. Define the problem

2. Understand the process

3. Identify possible causes

4. Collect data

5. Analyze data

6. Identify possible solutions

7. Select solutions

8. Implement solutions

9. Evaluate the effects

10. Institutionalize the change

Limitations of the methodology

The effective implementation of a project management methodology requires the recognition of its limitations^[13]. As far as the project risk management is concerned, there are basic reasons why businesses would not choose this methodology for projects :

• Lack of data : Many risk assessment analysis techniques involve gathering data. Unfortunately, creating accurate models or simulations that will be able to predict events that may occur is a procedure that requires extensive data collection, which can be expensive and not completely reliable.

• Insufficient Analysis Expertise and Time : Using computer software to simulate activities that can cause negative impacts on a project, has become a more cost-time efficient method. However, it requires high level of skills and knowledge to intepret the results correctly. Complex projects with many variables require trained personnel, who may not be assigned to the project.

• Training : A part of the time that is spent on research and development will have to be allocated for training to ensure proper execusion of the project risk management.

• Motivation : Employees that are already associated to their mundane activities need to adjust to new measures.

• Subjective Judgement: People perceive things in a different way, in the sense that everyone can see things from his perspective. Specifically, in projects some people identify some factors as risks, while others can see opportunities behind those factors.

• Update risks in real time: Risks are evolving in time, due to the fact that projects take place under different circumstances every time. However, managers fail to update and revaluate these risks periodically and the project's performance can be negatively affected.

References

1. ↑ ^{1.0 1.1} Risk Management:History, Definition and Critique by Georges Dionne (2013)
2. ↑ Project Risk Management,Future Developments by Dr David Hillson(2011)
3. ↑ Dr. Oddmund Granli (2009), Project risk/uncertainty management
4. ↑ Agnar Johansen (2014), Uncertainty Management
5. ↑ Eric Mcconnell (2010), Opportunity/Threats Management
6. ↑ ^{6.0 6.1} Project Risk Management by Chapman-Ward 2nd edition
7. ↑ Techniques for managing risks, Keith Anderson-Calvin Hastings-Lester Sherman (2012)
8. ↑ ^{8.0 8.1} Project Risk Management, Methodology and Applications by Marco de Santis (2014)
9. ↑ Benefits of Risk Management in Projects, Programs and Portfolios Kenneth K.(2008)
10. ↑ Risk Identification in Project Management by Donna Ritter (2014)
11. ↑ ^{11.0 11.1 11.2} Processes step by step in Project Management.David Hillson (2013)
12. ↑ Root Cause Analysis and Corrective Actions by Gareth Byatt (2011)
13. ↑ Limitations, Risk Project Managemet by Tara Dugan(2010)