Revision as of 01:02, 29 November 2014

“When trouble is sensed well in advance in can be easily remedied; if you wait for it to show itself any medicine will be too late because the disease will have become incurable. As the doctors say of a wasting disease, to start with it is easy to cure but difficult to diagnose; after time… it becomes easy to diagnose but difficult to cure.” (Machiavelli, 1514) ^[1]

When dealing with a project, uncertainties are to be expected, whether the project is influenced by external or internal factors. If an unexpected event turns out to be harmful to the project it is in general terms considered to be a risk. A risk can be defined as the product of the probability of the risk and the impact of the risk. Should a problem be very likely to happen, but have a little or no impact on the project there is little reason in prioritizing the mitigation of the problem. For a problem having a high impact, but very low probability the need to mitigate this problem is likewise not a priority. The impact of a risk is however more severe than the probability. For instance are smaller injuries, which happen often, easier to accept than heavier injuries, which happen more seldom. The probability of a problem should however not be neglected. A common way to illustrated this is by playing a small game:

In the construction business many factors must by in order for the project to move forward. Six people are given a dice and a problem. Whenever a person rolls a 1 a problem has occurred which delays the project. Thus the probability of a problem happening is 1/6. The probability of no problem happening is:

This means that only a third of the time, the project will progress.

A useful risk management strategy comprises of the following steps:

• Identify - Potential risks are identified.
• Analyze - Identified risks are rated, related to probability and impact.
• Assess - Analyzed risks are ranked and compared to each other to determine which risk to handle first.
• Process - Solutions are found to counter effect the risks.
• Monitor - During the project lifetime, identified risks are monitored and new, potential risks are identified.

This article will examine ways to do a successful risk management.

Definitions

Risk

PMBOK defines a risk as: "An uncertain event or condition that, if it occurs has a positive or negative impact on one or more project objectives such as scope, schedule, cost and quality" ^[2].

But mathematically:

Probability

The probability of a risk is the estimated likelihood of a certain event happening.

Impact

The impact is the consequences a risk may have on a project. The impact can include: Personal injury, monetary loss, delays, ect.

Risk identification

During the risk identification, a project is scrutinized for potential risks. During the scrutinisation experience is a good asset when determining the potential risks, but other methods do however exists. Risk identification is the simplest of the risk management steps, since it only requires the project group to think of possible threads and opportunities. Risk identification is however the most important step and should be repeated iterativly during the project lifetime to ensure the safety of the project.

Identification methods

Instead of relying on experience and common sense, when determining the possible risks, taxonomy-facilitated brainstorming ^[3] could be used. Brainstorming techniques includes:

• Check-lists
• What-if analysis
• Failure mode and effect analysis (FMEA)
• Hazard and operability studies (HAZOP)

These exercises should help the brainstorming and thought processes to identify risks.

Another method^[4] is to ask "What could go wrong?", and answer it when relating to the following subjects:

• Current and proposed staffing, design, process, resources, suppliers, dependencies, operational employment, ect.
• Monitoring test results
• Reviewing shortfalls against expectations
• Analyzing negative trends

Risk analysis

With the risks identified it is now possible to do a risk analysis. This analysis determines each risk's probability and impact.

Probability rating

I can be very tricky to determine the exact probability of a given risk and knowing the probability might increase the complexity of the following risk assessment. A standardized way to rate probability is by using the table below^[5]. Whether the rating is based on experience, common sense or actual facts does not matter at this step.

Note that a probability of 0% is not possible, since that would mean that the event will not happen. Likewise is a probability of 100% neither possible, since that would mean that the event will happen.

Impact rating

Like determining the level of probability of a risk, the level of impact is equally as tricky to determine. There for a rating scale has been presented below^[6]. The difference between impact rating and probability rating is that, the impact rating tries to embrace consequences regarding human health, expenses and delays and compare these different subjects. Therefore is a standardized method of determining level of impact useful. Like probability the rating can be based on experience, common sense or actual numbers.

Uncertainty rating

When the probability and impact is determined for a risk, the risk can be assessed. However it would be wise to consider the uncertainty of the analysis. This can be done by using the table below^[7].

If a "Yes" is the answer to any of the above mentioned questions, then the risk faces certain uncertainties. These uncertainties should be rated in a manner fitting to group doing the risk analysis. An example might be:

• The risk's uncertainty is marked Red if two or more questions have gotten a "Yes".
• The risk's uncertainty is marked Yellow if one question has gotten a "Yes".
• The risk's uncertainty is marked Green

Risk assessment

With the identified risks analysed it is possible to assess them and find the most serious risk. To get an overview it can be helpful to multiply the impact of the risk with its associated probability.

