March 21, 2020

By Dave Litten

Risk management approach – the ‘how’ of risk management.

What could possibly go wrong with my project?

That question gets to the heart of what managing project risk is all about. Simple as it is, risk management best practice is often ignored, and failing to manage risk (and failing to create a risk management strategy in the first place) is a major cause of project failure.

It is not good enough to simply say that risks will be managed; what is needed first is an agreed approach to risk management for each individual project. This is the risk management strategy itself.

Surprisingly, the actual approach needed is very straightforward: identify the risks that may threaten your project objectives, then implement some form of management action either to prevent the risk happening in the first place, or to minimize and control its effect if it does.

Risks are normally seen as negative threats, but they can also be positive opportunities. Gambling is an example: the threat is that you lose your stake, whereas the opportunity is that you increase it.

Note that both types are bound together by their impact and probability, and both should be included in the risk management strategy document.

Probability applies to both; the difference is that the impact of an opportunity is positive, while the impact of a threat is negative.

The PRINCE2 definition of risk is ‘an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives’. Put another way, a risk is something that may or may not occur in the future, but if it does it will have some impact (positive or negative) on the project objectives.

The risk management approach

Resist the temptation to start by identifying risks and how you will manage them; the first step is to decide how you will approach and handle the potential risks within your project. This will be different for every project, because the size, importance, complexity and ‘riskiness’ of every project is different. This agreed approach is the risk management strategy.

PRINCE2 uses the risk management approach document to define the risk approach used for a particular project, and this forms part of the project initiation documentation.

‘PRINCE2 is too bureaucratic’. I thought I would get that in first, before we start looking at the contents of a typical risk management strategy document. For small, simple, low-risk projects the following sections may need very little input; possibly one sentence will suffice.

As with all PRINCE2 management documents, for the  risk management strategy ask yourself two questions:

  1. What is the risk to the project of leaving out this particular section, or of including only minimal information?
  2. What is the minimum information needed in this section to provide just enough for management control?

I will now describe the contents of the risk management strategy document and the type of information that is required under each sub-heading:

Risk management approach – Introduction.

This lays down the purpose, objectives, responsibilities and scope of risk management within this particular project. Consider the project management team and other key stakeholders (for example third parties) when defining risk responsibilities.

The scope of risk management is also important, as it clarifies the boundaries of risk management and, by inference, which aspects of risk will need to be managed by others in support of the risk management strategy.

For example, once the end product becomes operational there may still be residual risks which, if they occur, will do so during the product’s operational life. The individual or organisation responsible for managing such risks should be identified within the scope statement.

Risk management approach – Risk management procedure.

If you already have a known risk management procedure within your organisation, it may not be necessary to duplicate it here; merely point the reader to where that information can be found.

PRINCE2 describes its risk management procedure as a sequence of:

  • Identify
  • Assess
  • Plan
  • Implement

These four steps are carried out in parallel with a fifth step, Communicate.

The steps actually represent two activity groups: risk analysis (Identify, Assess and Plan) and risk management (Implement). Looked at this way, once risks have been identified and assessed and their responses planned, each risk action is implemented as a resourced activity, and risk management then consists of monitoring that those actions have the desired effect, correcting them where needed, and reporting the status of risks to management.

Risk management approach – Tools and techniques.

There are many established tools and techniques to assist in risk management, and here are a few examples that you may like to include:

  • The Delphi technique
  • Assumption analysis
  • Influence diagrams
  • Flowchart diagrams
  • Ishikawa diagrams
  • SWOT analysis
  • Tornado diagrams
  • Monte Carlo analysis

Risk management approach – Records.

This describes how risks will be recorded, which is normally done using a risk register for those risks that are formally managed and the daily log for those that are managed informally.

The structure of the risk register and how it is maintained may also be stated here as part of the risk management strategy, if helpful.

Risk management approach – Reporting.

Reporting is also covered within the communication management strategy, and you may decide to describe risk reporting in that document rather than repeating it within the risk management strategy. Including the section here does, however, remind the reader that reporting of risks is vital.

Consider the following aspects to help define the risk reporting approaches within the risk management strategy:

  • Who is the owner of individual risks and what reporting responsibilities do they have?
  • Who is responsible for ensuring that risk responses are carried out?
  • What reports are being used within this project and what aspects of risks should be included?
  • Based on the risk tolerance, to whom should risks be escalated?
  • What form should the risk report take, and should it include the output of any risk tools or techniques?

Risk management approach – Timing of risk management activities.

This section should cover the management control points and the risk management activities to be carried out at each of them. An obvious example is the end stage assessment, where the project’s current risk status forms part of the evidence for making an informed choice about whether or not to continue with the project.

The end stage assessment is also the point at which to ensure that appropriate risk responses are embedded within the next stage plan, with sufficient resources provided for those responses.

The timing section should also cover risk reviews during each stage, as it may be appropriate for formal or informal risk reviews to occur at regular intervals within each stage.

As part of the ‘Controlling a Stage’ process, the project manager regularly reviews the stage status, and such risk reviews can easily be included there and made part of the risk management strategy.

Risk management approach – Roles and responsibilities.

This summarizes who is responsible for each step of the risk management procedure, along with the risk-related responsibilities of the project management team roles.

It also ties together the previous sections (tools and techniques, records, reporting and the timing of risk management activities) by binding each of them to named roles within the risk management strategy.

Risk management approach – Scales.

This is where you decide what scales to use for risk elements such as probability and impact. These are normally numeric and/or descriptive; examples are a 1 to 5 scale, or high, medium high, medium, medium low and low.

The probability-impact grid (P-I grid) belongs here. Although the PRINCE2 manual refers to the plotted result as a summary risk profile, the scales and the grid they define form an important part of a risk management strategy.

Risk management approach – Proximity.

Proximity is the time from the present day to the point at which an individual risk could occur. Put another way, it describes how soon a risk can happen.

Proximity within the risk management strategy may be stated in days, weeks or months, or in terms of within the current stage, within a future stage, within the project, or during the product’s operational life.

By the very nature of individual risks, some proximities will be date-specific, while others will always fall a fixed interval after the risk’s root cause occurs.

Risk management approach – Risk categories.

Categorizing risks can be helpful in determining risk owners and in risk reporting. There are as many possible sets of risk categories as there are environments in which projects are run. Examples may be:

  •   ‘SMART’ categories
  •   Technology
  •   Customer
  •   Project management
  •   The customer’s customers
  •   The suppliers
  •   Organizational risks
  •   External risks
  •   Resistance to change
  •   Lack of knowledge of project management
  •   Stakeholder-caused risks
  •   Sponsor-caused risks
  •   Cultural risks
  •   Schedule risk
  •   Cost risk
  •   Quality risk
  •   Performance or scope risk
  •   Resources risk

Risk management approach – Risk response categories.

PRINCE2 suggests nine response categories covering both threats and opportunities (‘share’ applies to both).

Which response you choose should be based on a balance between the cost and time invested in a particular response and the probability, impact and resulting severity of the risk. The basis for making that choice should be included within the risk management strategy.

Risk responses for threats are:

  • Avoid
  • Share
  • Reduce
  • Accept
  • Fallback (contingent action)
  • Transfer

Risk responses for opportunities are:

  • Share
  • Enhance
  • Exploit
  • Reject

Risk management approach – Early warning indicators.

Early warning indicators may relate to individual risks (in which case they are more likely to be recorded in the risk register against that specific risk), or to the project as a whole.

There are various techniques for determining an aggregated risk level, and these are often expressed numerically. In combination with risk categories, such aggregated risk levels and their current numerical values may be monitored against an agreed maximum.

Such agreed maximums may then be used as an early warning indicator that triggers some predefined action.

Probability and impact metrics are likely to serve as early warning indicators, as is the measured effectiveness of risk response actions.

Risk management approach – Risk tolerance.

Similarly, risk tolerance bounds (expressed as plus or minus limits against forecasts) are an important PRINCE2 management control and hence part of the risk management strategy; they represent the point at which a risk situation must be escalated to the next management level.

Some risks may have zero tolerance and so any deviation must be reported immediately.
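The scales, early warning indicator and tolerance sections above describe a mechanism without showing it working. The following is an added example, not code from the original article or from PRINCE2: a small risk register scored on a 1 to 5 probability and impact scale, from which it builds the P-I grid (summary risk profile), an aggregated threat level per risk category as an early warning indicator, and a list of escalations driven by a per-risk severity tolerance, per-category agreed maximums and zero-tolerance categories. The scale labels, the tolerance figures, the choice to order escalations by proximity (soonest first) and the five sample risks are all assumptions constructed for illustration, not PRINCE2 prescriptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed descriptive labels for the 1-5 scale (an illustrative mapping).
SCALE_LABELS = {1: "low", 2: "medium low", 3: "medium", 4: "medium high", 5: "high"}


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    category: str
    kind: str              # "threat" or "opportunity"
    probability: int       # 1..5 on the agreed scale
    impact: int            # 1..5 magnitude; the sign comes from kind
    proximity_days: int    # how soon the risk could occur

    def __post_init__(self):
        # Reject entries that are off the agreed scales rather than mis-scoring them.
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"{self.ident}: kind must be threat or opportunity")
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if value not in SCALE_LABELS:
                raise ValueError(f"{self.ident}: {name} {value} is off the 1-5 scale")

    @property
    def severity(self) -> int:
        """Probability x impact: negative for threats, positive for opportunities."""
        magnitude = self.probability * self.impact
        return -magnitude if self.kind == "threat" else magnitude


def summary_risk_profile(risks):
    """The P-I grid: cell (probability, impact) -> ids of the risks plotted there."""
    grid = defaultdict(list)
    for r in risks:
        grid[(r.probability, r.impact)].append(r.ident)
    return dict(grid)


def aggregate_threat_level(risks):
    """Early warning indicator: summed threat severity per risk category."""
    totals = defaultdict(int)
    for r in risks:
        if r.kind == "threat":
            totals[r.category] += -r.severity
    return dict(totals)


def escalations(risks, severity_tolerance, category_maximums, zero_tolerance=()):
    """Return (subject, reason) pairs that must go to the next management level.

    severity_tolerance: per-risk threat severity at or above which to escalate
    category_maximums: agreed maximum aggregated threat level per category
    zero_tolerance: categories in which any threat is escalated immediately
    """
    found = []
    for r in sorted(risks, key=lambda x: x.proximity_days):   # soonest first
        if r.kind != "threat":
            continue
        if r.category in zero_tolerance:
            found.append((r.ident, f"zero tolerance for {r.category} risks"))
        elif -r.severity >= severity_tolerance:
            found.append((r.ident, f"severity {-r.severity} >= tolerance {severity_tolerance}"))
    for category, level in aggregate_threat_level(risks).items():
        maximum = category_maximums.get(category)
        if maximum is not None and level > maximum:
            found.append((category, f"aggregated level {level} exceeds agreed maximum {maximum}"))
    return found


# Constructed sample register (illustrative only; not taken from any real project).
SAMPLE_RISKS = [
    Risk("R1", "Key supplier misses delivery date", "Suppliers", "threat", 4, 4, 30),
    Risk("R2", "Payment gateway API deprecated mid-build", "Technology", "threat", 2, 5, 90),
    Risk("R3", "Regulator changes reporting rules", "External", "threat", 3, 2, 120),
    Risk("R4", "Lead tester leaves", "Resources", "threat", 2, 3, 45),
    Risk("R5", "Vendor offers discount for early sign-up", "Suppliers", "opportunity", 3, 2, 14),
]

if __name__ == "__main__":
    # Assumed control settings: escalate any threat scoring 15 or more,
    # cap the Suppliers category at 10, and treat External risks as zero tolerance.
    for subject, reason in escalations(SAMPLE_RISKS, 15, {"Suppliers": 10}, zero_tolerance=("External",)):
        print(f"escalate {subject}: {reason}")
```

With the settings in the usage block, R1 is escalated on its own severity (16), R3 because its category is zero tolerance, and the Suppliers category as a whole because its aggregated level (16) exceeds the agreed maximum (10); R2 sits just under the per-risk tolerance and the opportunity R5 is never escalated as a threat. Changing the tolerance figures is all that is needed to see which risks the project board would or would not hear about.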

Risk management approach – Risk budget.

Setting a risk budget is optional in PRINCE2. A risk budget provides the funding for both the management of risks and the response actions taken against them within a project.

Since a risk budget is not mandatory, if you choose not to have one in your project, the risk management strategy should describe how risk management and risk responses will be funded from within the project budget.

This section should include not only the value of the risk budget but how it is to be managed. Examples are that the whole risk budget is given to the project manager, that the project board owns and manages it, or that some form of steering group manages the budget on behalf of the project board.

In the latter case, some ‘rules of engagement’ need to be determined, such as the steering group managing only small risks, or a maximum monetary value on the portion of the risk budget delegated to them. The inference is that the project board manages the largest and most expensive risks.


Dave Litten

David spent 25 years as a senior project manager for USA multinationals, and has deep experience in project management. He now develops a wide range of Project Management Masterclasses, under the Projex Academy brand name. In addition, David runs project management training seminars across the world, and is a prolific writer on the many topics of project management.

The Projex Academy
