Risk Management Process
opportunities are present, how they could affect a project or organization, and how to respond to
them.
The risk management process is an important tool for project managers and should be implemented
from the start of a project. It allows us to identify and characterize risks for a more informed view
of the project. It allows us to account for the cost of risks early on, and it guides
decision-making throughout the life of the project.
Regardless of the types of risk being considered, the risk management process involves several
key steps:
1. Identify all significant risks that can reduce business value (or cause loss).
3. Develop and select methods for managing risk in order to increase business value to
shareholders.
5. Monitor the performance and suitability of the firm’s risk management methods and
strategies on an ongoing basis.
The first step in the risk management process is to identify all the events that can negatively (risk) or
positively (opportunity)
These events can be listed in the risk matrix and later captured in the risk register.
A risk (or opportunity) is characterized by its description, causes and consequences, qualitative
assessment, quantitative assessment and mitigation plan. It can also be characterized by who is
responsible for its action. Each of these characteristics is necessary for a risk (or opportunity) to be
valid.
In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and
specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly
defined.
Did you know that risk identification is the most important part of the risk
management process? Essential for the success of projects and even for the
organization as a whole, risk identification involves the detection of potential
threats before they can negatively impact collaborators or the company.
Risks are inherent in business and good management can be the determining
factor for success in achieving an organization’s goals, because if you fail to
identify a risk, you also miss an opportunity to avoid it, and missed opportunities
can lead to significant losses.
Risks can come from many sources and having an overview of all of them can be
confusing and complicated.
1. Brainstorming
Brainstorming is the act of bringing together team members to come up with as
many ideas as possible to create something new or to solve problems. This
creative technique explores the team’s diversity of experiences and provides an
opportunity for members to build on each other’s ideas. It’s great for identifying
risks.
With brainstorming, people working on the front lines of the company can share
their perspectives on risk, providing fresh insights on the same processes, thus
helping to close the gap between management and the team.
We identify strengths and weaknesses of the internal environment on the left side
and, on the right side, the opportunities and threats in the external environment:
The SWOT matrix is useful for identifying the positive points of a project or
business, as well as what can be detrimental to achieving goals.
Remember, risk is the uncertainty of a future event, which may be positive (an
opportunity) or negative (a threat).
3. Root Cause Analysis
The tools commonly used for root cause analysis can be very useful for risk
identification as well. We can cite as examples:
• FMEA (Failure Mode and Effect Analysis)
• Cause and effect diagram (Ishikawa or fishbone)
• Pareto charts
• 5 WHYs
Typically, root cause analysis is used after the manifestation of a problem, but we
can also apply it preventively, taking an impact or risk to be avoided as a starting
point.
4. Delphi method
The Delphi method consists of gathering information in an anonymous and
structured manner, usually through questionnaires, managed by a facilitator
responsible for compiling the ideas (risks) identified by the experts.
In each round, the experts individually formulate a list of risks (or answer a
specific questionnaire) and submit it to the facilitator. The results of the first
round, once summarized, provide the basis for the second round, and so on.
Based on the results of the information collected in each round, experts can
review or change their opinions and present new arguments. This process
continues until all participants reach an agreement.
6. Inspections
Very important and essential for identifying risks, the inspection is the process of
visiting facilities and contacting team members.
Another area to be analyzed, which can provide valuable information, is
documents. For example, it is important to review documents relating to projects,
processes, past audits or performance indicators, as this documentation review
can point out lessons learned, problems and their solutions, thus making you
better prepared should a similar risk occur, or even able to identify new risks.
All members of the project can and should identify R&O, and the content of these is the responsibility of
the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for
identifying risks and developing response plans is conducted through exchanges with risk owners. We
will explain each of these roles in further detail in our next article on Risk Management Team Roles.
• Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality
Analysis (FMECA), cause trees, etc.
• Using pre-established checklists or questionnaires covering the different areas of the project
(Risk Breakdown Structure or RBS).
There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative
assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative
assessment analyzes the financial impact or benefit of the event. Both are necessary for a
comprehensive evaluation of risks and opportunities.
Qualitative Assessment
The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity
by occurrence probability and impact severity, according to the project’s criticality scales.
This is determined preferably based on experience, the progress of the project, or else by speaking to a
risk expert, and is on a scale of 1 to 99%.
For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by
the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s
workload.
Evaluating impact severity (I):
To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at
the project level. A scale is used to classify the different impacts and their severities. This ensures that
the assessment of the risk and opportunity is standardized and reliable.
The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the
response on critical items first.
Quantitative Assessment
In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a
risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the
Risk Manager (with support of those responsible for estimates and figures), or the management
controller depending on the organizational set up in the company. These amounts represent a potential
additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the
project budget.
o Hours of subcontracting
o Additional work to do
o Etc.
• To calculate the cost of the undesired event’s consequences by adding these values.
This step will make it possible to estimate the need for additional budget for risks and opportunities of
the project.
In order to treat risks, an organization must first identify its strategies for doing so by developing a
treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the
risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity,
the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to
increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined
for the project. The following 7 strategies are possible:
The 7 Risk Response Strategies
• Transfer/Share: Transfer responsibility of a risk to a third party who would bear the
consequences of the problem (share the benefits of a realized opportunity).
Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report
regularly to the risk manager, who must keep the risk register up to date.
Note: The cost of a risk mitigation plan must be integrated into the budget of the project.
• Each action begins with an action verb and has a clear purpose.
• Actions that could generate costs must be tracked and considered in the project.
• For example: to reduce the risk of my car breaking down, a treatment plan could be to have it
checked annually by a repair shop.
It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could
increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The
Risk Manager must then inform the various project stakeholders who will relay that a risk has become
an issue and transfer it to the issue log.
Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency
of this will depend on the criticality of the risk or opportunity. Developing a monitoring and reporting
structure ensures there are appropriate forums for escalation and that appropriate risk responses are being
actioned.
Risk monitoring refers to an organization’s framework for staying aware of its current risk exposure,
including the implemented risk management system and any other activities that inform the
organization’s risk decisions. It is a key component of determining individual risk appetites – in other
words, the decision of how much risk can be tolerated – and often leads to the creation of key risk
indicators (KRIs).
While business risk monitoring happens at the end of the risk management process and as a result of it,
it needs to be ongoing and reviewed often, to ensure that appropriate risk responses are actioned in a
timely fashion.
The risk monitoring process can be overseen by a dedicated risk team but it’s also common for
compliance teams, anti-fraud teams, or trust and safety teams to take that responsibility.
In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of
the five essential elements of Project Risk Management. It should include not only the project
stakeholders and steering members, but the governance cadence for monitoring and reporting on risks
and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction
with the Project Manager.
We will go over both of these roles as well as additional roles within the Risk Management Team in
more detail in our next article.