What Are The Categories and sources of risk in your project?

All projects have risks. If a potential risk of the project is not identified early, then the project will be at a high risk to complete as per schedule, within budget and to meet the expected quality. One of the current difficulties faced by a new Project Manager today is not having a sample or general risk list to refer to when identifying the project risk.

This article provides a sample and general project list that a new project manager can refer to at the beginning of their project to identify a potential risks within their project.

Project Risk Identification

Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. The objectives of project risk management are to increase the likelihood and impact of positive events, and decrease the likelihood and impact of negative events in the project.

The three main constraints on projects can be classified as schedule, scope and resources, and the mishandling of each can cause a ripple effect on the project, which would then face imminent collapse.

Scope Risk

Defining what is required is not always easy. However, so as to ensure that scope risk is minimized, the deliverables, the objectives, the project charter, and of course, the scope needs to be clearly defined.

All scope risks, be they quantifiable or not, needs to recognized. Scope creep, hardware defects, software defects, an insufficiently defined scope, unexpected changes in the legal or regulatory framework and integration defects can all be classified under the broad umbrella of scope risk.

There are a variety of methods that help stakeholders identify the scope of the project. The risk framework analyses the project’s dependency on technology and the market and then assesses how changes in each would affect the outcome of the project.

Similarly, the risk complexity index looks at the technical aspects of the projects, which can be easily quantified and allocated a number between 0 and 99 to indicate the risk of the project.

Risk assessment, on the other hand, uses a grid of technology, structure and magnitude to assess the proposed risk of the project.

A work breakdown structure, commonly abbreviated as WBS, also considers the risks of projects, which are ill defined and where the stated objectives are ambiguous.

Scope risks can be minimized and managed with savvy planning. Defining the project clearly, managing the changes in scope throughout the duration of the project, making use of risk registers to better manage risks, identifying the causative factors, and the appropriate responses to risky situations and developing greater risk tolerance in collaboration with the customer, would pay great dividends in the long run.

Schedule Risk

Keeping to timelines and agreed critical paths is one of the most difficult situations that project managers now face.

An extensive reliance on external parties whose output is not within the project’s scope of control, estimation errors, which most often are too optimistic, hardware delays and putting off decision making, all tend to delay the project at hand.

To minimize schedule risks, there are a few time-tested methods that can be put to good use. The process flow of the project should be broken down into small, clearly defined components where the allocated timeframe for each process is relatively short in duration (this makes it easy to identify things when tasks veer off schedule, at its earliest).

Be wary of team members or external parties, who hesitate to give estimates or whose estimates seem unrealistic based on historical data and previous experience.

When formulating the critical path, ensure that any holidays that arise are in-built into the equation, so that realistic expectations are created, right from inception. Defining re-work loops too is also recommended, wherever possible.

Resource Risk

People and funds are any project’s main resource base. If the people are unskilled or incompetent to perform the task at hand, if the project is under-staffed from the beginning, or if key project members come on aboard far after the inception of the project, there is an obvious project risk that has ill-planned human resources as its base.

Similarly, from a financial perspective, if insufficient funds are provided to carry out the necessary tasks, be it relevant training programs for the people in question or be it inadequate investments in technology or required machinery, the project is doomed to fail from inception.

Estimating project costs accurately, allocating a suitable budget to meet these costs, not placing undue expectations on the capacity of the staff in question and avoiding burn-out at a later date are all factors that help minimize the project resource risk.

Outsourced functions merit even more attention to detail, as it is for the most part, it is away from the direct purview of the project manager. Clearly defined contracts and regular monitoring would lessen this risk substantially.

Conflict management, which too generally arises with the progression of a project, should also be handled in a skilful manner, so that the project has a smooth run throughout its entire duration.

