The Risk Management Process is a clearly defined method of understanding what risks and
opportunities are present, how they could affect a project or organization, and how to respond to
them.

The risk management process is an important tool for project managers and should be implemented
from the start of a project. It allows us to identify and characterize risks for a more informed view
of the project. It allows us to account for the cost of risks early on, and it guides decision-making
throughout the life of the project.

Regardless of the types of risk being considered, the risk management process involves several
key steps:

1. Identify all significant risks that can reduce business value (or cause loss).

2. Evaluate the potential frequency and severity of losses.

3. Develop and select methods for managing risk in order to increase business value to
shareholders.

4. Implement the risk management method chosen.

5. Monitor the performance and suitability of the firm’s risk management methods and
strategies on an ongoing basis.

The 4 essential steps of the Risk Management Process are:

1. Identify the risk.

2. Assess the risk.

3. Treat the risk.

4. Monitor and Report on the risk.


Four Steps of the Risk Management Process

Step 1: Risk Identification

The first step in the risk management process is to identify all the events that can negatively (risk) or
positively (opportunity)

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative
assessment, quantitative assessment and mitigation plan. It can also be characterized by who is
responsible for its action. Each of these characteristics is necessary for a risk (or opportunity) to be
valid.

In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and
specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly
defined.

Did you know that risk identification is the most important part of the risk
management process? Essential for the success of projects and even for the
organization as a whole, risk identification involves the detection of potential
threats before they can negatively impact collaborators or the company.

Risks are inherent in business and good management can be the determining
factor for success in achieving an organization’s goals, because if you fail to
identify a risk, you also miss an opportunity to avoid it, and missed opportunities
can lead to significant losses.

Risks can come from many sources and having an overview of all of them can be
confusing and complicated.

1. Brainstorming
Brainstorming is the act of bringing together team members to come up with as
many ideas as possible to create something new or to solve problems. This
creative technique explores the team’s diversity of experiences and provides an
opportunity for members to build on each other’s ideas. It’s great for identifying
risks.

With brainstorming, people working on the front lines of the company can share
their perspectives on risk, providing fresh insights on the same processes, thus
helping to close the gap between management and the team.

This methodology is simple and requires no specialized training. It can be used
to identify different types of risks, helping everyone from the teams on the factory
floor to top management.

2. SWOT matrix
Generally used for strategic planning in companies and for new projects, the
SWOT (Strengths, Weaknesses, Opportunities and Threats) matrix can be a
valuable tool for identifying risks from a new perspective.

We identify strengths and weaknesses of the internal environment on the left side
and, on the right side, the opportunities and threats in the external environment:

The SWOT matrix is useful for identifying the positive points of a project or
business, as well as what can be detrimental to achieving goals.
Remember, risk is the uncertainty of a future event, which may be positive (an
opportunity) or negative (a threat).

3. Root Cause Analysis
The tools commonly used for root cause analysis can be very useful for risk
identification as well. We can cite as examples:
• FMEA (Failure Mode and Effect Analysis)
• Cause and effect diagram (Ishikawa or fishbone)
• Pareto charts
• 5 WHYs
Typically, root cause analysis is used after the manifestation of a problem, but we
can also apply it preventively, taking an impact or risk to be avoided as a starting
point.

4. Delphi method
The Delphi method consists of gathering information in an anonymous and
structured manner, usually through questionnaires, managed by a facilitator
responsible for compiling the ideas (risks) identified by the experts.

In each round, the experts individually formulate a list of risks (or answer a
specific questionnaire) and submit it to the facilitator. The results of the first
round, once summarized, provide the basis for the second round, and so on.
Based on the results of the information collected in each round, experts can
review or change their opinions and present new arguments. This process
continues until all participants reach an agreement.

This method is an effective way to reach a consensus, especially when many
people are involved. Furthermore, anonymity means that experts can express
their opinions freely and avoid errors, reviewing earlier opinions in each round.

5. Interviews
Risks can be identified through interviews with project participants or experts in
the area in question to carry out the risk assessment. With the diversity of their
experience and expertise, you can obtain a greater number of opinions in the risk
identification process.

6. Inspections
Very important and essential for identifying risks, the inspection is the process of
visiting facilities and contacting team members.

Inspections are usually guided by checklists, which list items, processes,
equipment or facilities to be checked. The goal is to identify, prevent and correct
situations that are non-compliant with expected standards.

