Risk Management


This subject covers the processes involved in the identification and management of risk within a project or program to achieve and maintain a risk profile acceptable to the key stakeholders.

Topics included in Risk Management:

- Risk Management Overview
- Risk Management
- Practical Risk Management Tools & Courses
- Industry Perspectives on Risk
- Complexity, People & Risk
- Useful External Web-links & Resources.

Other related sections of the PMKI:

- Risk Assessment
- Schedule Risk Assessment


Risk Management Overview

What is a risk?

It is a simple fact of life that all project work operates in the presence of uncertainty! The generally accepted definition of a risk is: “an uncertain event or condition that, if it occurs, will have a positive or negative effect on a project objective”. Where:

  • Uncertainty: is caused by the lack of knowledge about future events, this includes opportunities as well as threats
  • Risk: is an uncertainty that matters, the uncertainty has the potential to positively, or negatively, affect a project objective, whereas
  • Hazard: is the cause of a negative risk.

Each risk is something (an event or a condition) which may or may not occur in the future. This concept is vital to a proper understanding of risk, to planning the management of risks, and to dealing with their consequences. Each risk describes something that has not occurred yet; indeed some risks may never occur - a 20% probability of a risk occurring means there is an 80% probability of the risk not occurring. This makes the management of risk different from the management of things which have happened in the past (usually identified by a variance in a project report), and from things that currently exist and are affecting, or will affect, the work such as issues (see WP1089), problems (see WP1013) or constraints.

There are two classes of uncertainty that create risk:

  • Epistemic uncertainty arises from an incomplete knowledge about the future. This means the degree of uncertainty is reducible. We can take specific actions to increase knowledge by investing in obtaining better knowledge (research) and/or refining estimates and models to improve their reliability. These risk handling activities are incorporated in the project, budgeted, scheduled, and tracked for progress until the uncertainty has been reduced to an acceptable level, but you can never achieve a complete knowledge of future events, there will always be a degree of uncertainty.
     
  • Aleatory uncertainty arises from the unpredictable, random nature, of physical systems. This class of risk is irreducible. We can only provide an appropriate level of contingency to compensate the project from the risk if it occurs. The amount of margin needed is modeled using Monte Carlo Simulation, heuristics, or other tools, and assigned to appropriate points in the project. As time elapses, the adequacy of the remaining contingency is tracked through a margin burndown chart (click through to see more on assessing risk using Monte Carlo).

In addition to these known unknowns that can be assessed, there are also two types of unknown unknowns; knowable unknowns and unknowable unknowns:

  • Knowable unknowns can be identified and brought into consideration by an effective risk management process, but you often do not know what you don't know.
     
  • Unknowable unknowns are intrinsically unmanageable. There will always be some unforeseeable surprises ranging from minor annoyances through to Black Swans waiting to surprise you. Resilience is needed to deal with the consequences as the unidentified risk unfolds.
     

Managing risk

To manage risk effectively you need to identify the uncertainties that matter, and deal with both their positive and negative effects. This is best achieved by following a structured process that takes into account the risk tolerance of both the organization's management and the other people affected by the risk exposure and/or risk management decisions. People's perceptions of what is an acceptable or unacceptable level of risk will vary significantly, and the ultimate aim of risk management is to manage the risks affecting your project to a level that is acceptable to the key stakeholders, not simply to list and analyze them.

The major challenge is that a possible event or condition that may occur in the future is something that can only be imagined or estimated, and these estimates will be influenced by each individual's perceptions and past experiences. Because past and current events and conditions can be analyzed and measured, this experience can be useful in assessing future risks, but only in part. There are no guarantees past events will reoccur at the same intensity in the future.

Effective risk management requires the application of sufficient effort to achieve a realistic modification in the risk exposure of your project (or program) that makes the level of exposure acceptable, whilst recognizing it is impossible to remove all risk. Generally, any effort spent on risk minimization should be offset by an increase in the expected value of the project, whilst recognizing some classes of risk are simply unacceptable and have to be removed to allow the project to proceed.

Simple risk assessments focus on the probability of a risk occurring and the likely impact if it happens. Practical risk assessments expand on these basic elements to define a more complete range of criteria and take into account the effect of cognitive bias on people's ability to make rational assessments of any potential gain or loss. These concepts are discussed below; the resources on the Risk Assessment page cover the techniques and tools used to calculate and assess the risk exposure of a project or program.



