CHAPTER 13
Managing Risk
A RISK IS AN UNCERTAIN EVENT or condition that, if it occurs, has a positive or negative effect on the project objectives (scope, schedule, or budget). All projects have a certain degree of risk that needs to be managed. The project manager determines where risks are likely to affect the project, makes contingency plans for them, and responds to them when they occur.
The risk management plan, evolving throughout the planning process, incorporates (1) risk identification; (2) qualitative and quantitative assessments; (3) strategies for prevention, detection, and mitigation of loss; and (4) recovery and restoration of functions.
Projects are investments and the project manager is responsible for achieving specific benefits within targets of time, cost, asset utilization, and resource utilization. However, every investment comes with risks. No one can predict with certainty the source, timing, significance, or impact of problems.
This chapter describes the risk management processes of identifying, analyzing, and responding to project risk. The purpose of risk management is to maximize the results of positive events and minimize the results of adverse events.
Identifying Risk
The first step in developing a risk management plan is to identify the potential risk events.
Considering Possible Sources of Risk
The following are major categories of risk:
Technical: new breakthroughs, design errors or omissions
Administrative: processes, procedures, changes in roles or responsibilities
Environmental: culture of the organization, change in management or priorities, office politics
Financial: budget cuts, cash flow problems, corporate unprofitability, unchecked expenditures, changing economic conditions
Resource availability: specialized skills or critical equipment not available
Human: human error, poor worker performance, personality conflicts, communication breakdown
Logistical: inability to deliver materials or work face-to-face
Governmental: legislated regulations
Market: product failure in the marketplace, change in consumer expectations, new competitor products
Determining Likely Risks
To identify potential risks, simply ask, “What could go wrong?” Review the work breakdown structure for the project, the cost estimates, and resource plans and consider what might happen that could cause any aspect of the project to deviate from the plans. Define specific risk events and describe what specifically might go wrong. For example, ground breaking may be delayed because of legal problems in securing the building permit. Describe the effect of each potential event. Identify what would cause the risk event to happen (often called triggers) and describe any conditions or signs that may warn you of the impending event.
Consider both internal and external events that could affect the project. Internal events are things under the control of the project team, such as work assignments or cost estimates. External events are things beyond the influence of the project team, such as technology shifts or changing economic conditions.
We typically think of risk as a negative event that causes harm or loss to the project. However, risk events can also include opportunities with positive outcomes. A change in economic conditions may increase the available labor force and allow you to hire more workers to complete the project sooner. Although a potentially positive outcome, you need to assess the impact on the project schedule and cost plans and determine your course of action.
You can never anticipate all possible risks, nor should you expend the effort to try to identify every conceivable problem. Simply identify those that are fairly likely. The cost of prevention should never exceed the cost of impact should the potential problems actually occur!
Conducting Ongoing Risk Identification
Risk identification is not a onetime event. Economic, organizational, and other factors will change during the course of the project that may bring to light additional sources of risk. Risk identification should first be accomplished at the outset of the project, and then be updated on a regular basis throughout the life of the project.
Assessing and Prioritizing Risk
Once you have identified the potential risk events to be included in the plan, the next step is to estimate the probability of occurrence and determine the impact if the event were to occur.
You may wish to give greater analysis to potential risks associated with activities on the critical path, since a delay in these activities is more likely to delay the final outcome of the project. Also give attention to points in the network where activities converge, because these tend to have a greater degree of risk.
For each potential risk event, estimate its impact on the time, cost, scope, quality, and resources. Remember that a single risk event could have multiple effects. For example, the late delivery of a key component could cause schedule delays, cost overruns, and a lower-quality product.
To help prioritize the potential risks, categorize them in two dimensions: likelihood (or probability of occurring) and the consequences (impacts). Document the results in a table such as that shown in Figure 13-1. Focus primarily on risks with high impact and a high probability of occurring. Appearing in the top-right quadrant, these are critical risks that are more likely to happen and would have a serious consequence if they do.
In a highway construction project, potential equipment breakdowns may be one such risk. The impact is great because construction stops without functioning equipment. You can influence the probability of such breakdowns by using reliable equipment and having good preventive maintenance plans.
Figure 13-1 Risk Probability vs. Impact.
Next, focus on risks with high impact but low probability. These appear in the top-left quadrant. In our example of a highway construction project, such a risk may be the threat of a union strike over a requested pay raise.
Such a potential risk has great impact because it would halt construction. But if there is a low probability of the union calling a strike, you could delegate this potential problem to company management and union representatives.
Contingency plans should be made for these types of risks because of their high impact.
