Effective project risk management using the concept of risk velocity, agility, and resiliency

CAMERON International, Houston, TX, USA


Risk management is a rapidly developing discipline with many varied views, differing descriptions of what it entails, how it should be conducted, and what it is for. There are different methodologies within several standards for defining what the process of risk management should be, but it is worth noting that there is no “one-size-fits-all” approach for conducting adequate risk management. The traditional concept of risk assessment, which relies on the outcome of probability, or likelihood of occurrence, and the impacts based on schedule and cost is outpaced by the speed at which risks move throughout the project life cycle (Deloitte, 2007). Risk prioritization using the two-dimensional approach of probability and impact assists with the ranking of identified risks without detailed thought regarding the rate at which risk is going to impact the business.

This paper describes a new concept of risk response planning, which adopts the concepts of risk velocity, agility, and resiliency. Risk velocity has previously been described by Deloitte Consulting (Deloitte, 2007) and this paper builds upon these findings by proposing a risk response urgency matrix, resource deployment plan, and risk acceptance threshold. Risk velocity emphasizes the rate at which risk events impact projects, therefore improving the robustness of risk assessment. The risk response urgency matrix (RRUM) provides a holistic approach in the prioritization of risk events considering the additional dimension of risk velocity. The paper then introduces the concept of agility for effective resource utilization based on the urgency of risk response before proposing a firm's approach to determining its own risk acceptance threshold.

Considering the dynamic nature of risk events, the ability to generate a more robust assessment using the proposed three dimensional approach of probability, impacts, and velocity provides the opportunity to adequately develop an effective response plan and thereby addresses critical success factors for risk management effectiveness.

Keywords: Risk velocity; agility; risk response urgency matrix; prioritization

Overview of Risk Management

Risk management involves the planning, identification, assessment, plus prioritization of risks. According to A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Fourth edition (PMI, 2008), risks can be defined as an uncertain event or condition that, if occurs, has an effect on at least one project objective. Uncertainty can come from the financial market, project failures, natural causes or disasters, accidents or events of uncertain or natural process variation.

Risk can be considered as both threat (negative impacts) and opportunity (positive impacts). The risk facing an organization can be viewed as external and internal based on the resulting factors.

For emphasis sake, risk management can be defined as the process for analyzing exposure to risk and determining how best to handle related exposure. The focus of risk management is not only in the identification of risks but also in developing a robust approach to proactively manage the projected impact on business bottom-line. Hence, this paper is focused on such approach for managing and addressing threats and opportunities on projects.

Risk Management Process

Risk Management Planning

Planning involves the process of defining how to conduct risk management activities for a project. It is important to ensure that the type, degree, and visibility of risk management are commensurate with both the risks and the importance of the project to the organization. The development of risk management plan starts when the project is conceived and completed early during project planning phase. The only output from the process is the risk management plan, which is a document that describes how risk management will be structured and performed on the project.

Risk Identification

Risk identification is the process of determining which risks may affect the project and documenting their characteristics. It is an iterative process because new risks may evolve or become known only as the project progresses through its life cycle. There are many techniques available for risk identification and assessment.

Qualitative and Quantitative Risk Analysis

Qualitative risk analysis is the process of assessing the relative significance of each of the project's risks by assigning a probability of occurrence to each. Additionally, it is also assessing the risk impact in terms of numeric cost and or schedule. The assigned values or estimates will generate a stop light system for visual management. Qualitative analysis helps manage risks visually and aids the prioritization of mitigation efforts.

Quantitative analysis, on the other hand, involves the process of mapping related risk events to activities and running Monte Carlo simulation considering the likelihood of occurrence. A view from which we can draw logical conclusions to help make business related decisions.

Risk Response Planning

Response planning is the process of developing options and actions to enhance or exploit opportunities and to reduce threats in order to protect project objectives. It includes the identification and assignment of a risk or action owner to take responsibility for each agreed-to and funded risk response. Response planning is influenced by the organizational guidance for communicating, documenting, and updating a mitigation plan, requirements of methods and tools, needs of decision makers, stakeholders’ expectations, and risk tolerance. The strategies would be continually reviewed for their cost-benefit, achievability, effectiveness, and resource requirement as outlined in the risk management plan. In some cases, a contingency plan is developed to deal with residual risk that remains after mitigation efforts have been exhausted (Simon, Hillson, & Newland, 1997).

