PRisk MGT
Table of Contents
Introduction
What is Risk?
Definitions
Risk Equation
Project Risk Management
Risk Management Process
Plan Risk Management
Identify Risks
Subject matter experts
External Risk
Internal Risk
Contractual Mitigation of Risk
Correct wording of Risk
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Responses
Monitor and control Risk
Conclusion
Reference List
Introduction
Perhaps the best way to understand project risk management is to first understand the broad field
of project management and then the challenging field of risk management, and then later narrow down
to project risk management.
There is always a need for coordination of risk management strategies. In many organisations there
is at least an office, if not a department, which deals with risk management issues. Projects on the
other hand, are by definition non-permanent and have a start date and an end-date. Managing risk
in such circumstances is likely to be more challenging due to the temporary nature of project
structures.
In this paper, we will analyse the concept of risk in general and project risk management in
particular. We will also endeavour to come up with a process through which project risk
management strategies can be developed. According to PMBOK® Guide 4th edition, to be effective in
dealing with risk we need some sort of identification of the relevant risks, quantification of such risk
through analysis and evaluation, development of risk responses and lastly, to put in place controls
for monitoring the effectiveness of the risk response strategies (Duncan, 1996).
What is Risk?
Definitions
"Risk Management is about things going wrong and what operations can do to stop things going
wrong" (Slack, Chambers, & Johnston, 2010:573). This definition seems to be a narrow view of risk
management and needs to be understood in the context of Slack, et al. (2010), which is strictly
Operations Management.
Risk Equation
In my view Kerzner (2009) sums up the definition of risk quite succinctly when he defines it as a
function of probability and consequence. Thus:
Risk = ƒ(probability, consequence).
In general, risk will increase when either the probability of occurrence or the consequences of such an
occurrence increase, or decrease when the opposite happens. This part of the definition becomes
very valuable when risks have to be analysed, evaluated or ranked because the definition lends itself
to a mathematical calculation. One can simply extrapolate that the magnitude of risk can be
calculated by multiplying probability by consequence. This of course assumes we have found an
acceptable qualitative or quantitative scale to measure the probability and consequence magnitudes.
Thus:
Kerzner (2009:744) introduces two new elements of risk. The first is the root cause of the risk and
the second, most importantly, is the safeguard or risk response. For example, if getting a tyre puncture
is a risk associated with driving on a particular road, the root cause can be the numerous potholes on
that road. To reduce the level of risk while planning to fix the potholes we may put up signs warning
motorists about the potholes. The potholes in this case are the hazard and the warning signs are the
safeguard. Using the same analogy as before, we can see a clear relationship between the hazard
and the safeguard. Thus:
Unlike the relationship between probability and consequence, we have an inverse relationship
between a hazard and a safeguard. If we increase the safeguard the level of risk comes down and if
we reduce the hazard (fewer potholes), the risk will come down and vice versa. Thus:
In conclusion, we may safely say that regardless of type, risk has to do with an uncertain future
occurrence that may have a detrimental or positive effect on project outcomes. The positive part is
included here to indicate that surprises are not always negative and there may be pleasant surprises
that may enhance project outcomes.
The PMBOK® Guide 4th Edition defines Project Risk Management in the following manner: "Project
Risk Management includes the processes concerned with identifying, analysing and responding to
project risk" (Duncan, 1996). From this definition, we can deduce that to manage risk we have to
identify the risk, analyse it and respond to the identified risks. We will see later on that we have to
complement these three elements with monitoring and controlling. The objective of risk
management can therefore be construed as an effort to decrease the probability and impact of
negative events or threats and to increase the probability and impact of positive events or
opportunities.
Now that we have defined risk and project risk management, we can look at the actual process of
managing risk, and eventually narrow down to project risk management. The following model
depicts how Slack, et al. (2010:573) see the risk management process.
Figure 1 above proposes a process whereby potential causes of risks or failure are assessed. After
this,
a) prevention measures are put in place to try and prevent failure and,
b) to mitigate against the effects of failure and lastly
c) if failures do occur, to try and recover from these.
Slack (2010) lists supply failures, human failures, organisational failures, technology and product
failures as examples.
A number of authors, including Kerzner (2009) and the PMBOK® Guide 4th Edition recommend the
following steps in Project Risk Management:
Plan Risk Management
In the planning of Project Risk Management you will need the Project Scope Statement, Cost
Management Plan, Schedule Management Plan, Communications Management Plan and
Enterprise environmental factors.
In planning for Risk Management we need to face the challenges of how risk is going to be
quantified, qualitatively or quantitatively, or even both. It must be noted that at this stage
the actual risks have not yet been identified.
The output for this part of the Risk Management Process will be a clear plan which contains
mainly, a risk management strategy, methods to execute a program for risk management
and the resources required to execute the plan.
Identify Risks
The first input to be used in the identification of risks is the output from the previous step,
which is the Risk Management plan. Other inputs will include the Activity Cost Estimates
from the work breakdown structure (WBS), activity duration estimates, Stakeholder Register
and the Quality Management Plan.
Various tools can be used to yield information about risks. The starting point could be
documentation of risks from previous similar projects, checklists developed for this purpose,
SWOT analysis and some expert judgements. There are advantages and disadvantages for
using one or the other tool but suffice it to say that the final product must be a Risk Register.
External Risk
External risk can be divided into unpredictable and predictable risk. Examples of
unpredictable external risk include natural disasters, government legislation and war.
Predictable external risk relates to matters such as the cost of money, lending rates, availability
of raw materials and competition. Examples are legislation, weather, politics, and civil
unrest. Fortunately, most external risk is insurable.
Internal Risk
Internal risk, on the other hand, is more directed at events and occurrences which originate
from within the organisation. These can be fairly anticipated and their likelihood and impact
estimated with a certain accuracy. Examples here are wrong product specifications, staff
turnover, project budget overrun, etc. Both internal and external risks have to be identified
Another important distinction to be made is between Business Risk and Insurable Risk. By its
very nature, business is risky. Actually, it is nearly impossible to have any return on
investment without accepting a certain level of risk. What will differ from person to person,
or from one project manager to another, is the level of risk they are willing to undertake.
People differ in their risk appetite or as Kerzner (2009: 746) puts it, we differ in the way we
perceive utility (or level of satisfaction) as against the stakes (or the monetary value of gains
or losses). To some of us, regardless of the rewards there is just no way we are willing to
take certain levels of risk; but to some if the rewards are big enough they will take
disproportionate levels of risk. He calls the former risk averters and the latter risk seekers.
Theoretically, there is also a group that is risk neutral and will always take a proportionate
level of risk for equally proportionate rewards.
| IF | THEN | BECAUSE |
|---|---|---|
| Employees go on a strike | The project will be delayed | The tasks are labour intensive and there is no replacement labour |
| Risk | Consequence | Root Cause |
The approach to risk identification can be process based or according to the work
breakdown structure. The former systematically looks at the processes involved where risk
may occur whilst the latter concentrates on the tasks and the sub-tasks to see which ones
are risky. There are no bad or good approaches or a one size fits all. The main thing is to
come up with a robust risk register.
In conclusion, it can be mentioned that risk identification is not a once off task in the life of
the project, but it is part of the project risk management cycle to be revisited cyclically.
Some hidden risks will only be identifiable late in the life of the project whilst others may
disappear on their own. As a result, the risk register is not a static document but a dynamic
one that needs to be updated periodically.
Perform Qualitative Risk Analysis
Risk analysis is a systematic process to estimate the level of risk for identified and approved
risks (Kerzner, 2009:761). To perform this step you will need a risk register, a risk
management plan and the project scope statement. Analysing risk begins with a detailed
evaluation of the risks according to the risk register. The idea is to accumulate enough data
about the risk so that the probability of its occurrence and the severity of its impact can be
estimated. In most cases the root cause, the historical facts and the current prevailing
circumstances will yield enough data to be able to put some weight on both variables.
Qualitative risk analysis has its own challenges. The basic challenge is how we put a risk on a
scale to find its magnitude. Since we are using qualitative methods and not quantitative
ones, we have a problem of identification of absolutes. It is quite possible to be certain that
a particular event will happen or not happen (where probability is equal to 1). In this case,
can we still classify that event as a risk? The answer is No. This is a business environment
eventuality that must just be planned for. For instance, if you are building a house you know
that one day it will rain. Therefore, houses must have roofs. Building a house without a roof
and subsequently citing rain as a risk and weighing its probability and impact does not make
sense. However, it makes a lot of sense to list a tornado as a risk and measure its probability
and its impact. This will determine how strong your roof should be and how much you are
willing to spend on it as against the losses which may be suffered should there be a tornado
and the roof is blown off. However, can we have one risk being exactly half (50%) of the
other? This brings us to the question of different classes of risk scales.
There are generally about six types of accepted classes of scales (Kerzner, 2009). In summary
they are as follows:
a) Nominal Scale: Numbers allocated have no mathematical meaning and serve only as
labels. An example of this is motor vehicle registration numbers.
b) Interval scale: The numerical allocation does indicate magnitude but has no meaningful
zero point or, zero does not mean the total absence of anything. Thermometer scale is a
good example.
c) Ordinal Scale: This is the scale quite common in measuring risk. The rank order is
meaningful in that high risk may be allocated the number 3; medium risk the number 2
and low risk allocated the number 1. Zero will not be allocated as it would denote the
total absence of risk and therefore irrelevant. However, the interval between 1 and 2 is
not necessarily equal to the interval between 2 and 3. It must be kept in mind that these
scales are usually a result of subjective reasoning and therefore resultant mathematical
outcomes should be treated with caution.
d) Calibrated Ordinal Scale: Coefficients are estimated by evaluating an additive utility
function. These types of scales are not common in measuring risk as they pose challenges
in estimating the coefficients.
e) Ratio Scale: Whereas the usual temperature scales, Celsius and Fahrenheit are regarded
as interval scales due to their lack of an absolute zero point, Kelvin and Rankine scales are
ratio scales because they have an absolute zero.
f) Estimate of Probability scale: These are estimates of occurrence such as in a weather
forecast. Estimate of Probability scales are widely used in project risk management.
The main reason why scales are so important in risk management is that they provide a
handle on managing risk. Since in any situation there are an infinite number of risks, it is not
possible to focus on all of them and there needs to be some sort of ranking order so that
management attention is drawn to the right places.
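The ranking described above, worked through as an added example that is not part of the original paper: register entries use the IF / THEN / BECAUSE wording, are scored as probability multiplied by consequence on the 1 to 3 ordinal scale, and events that are certain to happen are set aside to be planned for instead of ranked. The ratings given to each entry, and the consequence wording for the rain, tornado and puncture entries, are constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scale from the text: 1 = low, 2 = medium, 3 = high; zero is never allocated.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    if_event: str      # IF: the risk
    then_effect: str   # THEN: the consequence
    because: str       # BECAUSE: the root cause
    probability: str   # "low" / "medium" / "high", or "certain"
    consequence: str   # "low" / "medium" / "high"


def score(risk):
    """Magnitude as probability x consequence on the ordinal scale."""
    return LEVELS[risk.probability] * LEVELS[risk.consequence]


def rank_register(entries):
    """Return (ranked risks, certainties that are planned for, not ranked)."""
    # An event with probability 1 is not a risk; it is simply planned for.
    certain = [r for r in entries if r.probability == "certain"]
    scored = sorted((r for r in entries if r.probability != "certain"),
                    key=score, reverse=True)
    ranked, rank, previous = [], 0, None
    for r in scored:
        s = score(r)
        if s != previous:          # equal scores share a rank
            rank, previous = rank + 1, s
        ranked.append((rank, s, r.if_event))
    return ranked, certain


# Constructed register: every rating below is an illustrative assumption.
REGISTER = [
    Risk("Employees go on a strike", "The project will be delayed",
         "The tasks are labour intensive and there is no replacement labour",
         "medium", "high"),
    Risk("It rains during construction", "The interior is damaged",
         "The house has no roof", "certain", "high"),
    Risk("A tornado hits the site", "The roof is blown off",
         "The roof is not built for high winds", "low", "high"),
    Risk("A tyre is punctured", "The journey is delayed",
         "Numerous potholes on the road", "high", "medium"),
]

if __name__ == "__main__":
    ranked, certain = rank_register(REGISTER)
    for rank, s, event in ranked:
        # The score orders the risks; on an ordinal scale a 6 is not "twice" a 3.
        print(f"rank {rank} (score {s}): {event}")
    for r in certain:
        print(f"plan for, not a risk: {r.if_event}")
```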
Decision trees are also a valuable tool where probability has to be calculated for various
outcome combinations. In a situation where two trucks, T1 and T2, are available for parcel
deliveries at various addresses, and either route R1 or route R2 may be used, depending on
the address on the parcels, we may be interested in the probability that parcel P1 will be
delivered using truck T1 on route R2.
The type of distribution to be used can also be a challenge. Distributions may be continuous
or discrete (only whole numbers). The rule of thumb is that the data should dictate what
type of distribution is appropriate not vice versa.
If this is a positive risk then we may ask ourselves what do we do to exploit the opportunity
to the advantage of the project and also how to enhance it.
Risk responses are in the main planned activities designed to proactively deal with a
probable situation in the future. These activities must be allocated to individuals who have
the responsibility to carry them out. Risk response strategies are not damage control
strategies. They do not wait for the event to occur and then kick into action. Theoretically, if
they are 100% effective, the risk event will never even occur. The strategies will however
also cover for the eventuality of the occurrence of that particular event. For example, if
there is a risk of fire at a refinery, the basic aim is to put measures in place such that there is
no fire at all. However, if this unfortunate event does happen, we will need evacuation plans
and safety exits for staff and emergency firefighting equipment.
Conclusion
Reference List
Duncan, W. (1996). A Guide to the Project Management Body of Knowledge. North Carolina, USA:
National Information Standards Organisation.
Johnson, G., Scholes, K., & Whittington, R. (2005). Exploring Corporate Strategy (Seventh ed.).
Edinburgh Gate: Prentice Hall.
Slack, N., Chambers, S., & Johnston, R. (2010). Operations Management. Essex: Prentice Hall.