Risk management process (RMP) is a concept or a framework to managing risk both internal and external in all industries. It is a concept that has been coming popular for project managers in projects to improve performance and increase the profit. This concept helps management teams to construct a strong and systematic approach to the risk identification. With risk process and strong project management practice the problems in a project can by decreased and could also help to resolve problems that occur later on in projects.

Risk vary in projects because of the uniqueness of every project and due to that fact the concept RMP is very robust approach. Identification, understanding and managing critical risk that can harm the project a concept needs to be followed.

Risk management in project should be throughout the project life cycle. In some cases the risk management is primarily done in the design phase of the project, but should be also manage in the construction phase. The RMP is a five step process that is following ^[1].

Figure 1: "Risk event graph" ^[2].

1. Step 1 – Establish the context
2. Step 2 – Identify the risk
3. Step 3 – Analyse the risk
4. Step 4 – Evaluate the risk
5. Step 5 – Treat the risk

The risk management process is essential to manage those risk that can occur in projects and to be able to mitigate those risks. Studies have shown that the changes of risk event occurring are in the idea, planning and the start-up phase of each project. As represented in Figure 1 the total cost impact is less if the risk event will occur earlier and therefore it is very important to use that period to minimize or mitigate around a potential risk. Moreover, as it goes further into the project phase the increase in cost is very steep ^[2].

This wiki article aims to go through those steps mention above with few techniques and methods that are well known in risk management and how to apply them along the project life cycle. Furthermore, the background of risk management, advantages and RMP limitation will also be discussed.

Overview

Introduction

The risk management term has history in America from the early 1950s and it has been developing since then around the world. It was not until 1963 “The Journal of Risk and Insurance” published nine articles regarding risk management. From the year 1963 and until 1967 an increase in academic interest was shown. It was not until early seventies that the risk management awareness increase in Europe and that is due to the expansion that happened in the United States in early years ^[3]. With the awareness of risk around us the expansion of the subject has aroused and is coming mainstream in businesses today.

What is risk, risk management and what purpose/value does risk management process have?

Risk is the likelihood and the impact of a certain event with potential to effect the goal or the objective of the project. To avoid these unexpected risk events that the future has, risk management process is a concept to follow throughout the project life cycle and to be able to maximize the efficiency and the effectiveness ^[4].

Risk management examine the future that is head of us and the uncertainty that it has. Uncertainty can both be good and could also be bad. With examination of the uncertainty that the future has, could lead us to avoid the threats and steer and aim us towards the opportunities ^[5]. Even though risk management is not just avoiding risk or taking one, it is a development that has to have complete understanding of the risk that are relevant to the project ^[1].

The basic RMP principle should always be included when dealing with risk in projects because it helps the management team to efficiently understand and manage unwanted risk. The following main phases of RMP are: Establish the context, identify the risk, analyse the risk, evaluate the risk and treat the risk ^[6].

Application of risk management process

The RMP is not a standalone concept that can be implemented into project or organization. To be able to managing risk effectively through the RMP a well define risk management framework has to be clear. The framework will provide the foundation for success risk management. The RMP at each step will communicate with the risk management framework, as can be seen in Figure 2, and therefore establish a holistic approach to risk management.

Figure 2: "Risk management framework and process"^[1].

RMP can be seen in Figure 3, the five steps in the RMP are well defined and easy to follow with good management practice. In this section the five RMP steps will be explain further and how it can be applied to managing risk. In those five steps that is within the RMP is the risk assessment. Risk assessment is an overgroup of 3 steps, identify risk, analyse risk and evaluate risk. Inside these subgroups of risk assessment are few methodologies that are used to help the management team to establish the right outcome of the RMP. These methodologies will be mention briefly to explain what is used in practice today.

Figure 3: "Risk management process (RMP)"^[1].

Even though the communication, consult, monitoring and review is not part of the five steps, it is key element of risk management. It is essential to communicate and consult with stakeholders, from early stage, in the value chain during all five steps of the RMP. Stakeholders have to understand the basis in decisions and why action is needed for specific risk. This is done by effective communication both internally and externally with stakeholders within and outside the organization.

Establish the context

Figure 4: "SWOT"

The first step in the RMP is establish the context and is key to effective and great risk management. The context will act like a supervisor to ensure that all activities will remain relevant throughout the process. There are various context that needs to be taken into account and to articulate the objective of the project or organization. Establishing the context can be found with SWOT analysis, by identify strengths, weakness, opportunities and threats. The SWOT, Figure 4, analysis can identify the PESTEL, which is the political, economic, social and technological, environmental and legal condition of the context. Context can be divided in external and internal context. Furthermore, the context will set the scope for the risk criteria for later processes and should be establish each time it is implemented.

Risk identification

How to identify risks?

