Risk assessments--developing the right assessment for your organization
How can project managers assess today’s risks so that they won’t become tomorrow’s problems? Project managers are always on the lookout for risks and don’t sit back and wait for risk events to happen. We must take a proactive approach to managing uncertainty, but it is always helpful if we have a tool that helps us quickly identify, qualify, and quantify risk. Don’t reinvent the wheel! Create a reusable risk assessment that can be used repeatedly and reliably.
In this presentation, participants will learn how to develop their own customized risk assessment tool. Risk assessments take on many forms from very simple matrices to very complex databases with customized algorithms. There are many ways to go about creating a good risk assessment that takes into account those criteria important to your organization. This presentation will provide a step-by-step process for creating risk assessments that project managers or program officers can develop and use later in the in the risk management process.
During this process your team shouldn’t be spending time deciding what methods you’ll be using to identify, qualify, and quantify risks, since that should have been defined previously in the risk management plan. Also, it’s important to remember that as you gather your risks, it is necessary to document as many risks as possible within your risk register and quickly determine their likelihood and impact on a common set of categories included in your risk assessment. Once these risks are identified, categorized, qualified and quantified, they will provide essential input into the rest of the risk management process. It all begins with a robust and flexible risk assessment tool!
Introduction – Is a Risk Assessment Necessary?
Risk assessments are not performed in some organizations because they are perceived as a waste of valuable project time. This perception may be linked to the fact that assessing risk is conducted as a unique and discrete process for each project. Risk assessments can be conducted utilizing a reusable but customizable assessment tool in order to save time. I have spoken with many project managers in corporate America, and I have asked them why they approach risk assessments in this manner. Most project managers state that their projects are too unique and that creating a risk assessment template would be a waste of time or that they just don’t have the time to use such an assessment tool. According to them, assessing and managing risk appears to be the project equivalent of going to the gym to work out – you know it’s a healthy habit, but sometimes you just can’t bring yourself to do it. If we extend this analogy, we know that those who work out regularly are healthier because of it. The same principle applies with project managers; those who are disciplined at risk management have healthier projects because they are probably managing other aspects of their projects with the same discipline.
Risks are commonly discussed in project team meetings when risks arise. However, this process tends to be reactive, and in some cases it may prove catastrophic if risks are addressed too late. Taking the time to proactively identify, qualify, and quantify risks is a discipline that every project manager should pull out from their skills toolbox in order to stave off negative impacts to project scope, cost, time or quality. Having a scalable risk assessment template and risk management plan template in your back pocket will help you ease the pain associated with managing risks.
Organizing Your Risk Assessment Effort
You will first need to determine how a risk assessment will fit within your risk management processes and eventual risk management plan. The best approach is one that is scaled to fit your project, your organization, and your team. As Mark Mullaly puts it, “The risk [assessment] matrix is the start of the risk assessment process, not the finish. The degree to which risks influence our process will determine the strategy we take to deal with the risk, and the response that we plan.” (Mullaly, 2007) A good risk assessment process includes a two fold identification process. The risk identification matrix below (Exhibit 1) identifies the risk dynamics faced on every project. The first process addresses the common risks you and those in the performing organization and/or industry normally face. Some project managers refer to these as the known risks. The other process is to address the unknown or unusual risks that will require you and your team to think outside of the box in order to properly identify them. These are referred to as the unknown unknowns. A good risk assessment will address these.
Exhibit 1: Risk Identification Capability Matrix
This process requires a group perspective in order to maximize the known risks and to minimize the unknown risks. The more people involved in this process the better, but there is a point of diminishing return – so be judicious in the number of people involved. It is preferable that a sampling of senior project managers from throughout the organization be invited to participate for development of the initial risk assessment template – preferably less than 20. Once they are gathered, you will use the following steps to create and update your risk assessment template.