Risk Management    

Risk management is one of the least appreciated aspects of modern management. Most organizations are excessively risk averse, and in their attempts to avoid ‘all risk’ expose themselves to more adverse outcomes than if they actively embraced and managed risk (some examples are discussed in the Industry Perspectives section below).

Risk management should be an inclusive process. No client can avoid the ultimate risks associated with its project, such as the liquidation of its prime contractor; these major events inevitably impact the client, and by attempting to quarantine itself from ‘all risk’, the client simply passes the benefit of any favorable outcomes to its contractor. To manage risk effectively you need to deal with the uncertainties that matter by following a structured process that takes into account the people aspects such as senior management's risk tolerance.

WP: Risk Management. Managing risks is important because it focuses attention on the uncertainties that matter. This paper looks at the core elements of risk management.

WP: Types of Risk. Risks fall into four broad categories and are created by a variety of factors outlined in this paper.

WP: Risk Assessment. Risks always involve uncertainty, and matter because they have the potential to affect objectives. This means that each risk must be linked to at least one objective and its potential impact assessed objectively (see more on risk assessment).

PP: The Meaning of Risk in an Uncertain World. This paper describes the key aspects of risk management needed from the client, the contracting organization and the project to optimize overall risk management and places risk management within a 'Complexity Theory' and stakeholder management framework (discussed in more detail below). Particular focus is on reducing the variability in projected outcomes (closing in on the Mean) to minimize the contingencies needed to compensate for expected variability, and the competencies required at each level to manage risk events to optimize project outcomes in a complex environment.

Prs: Portfolio governance and risk – it’s all about the stakeholder. There is no such thing as a ‘risk free’ project and the art of portfolio management is to balance the risks and rewards of investing in projects, whilst keeping the overall risk exposure at a level that is acceptable to the organization, and still generate the expected rewards.

Blg: The reference case for management reserves. This post looks at reference class forecasting, a technique that enhances the accuracy of the budget estimates by basing forecasts on actual performance in a reference class of completed, comparable projects.

Blg: The language used to define risks can contribute to failure. A corporate culture that prevents the honest description of a risk, or allows imprecise definitions, is a significant threat to pragmatic risk management.

Art: Radical Uncertainty. Making predictive models more mathematical does not improve the accuracy of the predictions, a different paradigm is needed in a complex world.

Art: Every Decision is a risk! When a decision maker has to choose between a number of viable alternatives with the selection of the best option being influenced by information (usually insufficient) and preferences founded on values and ethics, the decision involves uncertainty and therefore incorporates an element of risk. No process can guarantee a good outcome from every decision, but working through the pragmatic process outlined in this article can help increase the probability of an acceptable outcome (see more on decision making).

Art: Risk Reassessment - the role of ‘sentinels’. An element in most risk processes is identifying ‘risk triggers’ or early warning indicators that tell management a risk event is likely to occur before the main impact hits.

WP: Root cause analysis. Some valuable techniques for understanding the root cause of a problem or an issue in complex situations.

Blg: Black Swan Risks. The key definition of a ‘black swan’ proposed by N.N. Taleb is that the ‘black swan’ was unpredicted and unpredictable, but in hindsight it appears that it should have been foreseeable.

Blg: Resilience v Risks. Resilience is the ability of a system to return to its original state after being disturbed. Build resilience into your business unit or project team and you have the capacity to deal with the consequences of unforeseen risks.

Art: Murphy's Law is not an excuse. Designing potential problems and failures out of the overall system pays dividends; success is designed in, not tested in. To apply Murphy’s Law proactively, you need to think through everything before you start work and ask yourself if this part fails, does the system still work, will it still do the function it was supposed to do? What are the single points of failure? What are the processes someone can do incorrectly?

Blg: Risk mitigation requires courage – How Cockcroft’s Folly saved 100s of lives! This post describes the moral courage exhibited by Sir John Cockcroft in doing the right thing rather than the easy thing to guard against an accident that ‘could not happen’, but did! His decision saved much of northern England from becoming a nuclear wasteland. Thinking through this dilemma puts a whole new perspective on risk assessment and mitigation – in the right circumstances ‘black swans’ can kill.

WP: Issues Management. When a risk occurs, the management focus changes, you are now dealing with an issue that has to be resolved or managed. Every issue is a current problem that will negatively impact the successful delivery of the project if it is not managed effectively, but issues are not all equally important. 



