All projects bring with them an element of risk. Even in the best-planned projects there are uncertainties, and unexpected events can always occur: for example, project staff might leave unexpectedly, the budget might suddenly be cut, or a fire or theft might affect the project's progress.
The majority of risks are, however, related to the fact that your plan is based on estimates, and they are therefore manageable. Risk management is a mechanism to help you predict and deal with events that might prevent project outcomes being delivered on time.
You will undertake an initial risk assessment as part of starting up the project. Basically you are asking the questions:
- What could possibly happen to affect the project?
- What is the likelihood of this happening?
- How will it affect the project? and
- What can we do about it?
The sort of areas you will be looking at for associated risks are:
- The activities along the timeline and any threats to completion and to timescales
- The project components: people, equipment, infrastructure requirements, other resources
- Dealings with contractors and suppliers
- Other projects that might have an impact
- Organisational changes that might take place during the project
- Outside influences that might affect the project such as changes in funding, government policy or the requirements of a funding body
The greatest risk often occurs where there is some sort of interface. This may be an interface between systems, departments, processes or organisations.
The assessment of likelihood of the risk occurring and potential impact if it does occur will come from the experience and knowledge of project stakeholders and others consulted during the risk analysis process. In other words, identifying risks is best done as a team effort. People with different skills, experiences and specialisms will see individual risks differently and you want a balanced, rather than a biased, analysis.
You can think of risks in terms of a matrix:
Your greatest effort will be focussed on addressing the risks that are most likely to occur and those that will have the biggest impact if they do occur.
You will need to maintain a risk log or register. This should record:
- A description of the risk
- The likelihood of the risk occurring
- The potential impact of the risk
- Details of mitigating actions to be taken
- Identification of any early warning signs that indicate the risk is about to occur
- The risk owner
- Details of any contingency plans where applicable
To manage risk effectively, it is important that each risk is allocated to an identified owner. This should be someone within the project team whose responsibility it is to keep an eye on the situation and ensure that the necessary mitigating actions are actually carried out.
Responses to the initial risk assessment may include:
- Risk transfer – move the risk to someone more able to deal with it, eg contract out the supply and support of the hardware infrastructure
- Risk deferral – alter the plan to move some activities to a later date when the risk might be lessened, eg wait till a statutory change has ‘bedded-in’ before changing a related process
- Risk reduction – either reduce the probability of the risk occurring or lessen the impact, eg increase staffing resource on the project
- Risk acceptance – sometimes there’s not a lot you can do other than accept the risk and ensure that contingency plans are in place
- Risk avoidance – eliminate the possibility of the risk occurring, eg use alternative resources or technologies
Managing risk is an ongoing process. The nature of the risks you are facing will alter as the project progresses, eg staff recruitment may be a big issue at the start of a project, whereas staff retention is the issue as the project draws near to an end. At the very minimum, you should review your risk assessment and management plan at each stage boundary before moving into the next stage of the project.