Creating Your Risk Assessment
Identify Applicable Risk Types and Organize Them
It is highly recommended that you use facilitated workshop sessions for this process. Once a subject matter expert group is gathered, it is best to explain to them that this process will require everyone to put on their thinking caps and be prepared to think outside of the box during this and any future sessions. Use the topics included in this section as the agenda for your sessions. Once you are ready, ask all participants to do the following:
- Take 20-30 minutes to think of types risk events commonly faced on projects
- Write down each risk event on a separate sticky note
- Take an additional 15 minutes to brainstorm additional risk events that are uncommon but could still occur
- Write down each additional risk event on a separate sticky note
- Ask participants to bring these forward and place them on the board
Then ask participants to form into teams of two or three and compare notes, and ask them to do the following:
- Take an additional 20 minutes to brainstorm specific risk events
- Write down each additional risk event on sticky notes and place them on the board
Now, canvas the group and ask them if these risk events can be categorized.
- Ask participants to identify if specific risk events can be classified and grouped under specific categories
- As categories are identified, ask someone to serve as a scribe and write down each new risk category on a larger sticky note and place this as a heading on the board
- Then ask participants where each identified risk event should be placed according to category
- Adjust until everyone is reasonably satisfied with the placement of all identified risks under specific classifications and groups
- If new risks are identified, ask someone to serve as a scribe and write down each new risk event on a new sticky note and place it under the prescribed risk category
After this is done, you can then conduct a session to build consensus as to whether or not risk categories could be combined or split into more convenient groupings. Continue the review and revision until a general consensus has been reached.
When you have completed this process, you should have a risk categorization matrix (Exhibit 2) that will look something like this:
Exhibit 2: Risk Categorization Matrix
Determine How These Risks Will Be Qualified and Quantified
The hardest part of developing a custom risk assessment template requires that you identify the potential and affect on the project should a risk event occur. The probability of a risk occurring and its impact on a project are used in tandem as decision aids.
Each risk event identified above will require that thorough analysis be conducted in order to identify the criteria and thresholds for the probability and impact, as well as be well documented. Use the team process again to do this. Ask team members to pair up and to take several risk events items. Their job will be to establish the criteria for each and to document what they think the thresholds should be. This process can happen in a group setting or as an assignment outside of group meetings. You can then bring the team together in order to refine the work to be done by the smaller groups.
First and foremost, a qualitative ranking system should be established for these thresholds. Most organizations employ a simple low, medium, high ranking to start with. Specific qualitative criteria then need to be identified for each risk event in order to properly identify what is considered low, medium or high risk. For instance, a particular risk event might include a team member leaving the team. In assessing its likelihood, you may consider the turnover rate of employees in the organization in order to determine the likelihood of this happening with the corresponding ranking of low, medium and high. In assessing the impact you may need to qualify what constitutes low, medium and high risk as well. In a large team, losing one team member may be considered low risk. However, if the team member who is leaving has a unique skill, the risk to the team may be considered a medium risk. If three team members where to leave all at once, this would be considered a high risk to the team.
In quantitative analysis, numerical values for both probability and impact using data from a variety of sources are utilized. Quantitative analysis may consist of simply applying a score to each ranking:
- Low = 1
- Medium = 2
- High = 3
The overall risk level should take into account the probability of the risk arising and the impact to the project. These two scores may be multiplied to give you the overall risk rating for each risk event. This may be referred to as the Probability-to-Impact (PI) ratio. In general if the two scores are low the overall risk would be low. Though it is great to have a single PI score to identify the overall risk posed by each risk event, it is important to consider the strength of both indicators and the overall plan you develop to manage each risk. When you have completed this process, you should have a risk assessment matrix (Exhibit 3) that will look something like this:
Exhibit 3: Risk Assessment Matrix
Determine Your Organization’s Risk Tolerance
When developing your custom risk assessment matrix, don’t forget to consider the risk tolerance levels within your organization. Some industries and related organizations are naturally adverse to risk, while other industries and related organizations require a certain degree of risk. In addition, though your organization has a specific risk tolerance, your leadership or management may have a desirably different risk tolerance. Your probability and impact criteria and eventual scoring should reflect your organization’s risk tolerance including leadership preferences.
