Paper about Risk Management and its process

1. Maria Gomez | 1
Risk Management
Gray (2010, 211) defines Risk as “an uncertain event or condition that, if it occurs, has a positive or
negative effect on project objectives”, where uncertain means something that could happen but we
are not sure about it.
Dealing with these uncertain events is what is called Risk Management and the Project Manager is
the one responsible for it. Meredith (2010, 205) quoted the PMBOK Guide and define risk
management as “the systematic process of identifying, analysing and responding to project risk”.
Having a well prepared risk management plan is one of the factor that help a project to end
successfully. In every project's life cycle we can find situation where the reality was not even close
of what the plan says, and the project manager must be able to deal with the situation and/or
mitigate the consequences where possible.
Risk Management process
Identification
This phase is intended to identify and list the risks (as many as possible) that can be found in a
particular project. A project is such an independent and unique entity there is no literature or past
experiences (although they always help) that can provide the project manager with a list of “most
common” risks (Maylor, 2010, 218-232). Therefore it is necessary to hold some kind of
brainstorming meeting involving team's members, clients and/or stakeholders to identify potential
risks.
Some of the tools use during these meetings are:
• Risk Breakdown Structures (RBSs): this model is based on the Work Breakdown Structure
(WBS), used in the planning stage to organized the work to be done in order to success in
the project. Following the same structure, a RBS would define all the areas where risks are
likely to appear from a general point of view and going down as many levels as necessary
increasingly detailing these areas (Hillson, 2002). These approach is more useful and easier
to implement when the project has been planned used a WBS, as consulting the latter will
help avoiding a risk event to be missed (Gray 2010, 212-234).
Jan 2011

2. Maria Gomez | 2
• Risk Profile: this is defined as a list of question to be hand in to the stakeholders that are
based in previous experiences and refer to common areas of a project where risk are more
likely to appear. These questions came normally from a Risk Management Data Bank, “a
permanent record of identified risks, methods used to mitigate them, and the result of all risk
management activities” (Meredith 2010, 207).
Analysis
In this stage the Project Manager has to analyse and prioritise the list of risks produced in the
previous stage. Normally a good place to start is by assessing for each risk:
• How likely the event to occur
• What the impact would be if the event occurs.
There are quite a few methods or techniques to do this. Maylor (2010, 223-232) divided them into
two different approaches:
Qualitative Approach
Analysing every risk in terms of the two elements cited before (likelihood and impact) is the first
step to take. The scale for each of them may vary and be specific for each project, but in general
these tend to be numeric, going from 1 (very low probability / impact”) to 5 (very high probability /
impact) . One way of representing is known as “Risk Severity Matrix” (Fig 1). Normally this matrix
is generic for each organization, so the Project Manager only needs to allocate each event in their
correct cell.
Figure 1: Risk Severity Matrix (NASA, 2009)
Jan 2011

3. Maria Gomez | 3
As an extend of this method we have Failure Mode and Effect Analysis (FMEA), where we need to
include to the above data a new variable: Detection difficulty, which can be defined as “the ability
to detect a failure associated with each cause” (Meredith, 2010, 208). This new parameter needs to
be scale as the other two. Once we have all the number, we can calculate the Risk Priority Number
(RPN) for each event by using the equation: Severity x Likelihood x Difficulty.
Quantity Approach
We are talking here about statistical techniques that help by assessing the project's risk. This
techniques may be mandatory for some project before they start as some companies or public
organizations tend to decide if a project is worth to be execute based on the outcomes of these
techniques. These techniques normally are executed by using simulation software. One of the most
popular is called PERT (Program Evaluation and Review Technique) and it can be used to asses the
overall risk of the project (Gray 2010, 219).
Plan
The third step in the Risk Management Process is to decide what the response would be for each
risk. These can be classified in 4 groups (Gray 2010, 219-229):
Mitigate
There are two strategies to mitigate a risk and these are based on the parameters we have used to
identify the risks:
• Reduce the probability of the event to occur
• Reduce the impact that the event can have in the project
Avoid
This implies removing the task that may cause the event. Obviously this cannot be the solution for
all the risks as some of the tasks causing risks are essential for the project.
Transfer
This means to outsource the activities involve in the risk. The chosen third party will assume the
responsibility of the risk if it occurs so it will not necessary mean that the risk will disappear.
Jan 2011

4. Maria Gomez | 4
Retain
This involves accepting the loss or gain when the risk occurs. It is although necessary to have a
contingency plan to be implemented when the risk falls into this category. This plan should include
a detailed list of actions to be taken. Examples of this can be having a list of alternative suppliers or
having a contingency fund.
Monitoring
Finally and once the project has started the Project Manager needs to constantly monitor the tasks
where the risks are likely to occur and update the plan with new risks or any modification on the
existing ones. It is useful to have what it is called a Risk Register which normally contains a list of
the risks with description and the rest of the data that have been collected and calculated in the
previous steps (likelihood, impact, response plan, etc.) (Maylor 2010, 222).
Jan 2011

5. Maria Gomez | 5
References
- Gray, C., 2010. Project management : the managerial process 5th ed., Dubuque Iowa ;London:
McGraw-Hill Contemporary Learning; McGraw-Hill [distributor].
- Hillson, D., 2002. Use a Risk Breakdown Structure (RBS) to Understand Your Risks. Available at:
http://www.risk-doctor.com/pdf-files/rbs1002.pdf [Accessed January 22, 2011].
- NPR 8553.1B - NASA Environmental Management System - Chapter3: Planning. Available at:
http://nodis3.gsfc.nasa.gov/displayDir.cfm?
Internal_ID=N_PR_8553_001B_&page_name=Chapter3 [Accessed January 23, 2011].
- Maylor, H., 2010. Project management 4th ed., Harlow England; New York: Financial Times
Prentice Hall.
- Meredith, J., 2010. Project management : a managerial approach 7th ed., Hoboken N.J.: Wiley.
Jan 2011