Is continually reevaluating the risks that
have been defined and identifying new ones.
Risk management is both a planning and a
managing activity. It is not enough to set down some risks
at the start of the project and then ignore them. You must
manage them.
Managing risks means continually reevaluating
the risks that have been defined and identifying new ones.
There are three main mechanisms for managing project risks;
since they are only potential problems, they are lower in
priority than real ones. Therefore to manage risks, you must
ensure that they are an overt part of the project team's,
and your, consciousness.
All team members must be aware of the risks
that have been identified and awake to situations that
affect them.
To keep risks visible, devote part of each team meeting to a
"risk review" in which the risks are addressed one by one,
and team members are instructed to comment on any thing that
affects each risk. The purpose of the risk review is not to
take action; it is to identify what risks, if any, have
changed. The risk review also uncovers new risks as team
members become attuned to dangerous situations.
Your project status report should include a
section entitled "Risk Review" in which you report on risks
that have become more, or less, probable or serious.
By regularly reporting risks, you are also able to prepare
management for unpleasant news so that it does not come as a
surprise.
Project manager reflection is thinking time
apart from the daily activities of the project. Devote part
of that thinking time to reviewing existing risks and
identifying new ones.
Prepare a risk management work sheet, similar
to the one in Table 2.1.
The sample work sheet contains a short name
of the risk to be used in status reports or risk reviews, a
longer description, and a table to track how the risk has
changed. When a risk has been eliminated, enter "Resolved"
under "Comments." The risk management work sheet keeps the
risks visible.
What If others claim that you have overstated
the risks?
You may be faced with complacency on the part of the client
or an unwillingness to plan for problems.
This becomes serious when the client refuses to expend
resources to mitigate a risk that you see as high or extreme
2.1
Actions
2.1
Actions
Seek other, less expensive mitigation
procedures
that you can use to reduce the risk to some
extent.
Document your reasons for categorizing the
risks as you did.
Statethe probability and describe the impact
in graphic terms. Present your analysis to the
steering committee and request the resources you need to
mitigate the risk.
Table 2.1: Risks management worksheet
Risk Management Worksheet
Project :
_______________________ Date : ______
Short name of the risk :
Description of the risk:
Date
Comments
Probability
Impact
Degree
If
you are not given the resources you requested, alert your
management to the danger and ask if they can apply leverage
to the client.
Plan the actions
you will take if the risk materializes.
You could be faced with a large number of
high or extreme risks, all of which require effort and
action. You could also be led into mitigation procedures
that are excessive, expensive, and time-consuming.
If the risk assessments of others lead to a
large number of high or extreme risks, ask the complainants
whether they really believe the project is this risky and,
if so, whether it should be undertaken. Most people will
back down and acknowledge that things are not as risky as
they have made out.
Honor the risk assessment from others
who are knowledgeable, but do not be intimidated into
abandoning your own view of the risk. You will encounter
people who will claim, usually loudly, that a risk is
"unacceptable" and cannot be mitigated except by the most
extreme safeguards.
If your experience and that of others on your team tells you
that this opinion is alarmist, respect the risk, but prepare
your plans based on a more reasonable assessment.
ý
2.2
Identifying Risk
and Risk Classification
A hazard chance of bad consequence
Business Risks
Insurable Risks
Lead to loss only
and are caused by external, unpredictable
factors
2.2 Identifying
Risk and Risk Classification
Risk can be
defined as: hazard chance of bad consequence or loss
exposure to mischance.
This definition captures the essence of project risk, except
that it implies that things are only expected to go wrong.
On projects, some risks carry an inherent chance of
profit or loss, and some carry a chance of loss only. The
former are called business risks and the latter insurable
risks.
2.2.1 Business Risks
The majority of risks are business risks.
That is true for any part of the operation, but especially
for projects. On a project, business risks may include:
response of the market to a product; inflation weather or
the performance of technology and resources. The manager's
role is to increase the chance of profit and reduce the
chance of loss. However, the expectation is that, on
average; the risks will turn out worse than better because
although the likelihood of profit and loss may be the same,
the maximum, possible loss is very much greater than the
maximum profit. The weather may be kind as often as it is
unkind. However, bad weather can stop work completely or
even destroy previous work, but good weather seldom allows
work to proceed at double the normal pace.