Of lesser priority are the risk events that fall in the bottom two quadrants because their impact on the project is low. An example of a risk that may appear in the bottom-right quadrant (low impact but high probability) is late delivery of trees and bushes for landscaping along the roadside. The impact is low because traffic may begin using the highway even if the landscaping is not yet completed. Your contingency plan may be to have an alternate vendor in place, ready to deliver the trees and bushes if the primary vendor fails.
Finally, consider the potential risk events in the bottom-left quadrant (low impact and low probability). An example of such a risk may be the late arrival of permanent signs for the highway. The probability of failure on the part of an experienced vendor may be low. The impact is also low because you can continue to use the temporary signs until the permanent ones are installed.
Along with these two factors of impact and probability, also consider your ability to do something about the potential risks, either in preventing them from happening or in responding to their impact when they do happen.
Responding to Risk
The purpose of risk response is to minimize the probability and consequences of negative events and maximize the probability and consequences of positive events.
Planning Responses to Risk
A response plan should be developed before the risk event occurs. Then, if the event should occur, you simply execute the plan already developed. Planning ahead allows you the time to carefully analyze the various options and determine the best course of action, so you are not forced to make a quick and perhaps not well-thought-out response to a threatening situation.
Possible Responses to Risk
In developing a response plan, consider ways to avoid the risk, transfer it to someone else, mitigate it, or simply accept it.
Avoiding. It may be possible to eliminate the cause and, therefore, prevent the risk from happening. This may involve an alternative strategy for completing the project. For example, rather than assigning work to a new, less expensive contractor, you may choose to reduce the risk of failure by using a known and trusted contractor even though the cost may be higher. You can never avoid all risk, but you can try to eliminate as many causes as possible.
Transferring. It may also be possible to transfer some risk to a third party, usually for the payment of a risk premium. For example, you can avoid the chance of a cost overrun on a specific activity by writing a fixed-price contract. In such a case, the contractor agrees to complete the job for a predetermined (higher) price and assumes the potential consequences of risk events. If the risk is low, you could choose to accept the risk and write a cost-plus contract, paying the contractor only the actual costs plus a predetermined profit. Other examples of risk transference include the purchase of insurance, bonds, guarantees, and warranties.
Mitigating. Mitigation plans are steps taken to lower the probability of the risk event happening or to reduce the impact should it occur. For example, you can reduce the likelihood of a product failure by using proven technology rather than cutting-edge technology. Mitigation costs should be appropriate to the likelihood of the risk event and its potential impact on the project. Some mitigation strategies may not take a lot of effort but may have large payoffs in eliminating the potential for disaster. On a project with a tight deadline, the risk of delayed delivery of raw materials may be disastrous. If two vendors can provide materials at essentially the same price, but one has a much larger inventory and a significantly better history of on-time delivery, choosing the vendor with the better track record may be an easy mitigation strategy with a potentially large payoff.
Accepting. When there is a low likelihood of a risk event, when the potential impact on the project is low, or when the cost of mitigation is high, a satisfactory response may be to accept the risk. For example, midway into a project to reengineer a manufacturing plant to increase efficiency and output, the economy moves into a recession. The company chooses to proceed with the project anyway and accept the risk that lower sales may reduce the return on investment below what was expected.
Developing a Response Plan
After considering the options of avoiding, transferring, mitigating, or accepting the risk, the outcome of response planning is a risk management plan, contingency plans, and reserves. The risk management plan documents the procedures that will be used to manage risk throughout the project. It lists potential risk events, the conditions or signs that may warn of the impending event, and the specific actions to be taken in response. Contingency plans describe the actions to be taken if a risk event should occur. Reserves are provisions in the project plan to mitigate the impact of risk events. These are usually in the form of contingency reserves (funds to cover unplanned costs), schedule reserves (extra time to apply to schedule overruns), or management reserves (funds held by general management to be applied to projects that overrun).
After identifying your plans to avoid, transfer, mitigate, or accept the risk, you may need to add specific activities to the work breakdown structure and other plans.
Acting on the Response Plan
The project manager and other team members monitor the project throughout its life, looking for triggers and signs that may warn of impending risk events. When risk events happen, corrective action identified in the risk management plan is taken.
When an unplanned risk event occurs, a response must be developed and implemented. This is often called a workaround. After the response is implemented, the risk management plan should be reviewed and updated if necessary. It may also be necessary to adjust other project plans or the basic project objectives.
As changes in the project occur, it may be necessary to repeat the steps of identifying, assessing, and planning responses to risk.