If the rating system proposed earlier is used, the risks will be arranged from 1 to 25, with severity increasing with the product. This is the most basic form of risk assessment.

The risk matrix

The probability-impact matrix for risk assessment^[8]

When dealing with risks it is normal to prefer several smaller risks rather than one serious risk. This means that the impact of a risk is a little heavier than the probability, which should be taken into account when doing a risk assessment. To help classifying the risks a matrix has been produced to the right. Each risk can be plotted into this matrix, where the color code tells the severity of the risk, with red being the most dangerous risks and green the most harmless.

Prioritization of the risk should then be carried out within each color-set using the previously defined method to determine the risk's severity. Should two risks have the same severity, the risk with the highest impact rating will be prioritized before the other. When the impact of two risks are the same, they will receive the same level of prioritization.

Considerations should be taken when using the matrix, since it has its limitations^[9]:

• The matrix does not consider interactions between two or more risks.
• The matrix does not map uncertainties.
• The matrix' trade-off between likelihood and consequences is fixed and might not suit all projects.

Risk processing

When the risks have been determined and assessed, it will be natural to determine what to do about them. This depends on the previously made risk assessment.

Risk processing using the probability-impact matrix

Any risks in the red area of the matrix should be avoided.

Any risk in the the yellow area should be either mitigated, transferred or researched/nurtured depending on the malignancy and probability of the risk.

Any risk in the green area should most likely be accepted.

However some of the green risks could be yellow, depending on their uncertainty level.

Risk processing without using the probability-impact matrix

If the probability-Impact matrix was not used the following method can be used to determine a risk response:

Harmful risk - responses:

• Avoid: For high probability, high impact
• Transfer: For low probability, high impact
• Mitigate: For high probability, low impact
• Accept: For low probability, low impact

Useful risk – responses:

• Accept: For high probability, high impact
• Research: For low probability, high impact
• Accept: For high probability, low impact
• Accept: For low probability, low impact

Risk process responses

Below is a list^[10] of responses and possible solutions to use depending on the probability and impact of the risk. The list is only a framework. For a defined risk, the actual solution can be found within these frames.

Accept the risk

Whether the risk is harmful or not, if the probability is low there is no need for doing anything to mitigate it. The occurrence of the event opposed to price of mitigating it will mostly be always turn out to too expensive. Should a benign risk with a high impact and high probability be determined for a project, then this too should also be accepted, since it is very likely to happen.

Mitigating the risk

Malignant risks with low impact, but a frequent occurrence should be mitigated. This is done by making contingency plans, investing in safety equipment and other actions which can lower the probability and/or impact.

Transfer the risk

For malignant risks, with a low probability, but high impact, the most reasonably course would be to transfer the risk to someone else. This can be done by outsourcing the risky parts or by buying insurance in case the risk happens.

Avoid the risk

Should a risk be harmfully serious and very likely too happen, no insurance company will help. These occurrences should be avoided at all cost. This can be done in numerous ways depending on the risk. The safest way to avoid the risk is to change the part of the project which is in danger. If this is not possible, then the project should either be canceled or delayed until the risk no longer is probability or impact has lessened.

Research/nurtur the risk

In the rare cases where a benign risk will have a major impact on a project, but not likely to happen, the risk should be further researched, leading to ways to improve the likelihood. It goes without saying that the cost of implementation should not be larger than the potential gains. If the research proved fruitful the risk should be nurtured to a more probable level.

Risk Monitoring

With the risk processing is done, the first iteration can be considered concluded. It is however important to keep monitoring the identified risks and be mindful of need risks which may arise during a project. When ever a new risk arises it should be sent through the same analysis as the previously determined risks.

This will decrease the likelihood of negative impacts on the project, thus encourage a more successful project.

Conclusion

Risk management is an important tool to use, if a successful project is to be achieved. Risk management should be implemented as early as possible in the process as possible, but does also require recurring follow-ups to ascertain:

• The analysed levels of each risk relates to the current state.
• The effectiveness of the risk response is adequate.
• Newly arisen risks are handled.

References

1. ↑ [Niccolo Machiavelli “The Prince”]
2. ↑ ["A Guide to the Project Management Body of Knowledge ( PMBOK® Guide )—Fifth Edition"]
3. ↑ [NASA "NASA Risk management handbook"]
4. ↑ [Department of Defense "Risk management guide for DOD acquisition]
5. ↑ [Department of Defense "Risk management guide for DOD acquisition]
6. ↑ [Department of Defense "Risk management guide for DOD acquisition]
7. ↑ [NASA "NASA Risk management handbook"]
8. ↑ [Department of Defense "Risk management guide for DOD acquisition]
9. ↑ [NASA "NASA Risk management handbook"]
10. ↑ [NASA "NASA Risk management handbook"]