Risk Monitoring and Control

This process involves the tracking of identified risks, monitoring of residual risks, identifying new risks and ensuring that risk response plans are executed and evaluated for the effectiveness throughout the project life cycle. At this stage, the effectiveness of all of the project risk management processes is reviewed as part of knowledge management effort, to provide improvements to the management of the current project as well as future projects.

Concept of Risk Velocity

The traditional concept of risk assessments that relies on the outcome of probability or likelihood of occurrence and the impacts based on schedule and cost are outpaced by the speed at which risks move throughout the project life cycle. Risk prioritization using the two-dimensional approach of probability and impact assists with the ranking of identified risks without considering the rate at which risk is going to impact the business. Mitigation strategies are developed in order to address the root cause of risk based on risk exposure. Incorporation of risk velocity in the assessment of risk events helps to improve the risk prioritization process and subsequent development of adequate response planning. The addition of risk velocity in the assessment of risk events will create a three-dimensional approach for risk prioritization. This will create a comprehensive assessment of the speed at which the risk will impact the organization. The aim of this concept is to enhance the proactive management by introducing another element to the traditional analysis. The velocity can be classified using the following indicators, namely: L – low speed, M – medium speed, and H – high speed. The graphical illustration (see Figure 1) of this concept creates a high-level visual analysis of risk impact assessment based on risk response urgency. This is a combination of the probability/likelihood of impact, cost/schedule impacts and risk velocity (time-to-impact). The approach will help establish a realistic and robust assessment of risk/opportunity events to develop aggressive measures to address related impacts per the organization's resilience.

Risk response urgency matrix

Figure 1: Risk response urgency matrix.

The matrix in Figure 1 shows how risk response urgency is introduced to ascertain the significance of a risk event as a direct result of its velocity. On the X-axis, the risk or opportunity event profile is first determined from the Probability and Impact (P&I) Matrix and the resulting score or profile is plotted against its Risk Velocity on Y-axis to help understand the urgency of response to be adopted. This is repeated for all identified risks that have been scored using the traditional Probability X Impact Matrix so as to rank/prioritize them in order of response urgency. The risk velocity (in days) is plotted against the risk profile as derived from the P&I Matrix and the Risk Response Urgency value is determined. This is repeated for all identified risks and the associated urgency values noted. Based on the outcome of the urgency values, the risks are then ranked in order of response urgency to determine how important and crucial the response. For instance, a risk profile of 72 from the P&I Matrix with 30 days’ time-to-impact gives a response urgency value of 2.40, which is the same for a risk with a profile of 36 from the P&I Matrix and 15 days time-to-impact. Refer to Figure 2 for comparison using two different scenarios. In scenario 1, risks are prioritized using only the profile score from the P&I Matrix, while in scenario 2 they are ranked after due consideration of the velocity per the response urgency value.

Risk prioritization comparisons

Figure 2: Risk prioritization comparisons.

In a research survey conducted by Deloitte Risk Integration Strategy Council (2007), while 70% of finance executives agree that risk velocity is a core consideration, only 11% have introduced it into their risk assessments.

Risk prioritization matrix

Figure 3: Risk prioritization matrix.

Source: Deloitte; Risk Integration Strategy Council Research

From Figure 3, a three-dimensional approach to proper risk assessment is presented to ascertain the importance of risk velocity in risk prioritization. Risk A, shows a high probability and impact with low time-to-impact. The risk is projected to impact in 18 months while Risk B shows a high probability and impact with high speed with a two months’ time to impact. High priority is placed on Risk B due to its high speed to impact (Deloitte, 2007).

Agility Concept

Resource allocation is a major challenge in risk management as several questions have been asked in the past regarding the idea of opportunity cost. Resources spent on risk management could have been deployed to more profitable activities. The agility concept addresses the resource management challenge as related to risk management in order to justify the prioritization as well as time and money spent on managing risks. Massive resources are ineffective if they arrive at the wrong time in responding to risk events while agile responses don't help much if the resources aren't enough to address the threat at hand. Risk impact increases proportionally with the time it takes to successfully mitigate it. It is not a static concept rather it is dynamic in nature. Although risks are not mathematical functions, mathematics are used to help us evaluate the risk profile. Agility can be defined as the speed of response to a particular risk while considering the velocity of the risk. When assigning a risk or action owner, it is important to build and retain cooperation and consensus in order to avoid contractual disagreement.

For a risk event that falls within the high urgency region in the risk response urgency matrix, adequate and competent resource(s) are deployed in a timely fashion to address the potential impact before the risk is realized. Constant monitoring of the response actions are carried out as they are implemented to determine their effectiveness. The strategies are then reviewed in order to effectively manage the risk. Issues arising from such response action may be escalated to upper management so as to show visibility and solicit for more support to manage the risk.

