Project risk management includes the processes of planning, identification, analysis, response planning, and risk monitoring and control. The purpose of project risk management is to increase the likelihood and impact of positive events and to reduce the likelihood and impact of negative project events.
Project risk management processes include:
Risk Management Planning – The process of determining how project risk management activities will be performed.
Risk Identification – The process of determining which risks may affect the project and documenting their characteristics.
Qualitative Risk Analysis – The process of prioritizing risks for future analysis, as well as actions to assess the likelihood of occurrence and their impact on the project.
Quantitative Risk Analysis – The process of quantitatively and quantitatively analyzing the effect on the project when the risk occurs.
Response Planning – The process of developing options and actions to enhance opportunities and reduce threats to project objectives.
Risk Monitoring and Control – The process of implementing planned responses, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating the project's risk management processes.
Risk Management Procedure
Risk management is an ongoing, proactive process consisting of several steps, including regular reporting.
Identification of risks
Risk identification is the process of determining which risks may affect the project and documenting their characteristics. Participants in the identification process are the project manager, members of the project team, experts outside the project team, and others.
Risk identification is an iterative process, as new risks may emerge or existing risks become known throughout the project cycle. The frequency of iterations and the participants in the process depend on the specific situation. The minimum frequency of identification is for each stage of the project. Reference: "Risk in projects and organizations is never 100 percent planned", https://managerspost.com/risk-in-projects-and-organizations-is-never-100-percent-planned/
The following documents will be used to identify risks in the project:
- Scope Management Plan
- Communication Management Plan
- Human resource management plan
- Corporate practices
- Materials and documents for the processes
The techniques that will be used to identify the risks are:
- View Documentation
- Information gathering techniques
- Analysis of checklists
- Assumption analysis
- Graphical presentation techniques
- Analysis of strengths and weaknesses
- Expert evaluation
Identified risks are entered in a project risk register.
Qualitative risk analysis
Qualitative risk analysis assesses the priority of the risks identified and recorded in the register, taking into account the likelihood of the risk occurring, the degree of impact on the project objectives, as well as other factors such as response time, accepted risk tolerance, and accepted constraints of the project - price, plan - schedule, scope, and quality. Reference: “Project risk management“, https://bvop.org/learn/pmriskmanagement/
Qualitative risk analysis will be performed throughout the project to keep up-to-date with changes in project risks. Qualitative risk analysis can proceed to quantitative analysis or directly to response planning.
The qualitative risk analysis is registered in the risk register.
Quantitative risk analysis
The quantitative analysis is performed on the risks that are prioritized in the qualitative analysis as significant for the successful implementation of the project. Through this process, numerical expressions of the effect of the occurrence of the risks are given - for a specific risk or in general. Quantitative information provides input to risk management decisions.
Quantitative analysis should be repeated after response planning and also during risk monitoring and control.
The quantitative risk analysis is registered in the risk register. Read more: “What is Project Risk Management“, https://www.policymatters.net/what-is-project-risk-management/
Response planning includes determining a specific person - responsible for the implementation of response actions when the risk occurs. Response planning will be done for risks, depending on their priority.
Response activities are included in the project schedule, project budget, and management plan.
Planned responses must be appropriate, depending on the significance of the risks, cost-effective, realistic in the context of the project, and agreed between teams and with a specific responsible person assigned. Responses must be timely. Further reading: “Risk management plan and analysis: a real example“, https://www.businesspad.org/risk-management-plan-analysis-example/
Planned responses lead to:
- Risk register updates
- Risk-related contract decisions
- Updates to the project management plan
- Update of project documents
- Risk monitoring and control
- The project must be constantly monitored for new, changed, or abandoned risks.
Risk monitoring and control using techniques such as deviation and trend analysis that require the use of performance information. Another purpose of the process is to determine whether:
the design assumptions are valid;
the assessed risks have changed or disappeared;
risk management policies and procedures are followed; Reference: “Methodology for risk assessment and project risk management“, https://www.mmrls.org/methodology-for-risk-assessment-and-project-risk-management/
Monitoring and controlling risks includes selecting alternative strategies, implementing a backup plan, implementing corrective actions, and modifying the project plan.
The project manager periodically reports to the Management Board on the effectiveness of the risk management plan, unexpected effects, and the need for adjustments necessary for adequate risk management.
Risk Management Organization
The risk register is updated periodically, based on reported risk information, issues, current status, and recommendations. All identified risks are entered in the register. Qualitative analysis is performed for all identified risks.
For each risk, the probability of occurrence, the impact of the risk, and the degree of criticality are determined as follows:
Risk impact is categorized on a scale of 1 to 10
- 1 = negligible influence
- 10 = high influence.
- The probability of risk occurrence is categorized on a scale from 0.1 to 1
- 0.1 = 10% probability of the event occurring
- 1.0 = 100% probability of the event occurring).
The degrees of criticality is calculated:
From the impact and probability of the risk
Criticality = Probability * Impact
Depending on the calculated Degree of Criticality, the priority of the risk is determined as follows:
Low-priority risks are classified in the "watch" register.
Risks of medium priority are not managed but are classified in the "watch" register.
High-priority risks should be monitored, analyzed and, if necessary, managed.
Critical priority risks must be managed.
In risk management, the following time types are used for risks:
Permanent – permanently valid
Future - the possibility of appearing after time
Current - currently active
Silenced - no activity at the moment, but with the possibility of a new appearance
Lapsed – active in the past, but with no chance of reappearance
The Project Manager is responsible for the overall risk management process. He is assisted by a risk management board, which includes:
Representatives of the Contracting Authority;
subject matter experts;
representatives of the project sponsor.
Each team member participates in the risk identification process. Qualitative risk analysis is performed by the risk management board. Quantitative risk analysis and response planning are performed by the Project Manager assisted by the Risk Management Board. To perform quantitative analysis and response planning, the project manager may use external experts in the specific project area.
Monitoring and control of risks are carried out by the risk management board.
At each meeting of the Management Board, and if necessary, more often, the project manager reports the status of project risks. The risk register is available to all interested parties.