APM – Managing Risk and Issues 

APMP – Managing Risks and Issues

The APM definition of risk is:

“Combination of the probability or frequency of occurrence of a defined threat or opportunity and the magnitude of the consequence of the occurrence”

However, the above definition is more of a statement of how risk is measured, so a better definition is:
“The project risk is something that might occur, and if it does, will impact on the project’s objectives of cost, time, performance, and quality.  Risk is uncertainty in an outcome.  Risks can be either negative threats or positive opportunities”

The risk management plan

By their nature, all projects are inherently risky.  Therefore the management of risk should be an integral part of the project and carried out over the entire life cycle.

Traditionally, wrists have been thought of solely as negative or vents, but current thinking treats risks as uncertainty which can have both positive and negative impacts.  The term “risk event” covers both threats and opportunities and both can be managed to a single process.

The way in which risk is to be managed in a project is detailed within the risk management plan, which defines how all the risks processes will be carried out.  It does not consider individual risks as the risk management plan is more of a strategy.

The typical content of a risk management plan consists of the following:

• The methodology and data sources
• Roles and responsibilities
• Budgeting for risk management
• Timing, i.e. when risk assessment will be carried out
• Qualitative and quantitative scoring methods
• Risk thresholds
• Reporting format
• How risks will be tracked

The APM risk management process

The purpose of risk management it is to identify all significant risks to the project and manage those risks so as to eliminate or minimize threats, and maximize opportunities.

The APM body of knowledge also identifies and the initiation process before identification.  This step effectively replicates the production of the risk management plan.  The final step is referred to as implementation.

The APM steps are therefore:

• Initiate
• Identify
• Process
• Plan responses
• Implement responses

APM risk identification

There are a variety of techniques for identification of risks, and these are:

Brainstorming.  Using the project team and appropriate stakeholders

SWOT analysis.  Strengths and opportunities generate upside risks.  Weaknesses and threats identified downside risks

Assumptions analysis.  Looking at the assumptions made in the planning to see if any of them constitute a risk

Constraints analysis.  Similarly for project constraints

Using the WBS.  Identifying risks to individual work packages

Interviews.  Interviewing people with knowledge or inside relevant to the risks

There may also be sources of information external to the project that can help the identification process.

For example:

Prompt/checklists.  Using existing prompt sheets and check lists

Post project reviews or lessons learned.  These are from previous projects with some commonality

Risk registers of other projects.  This is using projects with some commonality

APM risk assessment

The purpose of risk assessment is to prioritize the identified risks.  In particular it needs to establish the key risks that require management focused and action

Assessment is based on determining probability and impact and this is most conveniently carried out with the aid of a probability and impact grid

APM probability and impact grid

The probability and impact grid is a simple but effective to all that is used to prioritize identified risks.  It will often use a scale that involves using judgment to place probability and impact from very low to very high

APM qualitative and quantitative risk analysis

The above assessment method is purely qualitative in the sense that the scales are subjective assessments of the probability and impact.

This is sufficient to privatize the risks, but for a full and proper assessment, the analysis should be quantitative.

The probability grade can be converted to a quantitative method by stating probability and impact in numeric terms.  There are also other quantitative techniques such as Monte Carlo and methods and decision tree analysis.

Typically, a pseudo quantitative methods that is often used is to simply apply a scale of 1 to 5 to the impact and probability.  Simply multiplying the scales gives the risk exposure for each risk and can then be used to prioritize all of the risks.

Exposure = probability times impact

A drawback of this method is that it gives the same weight to both probability and impact, whereas in reality, high impact is more serious than high probability.

Highly impact items must be addressed even if they have low probability.

APM benefits and features of the risk method

The probability and impact grid is widely used because it is a simple and effective tool that has many benefits:

• It captures all identified risks
• It is a good visual representation which aids communication
• It facilitates a brainstorming approach that can provide a whole team view
• It provides a simple way for risk prioritize Asian
• It shows individual probability and impact and not just risk exposure
• The levels of risk identified help in selecting the most appropriate actions
• The method gives a basis of measuring overall magnitude of risks to the project

APM risk threats

There are five common strategies for addressing downside risks all threats.