Practical Risk Management Tools & Resources


Risk Register - Excel Template.

A practical template for identifying and prioritizing the risks associated with a project or program.
   

For each risk you can:
- Define the risk category and allocate a short name.
- Describe the risk using an effective 'risk meta language'. All you have to do is 'fill in the gaps'.
- Prioritize the risk using a powerful qualitative assessment process developed for a US$1 billion oil project.
- Determine the optimum response.

The key to successful risk management is defining each risk concisely and unambiguously. Mosaic's Risk Register is designed to help with this.

The spreadsheet compiles the risk data for transfer into the risk management plan. The spreadsheet contains a comprehensive 'help' page focused on implementing effective risk management (included in the Sample). This is a very robust, easy to use tool that ensures that all of the identified risks are effectively managed (maximum number of risks per spreadsheet = 200).

Download a free sample: Download Sample Spreadsheet

Buy the full version. Spreadsheet price: Australian $20.00




Risk Management Plan - Excel Template.

A practical template for pro-actively managing the risk treatments outlined in the risk register.
 

For each risk you:
- Copy the information from the risk register focusing on the urgent and important risks.
- Define the actions needed to implement an effective risk treatment.
- Allocate a responsible manager for each action (as well as for the overall risk).
- Monitor the status of the action including the transfer of appropriate information into the project schedule and cost plan.
- Keep notes to track decisions and sequence actions.

This is a simple tool that provides the critical link between identifying risks in the Risk Register and implementing the actions needed to treat the risks.

Download a free sample: Download Sample Spreadsheet

Buy the full version. Spreadsheet price: Australian $10.00

 



The Standard for Risk Management in Portfolios, Programs, and Projects

The Standard for Risk Management in Portfolios, Programs, and Projects is an update and expansion upon PMI’s popular reference, The Practice Standard for Project Risk Management. The standard focuses on the “what” of risk management (i.e., the key considerations for effective risk management). It is primarily written for portfolio, program, and project managers, but is a useful tool for leaders in risk management, business consumers of risk management, and other stakeholders of the portfolio, program, and project management professions.

It helps:
- Identify the core principles for risk management,
- Describe the fundamentals of risk management and the environment within which it is carried out
- Define the risk management life cycle, and
- Apply risk management principles to the portfolio, program, and project domains within the context of an enterprise risk management approach

Buy from PMI or Amazon.

 



NASA Risk-Informed Decision Making (RIDM)

The purpose of this handbook is to provide guidance for implementing the risk-informed decision making (RIDM) requirements of NASA. It is general enough, and contains a sufficient diversity of examples, to enable the reader to adapt the methods as needed to the particular decision problems that he or she faces. The handbook highlights major issues to consider when making decisions in the presence of significant uncertainty, so that the user is better able to recognize and avoid pitfalls that might otherwise be experienced. Download the handbook.

     



Joint Cost Schedule Risk and Uncertainty Handbook

This handbook defines processes and procedures for performing cost and schedule risk and uncertainty analysis in support of life cycle cost estimates for major projects and programs. Methods described include the older CISM (Cost Informed by Schedule Method) and more recent FICSM (Fully Integrated Cost and Schedule Method).  Download the handbook.

     


Commercial Risk Management Software

Blg: The Schedule Compliance Risk Assessment Methodology (SCRAM). SCRAM focuses on schedule feasibility and root causes for slippage. It makes no judgment about whether or not a project is technically feasible.

Visit our project controls software page



Industry Perspectives on Risk

PP: Risk Attitudes in the Construction Industry - Avoidance Does Not Work. Risk management is one of the least appreciated aspects of modern construction management. Most client organizations are excessively risk averse, and in their attempts to avoid ‘all risk’ expose themselves to more adverse outcomes than if they actively embraced and managed risk. An example of the impossibility of avoiding, or contracting out of, ‘all risk’ is the new Wembley Stadium, delivered years late and $millions lost. Contrast Wembley with the construction phase of BAA’s Terminal 5 project at Heathrow Stage 1, and the need for an effective risk attitude by organizations becomes obvious. BAA’s management set out to actively manage ‘all risks’ in the Terminal 5 project and delivered one of the most successful major construction projects in Europe. By effectively engaging in its project, BAA could help mitigate adverse risk events and collect benefits from favourable risk outcomes. In this context, ‘effective engagement’ included both having the right risk attitude, as well as being a knowledgeable client that could partner effectively with its contractors to proactively manage project risk. Unfortunately the proactive engagement with managing risk did not flow through to the opening of T5.....