2.2.2 Insurable Risks
Insurable risks lead to loss only, and are
usually caused by external, unpredictable factors.
These are called insurable. But it is not always possible to
find a company to provide cover. For example, war and civil
disturbance are insurable risks, but are excluded from most
policies. Insurable risks fall within four areas:
·
Direct property damage
·
Consequential loss
·
Legal liability
·
Personal loss.
Direct damage can be to the facility, or to
plant and equipment being used in its delivery, and may be
caused by fire, bad weather, or damage during
transportation. Consequential loss is lost production
arising from the facility's being unavailable due to direct
property damage. It may be lost revenue or the cost of
providing temporary cover. Legal liability may arise from
damage to property or injury to a third party, or may be due
to the negligence of others. It will also cover liability
under a contract for the failure of the facility to perform
either because it is late or because it fails to meet its
specification. Finally, there is the risk that members of
the team may suffer injury arising directly from their work
on the project.
ý
2.3
Definition of Persuasion
2.3 Risk
Management
Risk management is the process by which the
likelihood of risk occurring or its impact on the project is
reduced.
It has five steps:
1-
Identify
the potential sources of risk on the project.
2-
Determine
their individual impact, and select those with a significant
impact for further analysis.
3-
Assess
the overall impact of the significant risks.
4-
Determine
how the likelihood or impact of the risk can be reduced.
5-
Develop
and implement a plan for controlling the
risks and achieving the reductions.
Identifying Risk
Where control of risk lies
2.3.1 Identifying Risk
One way of classifying risk is by
where control of the risk lies.
However, project managers must have the right mental
attitude to risk, and expect risks where they are
least expected. In that way, they will be better
able to respond to risks as they occur.
They must also be aware that exposure
to risk can vary throughout the project management
life cycle.
Classifying Risks
Five classifications according to
where control lies
2.3.2 Classifying Risks
There are five classifications of
risk according to where control lies:
a)
External Unpredictable:
These
are risks beyond the control of managers or their
organizations, and are totallyunpredictable. They can be listed, but we
cannot say which will be encountered on a given
project. They arise from the action of government,
third parties, or acts of God or from failure to
complete the project due to external influences.
Government or regulatory intervention can relate to
supply of raw materials or finished goods,
environmental requirements design or production
standards or pricing. Many projects have been killed
by the unexpected requirement to hold a public
enquiry into environmental impact. Whether a change
of government at an election falls in this or the
following category is a moot point. Action of third
parties can include sabotage or war, and acts of God
are natural hazards such as an earthquake, flood, or
the sinking of a ship. Failure to complete can arise
from the failure of third parities to deliver
supporting infrastructure of finance, or finance, or
their failure through bankruptcy, or a totally
inappropriate project design. By their nature, these
risks are almost all "insurable risks."
b)
External Predictable Uncertain:
These
risks are beyond thecontrol of managers or their organizations.
We expect to encounter them, but we do not know to
what extent. There is usually data that allow us to
determine a norm or average, but the actual impact
can be above or below this norm. There are two major
types of risk in this category: the first is the
activity of markets for raw materials or finished
goods, which determines prices, availability and
demand; the second is fiscal policies affecting
currency, inflation and taxation. However, they also
include operational requirements such as
maintenance, environmental factors such as the
weather, and social impacts – all are business
risks.
c)
Internal Technical: These
risks arising directly from the technology of the
project work of the design construction oroperation of the facility or the design of the
ultimate product. They can arise from changes or
from a failure to achieve desired levels of
performance. They can be 'business" or "insurable
risks" although in the latter case the risk is borne
by the parent organization, not by an outside
insurance company. (The premium paid is the
investment in other products which far exceed
expectations).
d)
Internal Non-Technical:
These
are risks within the control of project managers, or
their organizations, and are non-technical in
nature.
They usually arise from a failure of
the project organization or resources (human
material or financial) to achieve their expected
performance. They may result in schedule delays,
cost over-runs or interruption to cash flow. These
are usually "business" risks.
e)
Legal: Legal
risks fall under civil and criminal law.