Risk identification is the second step in the RMP. This step is a critical step in risk management where the project manager assembles a team with stakeholders that have the relevant experience. The team tries to produce a list of possible risk that could affect the project from the get-go and through the project life cycle.

The team usually use brainstorming technique to find possible risk events. When using the brainstorming technique the team members have to have open mind and try to come up with as many possible risk events that could occur. Furthermore, team members have to consider the project that is in front of them and also try to learn from mistakes that had occur in other projects that are in the past. In the risk identification process a common mistake is often done, that is to focus primarily on objectives rather than events that could produce consequences. For example, focusing on objectives like failing cost estimation or time schedule instead of thinking what event could cause these events to happen ^[2].

[1] incorporated with work breakdowm structure (WBS) is an effective method to help management teams to identify risk events from the objectives. Breaking down these objectives into macro risk helps the team to check specific areas that are interesting.

This identification process of risk should involve more than the core team inside the organization. All stakeholders in the value chain, for example, customers, sponsors, subcontractors and vendors should have some input into the identification process because it makes them more committed to the project.

https://en.wikipedia.org/wiki/Risk_breakdown_structure

Risk analysis (Step 3) and risk evaluation (Step 4)

Step 3 and 4 are the risk analysis and evaluation of the events that where produced in step 2, risk identification. Even though the name risk can be a threat not all risk events need further inspection. Some of the risk in projects can be ignored while others need more attention because they pose threat to the project. Managers need to screen out these events that pose no threat to the project and try to focus on other risk events that have more potential to harm the project in any way.^[2].

For analyzing risk, scenario analysis is most commonly used method. Scenario analysis is a method that team members have to analyze and assess the severity of each risk event that has been conducted in step 2 in terms of, likelihood of the event happening and the impact of the event.

Risk event that have the greatest effect on the project should receive highest priority. The best way to analyze the risk events is to have a scale ranging from “Rare” to “Almost certain” or have more precise scale with probabilities ranging from for example 0.1, 0.3, 0.5 … 1.5. The scale needs to be evaluated depending on the project nature. Impact scale is also needed to assess the consequences that event has on the project. The scale is often defined in numbers from 1-5, 1-10 or rank-order such as ”Negligible”, “ Minor”, “Moderate”, “Major” and “Catastrophic”. The likelihood and the impact scale can be seen in Table 1 and Table 2 respectively. ^{[2] [7]}.

These two scales, likelihood and impact, are combined into risk matrix as seen in Figure 5. The risk matrix is divided into four categories green, blue, yellow and red. The green category is representing minor risk, blue is representing medium risk, yellow is representing major risk and red category is representing extreme risk. To place each risk event in the risk matrix a light calculation is needed. The formula for risk value is:

Figure 5: "Risk matrix"

The step 4 is the evaluation of the risk event. Risk value is a number that can be evaluate and therefore be placed into the risk matrix. After the placement of each risk event in the matrix that was consider in the beginning of the RMP the evaluation of risk event expectant is formed. As can be seen in Figure 6, if the risk event falls into the red zone the event needs an urgent attention and needs treatment, but if the risk event falls into the green zone, which is the save zone, the risk can accepted or accepted with minor treatment. Categories for yellow and blue can be treated with attention or investigation.

Figure 6: "Risk explanation"

There is one other option that is available and it is widely used, that is Failure Mode and Effect Analysis (FMEA) technique. By adding detection into the Risk value formula gives the analysis a clearer view how difficult is to detect the risk event that could be a head of us. The detection scale is would also be in the same scale as the probability and the impact. If a risk event would get a 5, it cannot be detected until it is too late, but if an event would receive 1, it would be very easy to detect the risk. The event that receives the highest score from the calculation will have the highest impact.

Risk treatment/response

WIP

Monitoring risk

WIP

Advantages

WIP

Limitations

WIP

References

1. ↑ ^{1.0 1.1 1.2 1.3} John Lark.(2015) ISO 31000, Risk management.
2. ↑ ^{2.0 2.1 2.2 2.3 2.4} Larson, E. W. and Gray, C.F (2010) Project Management, The Managerial Process (5th ed.).McGraw - Hill/Irwin, NY
3. ↑ Neil, G.C.(1982) The Bibliography and History of Risk Management: Some Preliminary Observations, 7(23),169-179
4. ↑ Smith. N.J., Merna, T. and Jobbling p.,(2006) Managing Risk in Construction Projects
5. ↑ Kozin. I.,(2015) Course 42172: Risk and decision making
6. ↑ Gajewska. E. and Ropel. M.,(2011) Risk Management Practices in a Construction Project – a case study.
7. ↑ Duijm, N.D. (2015) Recommendations on the use and design of risk matrices

Annotated Bibliography