Project Risk Management

Managers can plan their strategy based on four steps of risk management which prevails in an organization. Following are the steps to manage risks effectively in an organization:

• Risk Identification
• Risk Quantification
• Risk Response
• Risk Monitoring and Control

Let’s go through each of the step in project risk management:

Risk Identification

Managers face many difficulties when it comes to identifying and naming the risks that occur when undertaking projects. These risks could be resolved through structured or unstructured brainstorming or strategies. It’s important to understand that risks pertaining to the project can only be handled by the project manager and other stakeholders of the project.

Risks, such as operational or business risks will be handled by the relevant teams. The risks that often impact a project are supplier risk, resource risk and budget risk. Supplier risk would refer to risks that can occur in case the supplier is not meeting the timeline to supply the resources required.

Resource risk occurs when the human resource used in the project is not enough or not skilled enough. Budget risk would refer to risks that can occur if the costs are more than what was budgeted.

Risk Quantification

Risks can be evaluated based on quantity. Project managers need to analyze the likely chances of a risk occurring with the help of a matrix.

Using the matrix, the project manager can categorize the risk into four categories as Low, Medium, High and Critical. The probability of occurrence and the impact on the project are the two parameters used for placing the risk in the matrix categories. As an example, if a risk occurrence is low (probability = 2) and it has the highest impact (impact = 4), the risk can be categorized as ‘High’.

Risk Response

When it comes to risk management, it depends on the project manager to choose strategies that will reduce the risk to minimal. Project managers can choose between the four risk response strategies, which are outlined below.

• Risks can be avoided
• Pass on the risk
• Take corrective measures to reduce the impact of risks
• Acknowledge the risk

Risk Monitoring and Control

Risks can be monitored on a continuous basis to check if any change is made. New risks can be identified through the constant monitoring and assessing mechanisms.

Risk Management Process

Following are the considerations when it comes to risk management process:

• Each person involved in the process of planning needs to identify and understand the risks pertaining to the project.
• Once the team members have given their list of risks, the risks should be consolidated to a single list in order to remove the duplications.
• Assessing the probability and impact of the risks involved with the help of a matrix.
• Split the team into subgroups where each group will identify the triggers that lead to project risks.
• The teams need to come up with a contingency plan whereby to strategically eliminate the risks involved or identified.
• Plan the risk management process. Each person involved in the project is assigned a risk in which he/she looks out for any triggers and then finds a suitable solution for it.

Risk Register

Often project managers will compile a document, which outlines the risks involved and the strategies in place. This document is vital as it provides a huge deal of information.

Risk register will often consists of diagrams to aid the reader as to the types of risks that are dealt by the organization and the course of action taken. The risk register should be freely accessible for all the members of the project team.

Project Risk; an Opportunity or a Threat?

As mentioned above, risks contain two sides. It can be either viewed as a negative element or a positive element. Negative risks can be detrimental factors that can haphazard situations for a project.

Therefore, these should be curbed once identified. On the other hand, positive risks can bring about acknowledgements from both the customer and the management. All the risks need to be addressed by the project manager.

The benefits of risk management in projects are huge. You can gain a lot of money if you deal with uncertain project events in a proactive manner. The result will be that you minimise the impact of project threats and seize the opportunities that occur. This allows you to deliver your project on time, on budget and with the quality results that your project sponsor demands. Also, your team members will be much happier if they do not enter a fire fighting mode needed to repair the failures that could have been prevented.

This article gives you the ten golden rules to apply risk management successfully in your project. They are based on personal experiences of the author who has been involved in projects for over fifteen years. Also, the big pile of literature available on the subject has been condensed in this article.

Rule 1: Make Risk Management Part of Your Project

The first rule is essential to the success of project risk management. If you don’t truly embed risk management in your project, you can not reap the full benefits of this approach. You can encounter a number of faulty approaches in companies. Some projects use no approach whatsoever to risk management. They are either ignorant, running their first project or they are somehow confident that no risks will occur in their project (which of course will happen). Some people blindly trust the project manager, especially if he or she looks like a battered army veteran who has been in the trenches for the last two decades. Professional companies make risk management part of their day to day operations and include it in project meetings and the training of staff.