Risks under civil law arise from contractual
arrangements with clients, contractors or third
parties, or from licenses, patent rights contractual
failure or from force majeure (a unilateral claim by
one party to a contract). Risks under the criminal
law are duties imposed on both the owner and
contractor. Under the Health and Safety at Work Act
1974, all employers - not just in the engineering
industry - have a duty of care for their employees
and for the public. Therefore, project managers,
their employers (the contractors) and design teams
can be held responsible if their negligence causes
injury to any of the parties involved with the
project; including: the project team while working
on the project, users while operating the facility,
and consumers using the product produced by the
facility. There have been successful prosecutions in
the engineering industry. With some of the modern
uses of computer systems, programmers must be aware
of the software errors leading to injury of a user
or consumer.
Techniques for Identifying Risk
2.3.3 Techniques for Identifying Risk
There are five techniques for
identifying risk.
They are listed separately, but are in practice used
interactively:
1-
Expert Judgmentuses personal intuition andawareness.
This is the simplest technique, but is sufficient
only on the simplest projects. The use of checklists
against the categories identified above can help.
2-
Plan Decompositionshows risks inherent in the
interdependency of work.Any event that lies
at the startor completion of many activities
is a potential risk. These occur at bottlenecks
in the network. When analyzing the plan, you should
also look at all external interfaces such as
external supply, for potential failure of third
parties.
3-
Assumption analysis
is win/lose analysis and focuseson events
that might be detrimental, considering both
events we want to occur but may not and events we do
not want to occur but may. Expert judgment is needed
to foresee these events and check for completeness.
Table 2.2 contains an assumption analysis on the
purchase of a computer system.
4-
Decision driversare influences that might determine
whether or not certain events may occur (inside
and outside the project). Win/lose analysis can
be used toderive the list of decision
drivers. It can be particularly damaging if
decisions are made for the wrong reason: political
versus technical, marketing versus technical,
solution versus problem, short term versus long
term, new technology versus experience.
5-
Brainstorminguses social interaction to
enhance the above techniques
ý
2.4
Expecting the
Unexpected
2.4 Expecting
the Unexpected
The secret of clear risk identification is to
be able to predict possible causes of divergence from plan.
It is the experience of many people that failure occurs on a
project where they least expect it. This is known as
Sad's Law or Murphy's Law. It is sometimes stated
as: if something can go wrong it will; if something can't go
wrong it will!
Table 2.2: Win/lose analysis for the purchase
of a computer system
System offered vs. system
specified
Winners
Losers
Quick cheap product
Developer
Sponsor
User
Lots of nice to haves
Developer
User
Sponsor
Driving too hard a bargain
Sponsor
User
Developer
The value of this attitude is that if you
expect things to go wrong you will be on your guard for
problems, and will be able to respond quickly to them. The
failures may be ones you had predicted or ones you least
expect. If you anticipate problems, and plan appropriate
contingency, you will not be disrupted when those problems
occur. If the unexpected then also occurs, you will be able
to focus your management effort into the areas that might
now cause greatest disruption. This attitude of expecting
risks and being ready to respond is sometimes known as
risk thinking. To some people it comes naturally; others
require structured, logical processes of risk identification
and analysis to support their response.
2.5
Variation of
Risk with the Project Management Life Cycle
Like quality the impact of riskvaries throughout the project
management life cycle.
2.5 Variation of
Risk with the Project Management Life Cycle
Like quality the impact of risk varies
throughout the projectmanagement life cycle. The later in the cycle risks
occur, the more expensive are their consequences, but to
counteract that, the less likely they are to occur. Risk can
be reduced at the design stage by choosing a proven design
rather than an untested one, or during the implementation
stage by choosing proved methodologies. Whenever novelty is
introduced the risk of failure grows throughout the life of
the project.
2.6
Isolating Risk
in the Work Breakdown Structure
2.6 Isolating
Risk in the Work Breakdown Structure
Similarly, it is usually possible to isolate risk in the
work breakdown structure by identifying it as being
associated with a certain part of the project.
Risk Assessment and
Risk Management(2)