Concept of Risk Resiliency

The effectiveness of risk management is determined by both agility and resiliency. Resiliency can be attributed to the organization's tolerance for risk management. An agreed risk level threshold is an important piece when defining the acceptable level of risk. The established threshold will drive the target for risk responses. The resiliency will assist in defining the metrics for measuring the effectiveness of responses. In the absence of such threshold, too much time might be spent on reducing risk below what would have been acceptable or responses might not address the root cause in reducing the risk exposure (Hillson, 1999).

As risk events move from one region to another within the risk response urgency matrix, a proper reassessment of its impact to scope, cost, and schedule is carried out by subject matter experts (SMEs). Further response action in terms of time, cost, and resource will be dependent on the organization's tolerance for risk acceptance.


Early actions to protect against the negative effects of a risk can make it more acceptable. Preventative (proactive) actions are always better than curative (reactive) ones as they are more effective and less expensive, and if successful can lead to overall risk event avoidance (Burke, 2008).

The risk management process will not deliver its benefits if response development is ineffective. Risk management will be more meaningful and effective if one can put the response plans into action through effective communication (Nayak, Akkiraju, Mantripragada, Torok, 2010).

The concept of risk velocity, agility, and resiliency provides a balanced approach in addressing critical success factors for risk management effectiveness.

Considering the dynamic nature of risk events, the best way to generate a more robust comprehensive assessment of risk is to be able to estimate how much time there may be to prepare a response. This will assist in developing strategies based on risk exposure prioritization, effective resource allocation, and time-to-impact. The importance of effective risk management for projects cannot be overemphasized. Attention should be given to ensure comprehensive identification and objective assessment of project risks. However, identification and assessment will be worthless and useless unless responses can be developed and implemented to address these risk events.


Burke, L. (2008, May/June). How enterprise risk management increases value for your organization. Florida CPA Today. Retrieved from http://www.ficpa.org.

Deloitte Risk Integration Strategy Council Research, (2007). Consider Velocity, Importance and Use of Risk Velocity in Risk Assessments, November 2007.

Hillson, D. A. (1999). Take no risks with risk. Project Magazine, 12 (1), 14–16.

Nayak, N., Akkiraju, R., Mantripraga, N., & Torok, R. (2010). A knowledge-based decision support tool for enterprise risk management. IBM Research Report June 7, 2010.

Project Management Institute (2008). A guide to the project management body of knowledge (PMBOK® guide)—Fourth edition. Newtown Square, PA: Author.

Simon, P. W., Hillson, D. A., & Newland, K. E. (Eds.) (1997). Project risk analysis & management (PRAM) guide. High Wycombe Bucks, UK: Association for Project Management.

©2012 Project Management Institute



Related Content

  • Project Management Journal

    Getting Past the Editor's Desk member content locked

    By Klein, Gary | Müller, Ralf To reach acceptance, every research paper submitted to Project Management Journal® (PMJ) must pass several hurdles. This editorial aims to declare the editorial process and reveal major reasons for…

  • Project Management Journal

    Narratives of Project Risk Management member content locked

    By Green, Stuart D. | Dikmen, Irem The dominant narrative of project risk management pays homage to scientific rationality while conceptualizing risk as objective fact.

  • Project Management Journal

    Coordinating Lifesaving Product Development Projects with no Preestablished Organizational Governance Structure member content locked

    By Leme Barbosa, Ana Paula Paes | Figueiredo Facin, Ana Lucia | Sergio Salerno, Mario | Simões Freitas, Jonathan | Carelli Reis, Marina | Paz Lasmar, Tiago We employed a longitudinal, grounded theory approach to investigate the management of an innovative product developed in the context of a life-or-death global emergency.

  • Project Management Journal

    Investigating the Dynamics of Engineering Design Rework for a Complex Aircraft Development Project member content locked

    By Souza de Melo, Érika | Vieira, Darli | Bredillet, Christophe The purpose of this research is to evaluate the dynamics of EDR that negatively impacts the performance of complex PDPs and to suggest actions to overcome those problems.

  • Project Management Journal

    Navigating Tensions to Create Value member content locked

    By Farid, Parinaz | Waldorff, Susanne Boche This article employs institutional logics to explore the change program–organizational context interface, and investigates how program management actors navigate the interface to create value.