7. Review requirements and documentation
Requirements contain significant risks. In addition to ensuring the delivery of
quality products, projects and services, compliance with legal requirements also
avoids fines, penalties and various financial losses. For this reason, an analysis
and review of applicable requirements is essential.

Another area to be analyzed, and one which can provide valuable information, is
documentation. For example, it is important to review documents relating to projects,
processes, past audits or performance indicators, as this documentation review
can point out lessons learned, problems and their solutions, thus making you
better prepared should a similar risk occur, or even to identify new risks.

All members of the project can and should identify R&O, and the content of these is the responsibility of
the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for
identifying risks and developing response plans is conducted through exchanges with risk owners. We
will explain each of these roles in further detail in our next article on Risk Management Team Roles.

Below are examples of tools to help identify R&O:

• Analysis of existing documentation

• Interviews with experts

• Conducting brainstorming meetings

• Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality
Analysis (FMECA), cause trees, etc.

• Considering the lessons learned from R&Os encountered in previous projects

• Using pre-established checklists or questionnaires covering the different areas of the project
(Risk Breakdown Structure or RBS).

Step 2: Risk Assessment

There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative
assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative
assessment analyzes the financial impact or benefit of the event. Both are necessary for a
comprehensive evaluation of risks and opportunities.

Qualitative Assessment

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity
by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating occurrence probability (P):

This is determined preferably based on experience, the progress of the project, or else by speaking to a
risk expert, and is on a scale of 1 to 99%.

For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by
the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s
workload.

Evaluating impact severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at
the project level. A scale is used to classify the different impacts and their severities. This ensures that
the assessment of the risk and opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P × I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the
response on critical items first.

Quantitative Assessment

In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a
risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the
Risk Manager (with support of those responsible for estimates and figures), or the management
controller depending on the organizational set up in the company. These amounts represent a potential
additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the
project budget.

For this, it is therefore necessary:

• To evaluate the additional costs incurred by financially reviewing:

o Hours of internal engineering

o Hours of subcontracting

o Additional work to do

o Amendments and/or claims made to contracts

o Etc.

• To calculate the cost of the undesired event’s consequences by adding these values.

This step will make it possible to estimate the need for additional budget for risks and opportunities of
the project.

Step 3: Risk Treatment

In order to treat risks, an organization must first identify its strategies for doing so by developing a
treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the
risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity,
the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to
increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined
for the project. The following 7 strategies are possible:

• Accept: Do not initiate any action but continue to monitor.

• Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of
occurrence and/or the severity of impact.

• Transfer/Share: Transfer responsibility of a risk to a third party who would bear the
consequences of the problem (share the benefits of a realized opportunity).

• Avoid/Exploit: Entirely eliminate uncertainty / take advantage of the opportunity.

Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report
regularly to the risk manager, who must keep the risk register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

• Each action begins with an action verb and has a clear purpose.

• Each action has an actionee and a deadline.

• Actions that could generate costs must be tracked and considered in the project.

• For example: to reduce the risk of my car breaking down, a treatment plan could be to have it
checked annually by a repair shop.

When does risk become an issue?


Anticipating Risks and Opportunities

It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could
increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The
Risk Manager must then inform the various project stakeholders who will relay that a risk has become
an issue and transfer it to the issue log.

Step 4: Risk Monitoring and Reporting

Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency
of this will depend on the criticality of the risk or opportunity. Developing a monitoring and reporting
structure ensures there are appropriate forums for escalation and that appropriate risk responses are being
actioned.

Risk monitoring refers to an organization’s framework for staying aware of its current risk exposure,
including the implemented risk management system and any other activities that inform the
organization’s risk decisions. It is a key component of determining individual risk appetites – in other
words, the decision of how much risk can be tolerated – and often leads to the creation of key risk
indicators (KRIs).

While business risk monitoring happens at the end of the risk management process and as a result of it,
it needs to be ongoing and reviewed often, to ensure that appropriate risk responses are actioned in a
timely fashion.

The risk monitoring process can be overseen by a dedicated risk team but it’s also common for
compliance teams, anti-fraud teams, or trust and safety teams to take that responsibility.

In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of
the five essential elements of Project Risk Management. It should include not only the project
stakeholders and steering members, but the governance cadence for monitoring and reporting on risks
and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction
with the Project Manager.

We will go over both of these roles as well as additional roles within the Risk Management Team in
more detail in our next article.

REFERENCES:

27 Sept 2021 https://www.migso-pcubed.com/blog/risk-management/four-step-risk-management-process/

https://www.360factors.com/blog/five-steps-of-risk-management-process/