Determine Final Output Format of the Risk Assessment
The final format of the risk assessment may be produced in Microsoft Word, Excel, Access Database or an application within a Project Management Information System (PMIS). The lowest common denominator will likely dictate the format of the risk assessment in organizations that lack a PMIS. If a PMIS does exist, it should be made available – either as a downloadable template or a customized application. Excel worksheets prove to be the easiest to work with for most organizations because of its ability to use formulas in order to develop scores. Also, there are several “dashboard” tools that take advantage of Excel data or databases and convert them into professional-looking dashboards and project displays.
Create a Plan to Maximize the Risk Assessment’s Applicability to Every Project
Once the risk assessment has been completed, it is important that it be adopted by all project management personnel within the organization. It has been my experience that many such initiatives have failed because they lack an implementation plan. Create an appropriate implementation plan that takes into account the following success factors:
- Presentation, review and approval by executive management
- Centralized storage and placement for easy access via a PMIS repository
- Communication regarding the upcoming availability of the new risk assessment
- Presentation, review and buy-in by all project personnel through targeted training events
- Ultimate ownership and continued quality updates via User Groups sponsored by the Project Management Office (PMO) or Quality Group
Create a Final Risk Assessment That Is Flexible and Scalable
Not all projects are created equal. Since a key aspect of every project is its uniqueness, the risk assessment should be made to accommodate differences amongst projects. Some organizations have risk assessments that are tailored to the types of projects being managed including Information Technology, Marketing, Legal, and so forth.
Also, not every pre-identified risk event applies to every project within these types of assessments. Risk assessment template users should be allowed to bypass specific risk events that do not apply to their project.
Finally, there should be a free-form section at the bottom of the risk assessment to capture additional risks that are unique to each project. Project teams should be encouraged to use this section and apply the same qualification and quantification measures to assure that risks are properly identified and rated.
Determine Process to Update the Risk Assessment
As part of the implementation strategy, it is highly-recommend that regularly-scheduled User Group meetings be set up to review and update the risk assessment tool. This process will ensure continued use of this tool and will help improve the overall quality of each project.
Quickly Assess Risk on New Projects
Conduct Risk Identification and Rating Using the Risk Assessment
If a risk cannot be identified, then it cannot be evaluated and managed. The risk assessment should help project staff quickly manage the most common project risks because they are already identified in the template. Project personnel should also be able to quickly qualify and quantify the risks because these details are included in the risk assessment template. Using the risk assessment template, enter the rating for the probability of the risk occurring and record the rating of the impact of the risk should it occur. Then calculate the PI index.
It is important to note that there is a tendency in every project manager and team member to let the assessment tool do the work and avoid extending risk analysis beyond the borders of the template. There are three important factors required to diagnose the real risks faced on projects using any risk assessment template:
- Bypass those pre-identified risk events that do not apply to your project
- Flush out additional risks through extensive “what if” analysis and document those risk events that have not yet been identified
- Adjust probability and impact criteria where necessary to pre-existing and new risk events
Once the risk assessment has been completed by the project team it should be reviewed regularly. For projects that face critical, time-constrained deliverables and where quality is critical, weekly risk assessment reviews may be considered standard operating procedure. On the other hand, other “less-critical” projects may require only monthly or quarterly risk assessment reviews.
The results of the risk assessment should be directly tied to the risk management plan. Within this plan, each qualified risk will require that an appropriate risk response be developed and assigned to appropriate team members who are responsible for identifying these risk events should they occur.
5 Steps to Better Manage Risks
So, how do we manage risk once your risk assessment matrix is complete? As stated earlier, the process of simply identifying, qualifying and quantifying risks is the starting point, not the end. The degree that risks will influence our project will determine our strategies for responding to risk events when they occur. A solid risk Management Plan should be developed that proactively addresses how we will avoid, mitigate, or transfer risk. Here are some best business practices when developing and executing against your risk management plan:
- Involve senior management – required senior management involvement should not be overlooked. Involve them in the process of risk planning and the selection of risk response strategies. Again, their risk tolerance may be different from what you assume. It is best to incorporate their risk tolerance into the plan.