This paper describes the key aspects of risk management needed from the client, the contracting organization and the project to optimize overall risk management and places risk management within a stakeholder management framework. Particular focus will be on reducing the variability in projected outcomes (closing in on the Mean) to minimize the contingencies needed to compensate for expected variability, and the competencies required at each level to manage risk events to optimize project outcomes.

PP: Construction - A Risky Business. This 2005 paper identifies some of the factors creating risk in the Australian construction industry and suggests ways to better align risk and reward. We hypothesize that the efficient management of risk involves both contractors and clients working together to deliver the right project for the right price, utilizing modern forms of contract such as 'Collaborative Working Agreements'. Unfortunately, the challenges identified are still relevant in the current market.
- Download the PowerPoint presentation.

PP: The Meaning of Risk in an Uncertain World. The examples used in this paper show the impossibility of avoiding, or contracting out of, ‘all risk’. The 'new' Wembley Stadium, delivered years late and $millions lost is contrasted with the British Airports Authority’s (BAA’s) Terminal 5 project at Heathrow. The need for an effective risk attitude by organizations becomes obvious.

BAA's management set out to actively manage ‘all risks’ in the Terminal 5 project and delivered one of the most successful major construction projects in Europe. By effectively engaging in its project, BAA could help mitigate adverse risk events and collect benefits from favorable risk outcomes. In this context, ‘effective engagement’ included both having the right risk attitude, as well as being a knowledgeable client that could partner effectively with its contractors to proactively manage project risk. Unfortunately the proactive engagement with managing risk did not flow through to the opening of T5.....
- Click through for more construction and engineering papers.



Complexity, People & Risk

PP: A Simple View of ‘Complexity’ in Project Management. Complexity theory helps understand the social behaviours of teams and the networks of people involved in and around a project. This paper traces the development of ‘Complexity Theory’ from its origins in Chaos Theory and develops a range of practical suggestions for improving the effectiveness of both communication practice and risk management practice within project management practice based on insights derived from ‘complexity theory’ (click through to see more on complexity theory).

Prs: Risk Management and Complexity Theory - The Human Dimension of Risk. The outcome of projects is always uncertain and risk management has become a ‘hot topic’ in recent years. However, despite all of the interest, risk management remains one of the least appreciated aspects of modern management. Whilst arguably the key competence (or competitive advantage) of every organization is its ability to effectively manage the risks inherent in its environment; most organizations are excessively risk averse, and in their attempts to avoid ‘all risk’ expose themselves to more adverse outcomes than if they actively embraced and managed risk.

This presentation outlines the key aspects of risk management from the human perspective, with a view to optimizing the overall risk management for a project and its host organization. Particular focus is on the risk attitudes and competencies required at each level of management to optimize risk. It concludes by developing a range of practical suggestions for improving the effectiveness of risk management practice within projects based on an understanding of ‘complexity theory’ applied to the project environment.

Blg: Stakeholders and Risk. One of the interesting similarities between stakeholder management and risk management is the challenge of knowing what we know and more importantly understanding what we don’t or can’t know.

Blg: Stakeholder Risk Tolerance. The skill that a mature organization brings to the art of ‘risk management’ is to focus effort on managing risks that can be managed, providing adequate contingencies for those risks that cannot be controlled and deciding how much residual risk is sensible.

Blg: Stakeholders and Reputational Risk. Your reputation is created in the minds of other people - creating it, managing it, and protecting it is hard work.

         



Useful External Web-links & Resources

M_o_R - Management of Risk. A route map for risk management: https://www.axelos.com/best-practice-solutions/mor

ATOM Risk Management - Active Threat & Opportunity Management, a practical method for managing risk on projects (book): http://www.atom-risk.com

Risk Doctor - Papers, books and advice on project risks by Dr David Hillson - http://www.risk-doctor.com

MRID - Making Important and Risky Decisions by Dr David Hillson & Ruth Murray-Webster - https://making-decisions.com/


PGCS For papers on Risk Management presented at the PGCS Annual Symposium see:
https://www.pgcs.org.au/papers/risk/