Rule 2: Identify Risks Early in Your Project

The first step in project risk management is to identify the risks that are present in your project. This requires an open mindset that focuses on future scenarios that may occur. Two main sources exist to identify risks, people and paper. People are your team members that each brings along their personal experiences and expertise. Other people to talk to are experts outside your project that have a track record of the type of project or work you are facing. They can reveal some booby traps you will encounter or some golden opportunities that may not have crossed your mind. Interviews and team sessions (risk brainstorming) are the common methods to discover the risks people know. Paper is a different story. Projects tend to generate a significant number of (electronic) documents that contain project risks. They may not always have that name, but someone who reads carefully (between the lines) will find them. The project plan, business case and resource planning are good starters. Other categories are old project plans, your company Intranet and specialist websites.

Are you able to identify all project risks before they occur? Probably not. However if you combine a number of different identification methods, you are likely to find the vast majority. If you deal with them properly, you will have enough time left for the unexpected risks that take place.

Rule 3: Communicate About Risks

Failed projects show that project managers in such projects were frequently unaware of the big hammer that was about to hit them. The frightening finding was that frequently someone of the project organisation actually did see the hammer, but didn’t inform the project manager of its existence. If you don’t want this to happen in your project, you better pay attention to risk communication.

A good approach is to consistently include risk communication in the tasks you carry out. If you have a team meeting, make project risks part of the default agenda (and not the final item on the list!) This shows risks are important to the project manager and gives team members a natural moment to discuss them and report new ones.

Another important line of communication is that of the project manager and project sponsor or principal. Focus your communication efforts on the big risks here and make sure you don’t surprise the boss or the customer! Also, take care that the sponsor makes decisions on the top risks because usually some of them exceed the mandate of the project manager.

Rule 4: Consider Both Threats and Opportunities

Project risks have a negative connotation: they are the bad guys that can harm your project. However, modern risk approaches also focus on positive risks, the project opportunities. These are the uncertain events that are beneficial to your project and organisation. These good guys make your project faster, better and more profitable.

Unfortunately, a lot of project teams struggle to cross the finish line, being overloaded with work that needs to be done quickly. This creates a project dynamic where only negative risks matter (if the team considers any risks at all). Make sure you create some time to deal with the opportunities in your project, even if it is only half an hour. The chances are that you will see a couple of opportunities with a high payoff that doesn’t require a big investment of time or resources.

Rule 5: Clarify Ownership Issues

Some project managers think they are done once they have created a list of risks. However, this is only a starting point. The next step is to make clear who is responsible for what risk! Someone has to feel the heat if a risk is not taken care of properly. The trick is simple: assign a risk owner for each risk that you have found. The risk owner is the person in your team that has the responsibility to optimise this risk for the project. The effects are really positive. At first, people usually feel uncomfortable that they are actually responsible for certain risks, but as time passes they will act and carry out tasks to decrease threats and enhance opportunities.

Ownership also exists on another level. If a project threat occurs, someone has to pay the bill. This sounds logical, but it is an issue you have to address before a risk occurs. Especially if different business units, departments and suppliers are involved in your project, it becomes important who bears the consequences and has to empty his wallet. An important side effect of clarifying the ownership of risk effects is that line managers start to pay attention to a project, especially when a lot of money is at stake. The ownership issue is equally important to project opportunities. Fights over (unexpected) revenues can become a long-term pastime of management.

Rule 6: Prioritise Risks

A project manager once told me, I treat all risks equally. This makes project life really simple. However, it doesn’t deliver the best results possible. Some risks have a higher impact than others. Therefore, you better spend your time on the risks that can cause the biggest losses and gains. Check if you have any showstoppers that could derail your project. If so, these are your number one priority. The other risks can be prioritised on gut feeling or, more objectively, on a set of criteria. The criteria most project teams use is to consider the effects of a risk and the likelihood that it will occur. Whatever prioritisation measure you use, use it consistently and focus on the big risks.