These are applied either individually or in combination:

Avoid.  Avoid the risk and eliminate uncertainty by not doing something or doing it in a different way

Transfer.  Transfer liability or ownership of a risk to someone else such as the client or subcontractor or third party.  Examples here are the use of insurance all back to back contracts

Reduce/mitigate.  If the risk cannot be avoided and is too large to accept, then we must take steps to reduce the probability and/or impact

Accept.  Take it on board and accept the consequences.  The severity/probability of the risk does not justify great effort in managing it

Contingency plan.  Have an alternative plan at hands to implement if the linked risk actually occurs

When the severity of a risk determines that it must be actively managed then the following process should be followed:

• Re-examine the risk to determine its current status and validate the previous evaluation
• Demonstrate the viability of the mitigation plan by value at in the cost of mitigation and comparing with the reduction in exposure
• Decide if the mitigation results in an acceptable level of risk
• If so, decide on who will owned and manage the risk and be empowered to do so.  For any risk, the person who manages that risk should be the person best placed to carry out the appropriate actions

APM risk opportunities

Here are the typical strategies for helping to manage positive risks:

Exploit.  Try and exploit the opportunity by eliminating the uncertainties surrounding that opportunity

Share.  If you do not have the resources to exploit the opportunity yourself, then try to find a partner to share it

Enhance.  Work to increase both the probability and impact of the opportunity

Accept.  Wait and see what happens.

Managing the risks

Each risk has a planned response and must be proactively managed by the person responsible.  In addition, the risk plan needs to be formally reviewed on a regular basis.

The risk situation is bound to change because of the following situations:

• Some risks mature into problems or issues
• Some risks are resolved or to authorize
• Probability/impacts change – either up words or downwards
• New risks arise that were not originally identified
• Project scope changes give rise to risk opportunities

The priority for managing risk is the risk register, and this must be routinely reviewed on a regular basis and when risk events happen.  The overall risk status of the project and the progress of “active” risks will be reported as part of the standard project reporting procedures as defined within the risk management plan and the communications plan.

The benefits of managing risk

On many projects, risks are not actively managed, however as well as being a requirement of good governance, the proper management of risk provide significant benefits:

• Increased understanding of the project leads to more realistic plans and greater probability of delivering to them
• Increased understanding of the risks, least of their minimisation and allocation to the person best situated to manage them
• The understanding of risk helps to determine the most appropriate contract type
• A team view of the risks can lead to more objective decision-making
• Financially and/or technically unsound and risky projects will be discouraged
• There will be a better understanding of the project by stakeholders, leading to increased confidence in its project management
• It focuses management attention on the most significant threats to the project

Drawbacks of managing risk

The risk management cost

Risk management is an overhead requiring are a significant input of effort and cost.  Although this is no different from the input of effort and cost into all planning processes such as scope management and change control, there is one key difference – risk management is about things that may never happen and even if they might, “it won’t happen to me”!

The risk management visibility

Once we have put lots of effort and money into a risk management, the likely result is that it tells us what we didn’t want to know.  We will either have to invest in reducing the risks or accept the project might take a lot longer, nor cost a lot more than we had originally hoped or even show that we should not to the project at all.

Many people have a vested interest in the project and do not wish to hear anything that might endanger it.

APM issue management

In the APM body of knowledge.  They define an issue is a problem that cannot be solved by the project manager.

APM admit that this is not a generally held definition.

A more universal definition of an issue is a problem that requires immediate attention.  Some issues arise out of risk events that had been previously identified, others will come as a complete surprise.

Some issues may necessitate formal changes that require the change control process to be invoked.  Some issues will not cause a formal change but must still be managed.  For example a key resource resigns from the project or a vital piece of equipment breaks down.

It is important to have a formal process in place to manage issues.  If they are caught early they should be easier to be resolved before causing damage to the project’s objectives.

The process is similar to risk management:

Identification.  By their very nature, issues tends to identify themselves

Escalation. At what level in the project/organisation must this issue be addressed for a solution?  Who once the issue?

Monitoring.  The owner monitors the issue and reports on its progress.  An issue log is maintained

Resolution.  The issue is closed when fully resolved to the satisfaction of all parties

Issues can be thought of as risks that were not previously identified or work accepted.

Many issues group risks and issues together and maintain a single risk and issues log