- Consider the overall costs associated with each risk event response strategy where possible. Using a risk leverage calculation will help. Shari Lawrence Pflegger states that risk leverage is “the difference in risk exposure divided by the cost of reducing the risk. In other words, risk reduction leverage is (risk exposure before reduction-risk exposure after reduction)/ (cost of reduction).” (Pflegger, 2007) Knowing if a particular risk response is financially practical should be considered when choosing an appropriate risk response strategy.
- Assign specific risk events and corresponding risk responses to specific owners. These risk owners will serve as scouts or “lookouts” that are responsible for identifying these risk events before they are about to occur or as soon as they occur. Train them or gain agreement on early warning signs for particular risk events.
- Update your risk assessment regularly. Don’t wait until it is too late. Risk management is not like a Ronco™ Rotisserie where you can “set it and forget it.” You must be willing to reassess possible risk events. Add regularly scheduled risk reviews to your project schedule and maintain a disciplined approach to revising risk probability and impact ratings. As projects move through time, risk ratings may increase or decrease for particular risk events. Some risks will drop off your risk assessment entirely, while new risk events will need to be added to your risk register.
4 Steps on How to Communicate Risk
- Make sure risks (no matter how large or small) are identified and documented in your weekly project status reports. It is better to provide appropriate advanced notice early on rather than waiting for a risk event to occur.
- Update your risk management plan and specific risk responses in conjunction with your risk assessment. Be prepared to deal with new risks in a proactive manner.
- Develop project dashboards that are web enabled and available to all project stakeholders. I have had a lot of success in developing dashboards that are used primarily by executive management and project management personnel. Providing up-to-date risk assessment information via such mechanisms quickly provides a snapshot of the health of a project in regards to risks. Though there are many PMIS applications that provide this function, I have found it very beneficial to create interactive dashboards from data contained in my standard risk assessment template and publish these dashboards to the web. The following dashboard component example (Exhibit 4) is a simple mechanism that can be accessed by all project stakeholders.
(Interactive version of this file can be found at: http://pmi07.pcg-global.com)
Exhibit 4: Risk Dashboard Component
- Develop an escalation process to deal with high-priority risk events. When a high-priority risk occurs it is best to know who to contact right away and who else will be informed once a risk event occurs. Using the regular chain of command may prove ineffective where speed and/or executive approval is required.
Responding to Risk
A new risk management response approach used by project managers is the creation of a pre-identified risk response SWAT team that will quickly respond to risks once they occur. This team may be composed of project team members and executive managers that have agreed to participate in advance. Their responsibilities will include:
- Assess the severity of a risk once it occurs
- Determine if the previously defined risk response is appropriate to the risk event
- Update the risk response strategy if necessary
- Assist in implementing the appropriate response
- Document the results of the applied risk response strategy and communicate lessons learned
Again, this approach can be tailored appropriately to any project. The SWAT team may consist of a few people including the project manager, an analyst and an executive manager to provide approval, or it may include a large team which includes very specific technical and business specialists who are skilled at dealing with and responding to risks.
In the end, using a disciplined approach to risk management similar to the discipline used to mange scope, cost and time will be made easier by using a standard risk assessment tool that is tailored to your organization as well as to your project. The best project organizations are those who realize that a risk assessment template is a valuable asset in managing the organization’s bottom line. Sure, it may seem that it requires a bit of time to organize and develop, but in reality it will save time and money in the long run.
Mullaly, M. (February 2007). Just a 4-Letter Word? Retrieved 05/02/2007 from Gantheadd.com web site: http://www.gantthead.com/content/articles/235206.cfm.
Pfleeger, S. L. (2007). Assessing Project Risk. Retrieved 05/02/2007 from: http://www.ais.msu.edu/Internal/ProjectMgt/documents/AssessingProjectrisk.html.
© 2007, Joseph W. Kestel, PMP
Originally published as a part of 2007 PMI Global Congress Proceedings – Atlanta, Georgia