Understanding the nature of a risk is a precondition for a good response. Therefore, take some time to have a closer look at individual risks and don’t jump to conclusions without knowing what a risk is about.

Risk analysis occurs at different levels. If you want to understand a risk at an individual level, it is most fruitful to think about the effects that it has and the causes that can make it happen. Looking at the effects, you can describe what effects take place immediately after a risk occurs and what effects happen as a result of the primary effects or because time elapses. A more detailed analysis may show the order of magnitude effect in a certain effect category like costs, lead time or product quality. Another angle to look at risks is to focus on the events that precede a risk occurrence, the risk causes. List the different causes and the circumstances that decrease or increase the likelihood.

Another level of risk analysis investigates the entire project. Each project manager needs to answer the usual questions about the total budget needed or the date the project will finish. If you take risks into account, you can do a simulation to show your project sponsor how likely it is that you finish on a given date or within a certain time frame. A similar exercise can be done for project costs.

The information you gather in a risk analysis will provide valuable insights into your project and the necessary input to find effective responses to optimise the risks.

Rule 8: Plan and Implement Risk Responses

Implementing a risk response is the activity that actually adds value to your project. You prevent a threat occurring or minimise negative effects. Execution is key here. The other rules have helped you to map, prioritise and understand risks. This will help you to make a sound risk response plan that focuses on the big wins.

If you deal with threats, you have three options, risk avoidance, risk minimisation and risk acceptance. Avoiding risks means you organise your project in such a way that you don’t encounter a risk anymore. This could mean changing supplier or adopting a different technology or, if you deal with a fatal risk, terminating a project. Spending more money on a doomed project is a bad investment.

The biggest category of responses are the ones to minimise risks. You can try to prevent a risk occurring by influencing the causes or decreasing the negative effects that could result. If you have carried out rule 7 properly (risk analysis) you will have plenty of opportunities to influence it. A final response is to accept a risk. This is a good choice if the effects on the project are minimal or the possibilities to influence it prove to be very difficult, time-consuming or relatively expensive. Just make sure that it is a conscious choice to accept a particular risk.

Responses to risk opportunities are the reverse of the ones for threats. They will focus on seeking risks, maximising them or ignoring them (if opportunities prove to be too small).

9: Register Project Risks

This rule is about bookkeeping (however don’t stop reading). Maintaining a risk log enables you to view progress and make sure that you won’t forget a risk or two. It is also a perfect communication tool that informs your team members and stakeholders what is going on (rule 3).

A good risk log contains risk descriptions, clarifies ownership issues (rule 5) and enables you to carry our some basic analyses with regard to causes and effects (rule 7). Most project managers aren’t fond of administrative tasks, but doing your bookkeeping with regards to risks pays off, especially if the number of risks is large. Some project managers don’t want to record risks because they feel this makes it easier to blame them in case things go wrong. However, the reverse is true. If you record project risks and the effective responses you have implemented, you create a track record that no one can deny. Even if a risk happens that derails the project. Doing projects is taking risks.

Rule 10: Track Risks and Associated Tasks

The risk register you have created as a result of rule 9, will help you to track risks and their associated tasks. Tracking tasks is a day-to-day job for each project manager. Integrating risk tasks into that daily routine is the easiest solution. Risk tasks may be carried out to identify or analyse risks or to generate, select and implement responses.

Tracking risks differs from tracking tasks. It focuses on the current situation of risks. Which risks are more likely to happen? Has the relative importance of risks changed? Answering these questions will help to pay attention to the risks that matter most for your project value.

Conclusion

An organization will not be able to fully eliminate or eradicate risks. Every project engagement will have its own set of risks to be dealt with. A certain degree of risk will be involved when undertaking a project.

The risk management process should not be compromised at any point, if ignored can lead to detrimental effects. The entire management team of the organization should be aware of the project risk management methodologies and techniques.

Enhanced education and frequent risk assessments are the best way to minimize the damage from risks.