The whole point of undertaking a project is to achieve or establish something new, to venture, to take chances, to risk. Thus, risk has always been an intrinsic part of project work. However, in today's markets, with heavy competition, advanced technology and tough economic conditions, risk taking has assumed significantly greater proportions.
Generally, when we speak of taking a risk we tend to think only of those things which are highly chancy or hazardous. Yet many risks are so commonplace in everyday life that we scarcely give them a thought. Instead, we react to them subconsciously, and take precautions that experience has taught us are only prudent.
In crossing the road, for example, we take the precaution of looking both ways, and only cross when the road is clear. If we are in a hurry, we might “take a chance” (increase the risk) by crossing when we see a sufficient gap in the traffic. If the traffic is heavy, and the risk appears to be extreme, then we might walk further to a designated crossing area at an intersection, traffic lights or to an overpass, if available.
Rarely do we systematically assess all the risks involved in reaching our destination. Even less do we consider the consequences if our chances fail to come off except, perhaps, once a serious accident has actually occurred. Otherwise, we might decide never to go anywhere at all!
On the other hand, when our children are small, we admonish them not to go near the road (risk identification and avoidance). When they have to cross the road to get to school, we examine the dangers and either teach them how to cross safely or direct them to the school crossing guard (risk assessment and planning of shift of responsibility). When they get home at the end of the day, we ask them “how they got on”—perhaps we can do something more to help them for tomorrow (information feedback and corrective action). We also make a mental note for when our youngest reaches the same age (building the data base).
Project managers will recognize the classic systems methodology of input, process, output and feedback loop outlined above which is so vital to the effective control of a project. Yet risk is somehow different. It has to do with uncertainty, probability or unpredictability, and contingency planning.
Indeed, the term risk management itself tends to be misleading because management implies control of events. On the contrary, risk management must be seen as preparation for possible events in advance, rather than responding as they happen. With time in hand, it is possible to identify alternative action plans and select that which is most consistent with project objectives. Consider the following improbable but quite possible situation. You find yourself being shot at. You have three choices:
- You can move to avoid the bullet;
- You can deflect the bullet; or
- You can repair the damage done by the bullet.
At no time are you in control of the bullet. What you have to manage is your response to the event (risk), not the event itself.
Therefore, risk management is seen as the formal process whereby risk factors are systematically identified, assessed and provided for. In other words, such provisions constitute response planning and may include such defensive actions as mitigation by risk avoidance, deflection by insurance or contractual arrangement and contingent planning such as the provision and prudent management of budgeted contingency allowances to cover uncertainties.
Not only are the uncertainties in most projects numerous, but they are also interrelated. This affects project results in complex ways. It tends to lead to underestimation of risk and makes it difficult for management to be confident in identifying and prioritizing the areas on which risk management should be focused. A systematic approach is therefore necessary in order to sort through the myriad of uncertainties, to pinpoint the truly critical ones, and to identify cost-effective ways of reducing those uncertainties.
In practice, depending on the size and nature of the project, effective risk management may require some detailed quantitative analysis of the impact of the various uncertainties. This is required in order to judge the reliability of the estimates, the effectiveness of possible alternative strategies and to plan the best overall responses. Risk management is inextricably tied into cost, schedule and quality and is, therefore, a key component of the project management process.
Definition of Project Risk and Risk Management
In the context of project management, project risk may be defined as the chance of certain occurrences adversely affecting project objectives. It is the degree of exposure to negative events, and their probable consequences. Project risk is therefore characterized by the following risk factors:
- The risk event or identification, i.e., precisely what might happen to the detriment of the project;
- The risk probability, i.e., how likely the event is to occur; and
- The amount at stake, i.e., the extent of loss which could result.
Risk management may therefore be defined as follows:
Risk management, in the project context, is the art and science of identifying, analyzing and responding to risk factors throughout the life of a project and in the best interests of its objectives.
Following the typical hierarchy of the Project Management Institute's Body of Knowledge Management Functions (see Figure 1), Figures 2 and 3 show a risk management breakdown structure. That is to say, the function itself is at level 1, followed by processes, activities, and finally techniques at level 4. As illustrated earlier, and as shown in Figures 1 and 2, the risk management processes are risk identification, impact analysis, response planning, the response system, and the application of the resulting data.
On most projects, responsibility for project risk is so pervasive that it is rarely given sufficient central attention. It should be noted, therefore, that not all risk events are independent. Indeed, the total amount at stake may be highly dependent upon a series of interacting events. Unhappily, the old saying, “It never rains but it pours!” is not an uncommon experience. Moreover, a series of risk events can, and frequently does, cross traditional functional responsibility boundaries with disastrous consequences.
Risk can be divided into two basic types. The first of these, business risk, involves the inherent chances for a profit or loss associated with any business endeavour. Business entities employ staffs of specially trained managers, accountants, engineers, technicians, and labourers in order to reduce the chance of a loss and increase the chance of profit.
The second type of risk is usually called Pure, or Insurable Risk. Insurable risk differs from business risk in that it involves only a chance for loss and no chance for profit. For example, insurable risks can be further divided into four general categories. These include the chance for direct property loss, the chance for indirect property loss, the chance for liability loss, and the chance for personnel-related loss.
Obviously, direct property loss involves the destruction of property such as by fire, flood or by wind storm. Indirect loss is somewhat more subtle and involves, for example, the extra expenses associated with renting a temporary replacement of a crucial piece of equipment following its damage or destruction, or the business interruption if operations cannot be continued because a replacement is not immediately available.
Liability loss, of course, involves the chance of a member of the public filing a lawsuit for bodily injury, personal injury, or property damage against the contractor.
Finally, personal losses generally involve injuries to employees such as contemplated by Workman's Compensation Laws.
On any given project, the spectrum of risk events will obviously vary, as will both their degree of probability and the amount at stake. Figure 1 sets out to classify roughly the types of project risk according to cause rather than effect. It will be seen that this form of classification also serves to rank the various risk groups according to ability to manage effective responses (from low ability to high ability). The degree of ability to manage the response is, of course, independent of probability and amount at stake.
Ultimate responsibility for the identification of risks and their subsequent treatment must rest with the owner or the client. He must be motivated to assume this responsibility by the threat posed to the successful completion of the project objectives. That is, those objectives which are likely to be expressed in terms of cost, time and functional performance.
Risk response should be considered in terms of avoidance, reduction, transfer or retention. Thus, in dealing with risk, it may be ignored (by default), recognized but no action taken (as a matter of policy), or reduced, transferred or shared (as part of response planning). These approaches may also be combined. The first step, then, is to set some policies, procedures, goals and responsibilities for risk management on the project in question. This will set the scope and framework for the management function, whether it is simply a recognition of a task to be undertaken by the project manager, or the responsibility of a specialist or team under his direction.
Bear in mind that risk events will affect the project's cost, schedule or quality of the work to an extent which depends on the event and how it is handled. The overall project risk will also vary considerably throughout the life of the project. It will increase as tasks with risk events of high probability are undertaken and will generally tend to decrease as the bulk of the work is completed.
The project risk may also change substantially as a result of changes in the scope of the project or changes in the method of working. Consequently, continuous review of the situation with appropriate adjustment of response planning is recommended.
In broad terms, a risk impact analysis requires the project to be broken down into management tasks closely allied to the project's work breakdown structure. The extent and depth of this analysis should be determined by the risk management policies and goals noted above. In practice, particular emphasis may be given at this point to those events which may be perceived as having “high risk” (i.e., high probability) and hence require detailed analysis.
Care, however, should be taken not to overlook the possibility of a significant impact as a result of some combination of apparently minor events. For example, a series of relatively insignificant schedule delays could result in completely missing a “window of opportunity” such as reaching a market before a competitor, construction in the summer season rather than in winter, or completing a project before an anticipated adverse regulatory change.
At the other end of the scale, a very “low risk” may, as a matter of policy, be considered “out-of-scope” even though the event could have a major impact. For example, a risk event might be such that it has the potential to undermine other activities of the sponsoring organization. In this case, appropriate response planning should be undertaken as part of the organization's business planning rather than at the project level.
Various diagramming techniques such as influence diagrams and probability trees are available for gaining an appreciation of risk event interdependencies. Through such techniques a screening process can be applied to assess the merits of further detailed consideration of specific risks and the manner in which combined effects of risk events can be modeled. These techniques are generally within the purview of specialists in risk analysis in the various technical project fields.
During the analysis, especially on large projects, it is often necessary to develop a further breakdown in which each activity is numbered and documented for reference. As with the project work breakdown structure, this breakdown serves to focus discussion, to aid in identification of all risks, and to provide a basis for formalizing dependency links within the project. Using this breakdown, the risks within each activity are identified by mentally stepping through all aspects of the activity to produce a comprehensive list of uncertainties.
The next step in the process is to quantify the various risks identified. This must be done in terms of severity of impact, probability, and sensitivity to changes in related project variables. In complex situations, perhaps the most satisfactory approach is to model the variables by discrete distributions with specified intervals. This allows maximum flexibility in representing distribution shapes as well as offering mathematical simplicity. It also paves the way for solving complex combinations of dependent and independent variables by repetitive computerized calculations.
Where risk combination is analyzed by modeling, three levels of models are typically required. These are:
- For detailed analysis of the joint impact of a small number of risks within an activity;
- For examining the joint effects of all risks within an activity; and
- For examining the broad overall impact of risks from several or all activities.
This can be conceptualized as the successive summarization of a large probability tree. The resulting output shows overall distributions as they impact cost, schedule and quality. These distributions can be displayed graphically so as to show the relative importance of each contributing risk, as well as their cumulative effect.
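The three model levels described above, worked through as an added example that is not part of the original article: risks are discrete distributions on a fixed interval, a dependent pair is summarized through a probability tree, and independent risks are combined by convolution. The risk names, cost figures (in $k) and probabilities are constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction as F

def combine(a, b):
    """Sum of two independent discrete impacts (convolution)."""
    out = defaultdict(F)
    for xa, pa in a.items():
        for xb, pb in b.items():
            out[xa + xb] += pa * pb
    return dict(out)

def tree(parent, children):
    """Sum of a risk and a dependent one: children[x] is the dependent
    risk's distribution given that the parent outcome was x."""
    out = defaultdict(F)
    for xp, pp in parent.items():
        for xc, pc in children[xp].items():
            out[xp + xc] += pp * pc
    return dict(out)

def mean(d):
    """Expected impact of a discrete distribution."""
    return sum(x * p for x, p in d.items())

def value_at(d, confidence):
    """Smallest impact whose cumulative probability reaches `confidence`."""
    cum = F(0)
    for x in sorted(d):
        cum += d[x]
        if cum >= confidence:
            return x

# Constructed sample data: cost impact in $k on a 10k grid -> probability.
GROUND = {0: F(6, 10), 20: F(3, 10), 50: F(1, 10)}
DEWATERING_GIVEN_GROUND = {            # depends on the ground outcome
    0: {0: F(1)},
    20: {0: F(1, 2), 10: F(1, 2)},
    50: {10: F(1, 4), 30: F(3, 4)},
}
WEATHER = {0: F(7, 10), 10: F(3, 10)}      # independent, same activity
PROCUREMENT = {0: F(8, 10), 40: F(2, 10)}  # a second activity

def project_model():
    joint = tree(GROUND, DEWATERING_GIVEN_GROUND)  # level 1: a few risks
    activity = combine(joint, WEATHER)             # level 2: whole activity
    project = combine(activity, PROCUREMENT)       # level 3: all activities
    return joint, activity, project

if __name__ == "__main__":
    levels = zip(("joint", "activity", "project"), project_model())
    for name, d in levels:
        print(f"{name:8s} mean={float(mean(d)):5.1f}  "
              f"P80={value_at(d, F(4, 5))}  P90={value_at(d, F(9, 10))}")
```

In this constructed data the most likely outcome of every individual risk is zero, yet the project-level distribution has a mean of 26 and a 90% confidence level of 70, which is the underestimation that arises when interrelated uncertainties are judged one at a time.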
A significant commitment of time and resources may be required for an in-depth impact analysis. Therefore, this analysis may only be appropriate at the level of detail where the stakes are high and where there is substantial uncertainty.
The actual data base used to quantify the risk events and probabilities must be obtained from objective sources such as recorded experience on past projects. Data collected on the current project, as it proceeds, will be even more valuable for updating the assessment of overall project risk. All such data should be archived to form part of the post project assessment and the organization's eventual historic data base.
However, for many of the risks, especially at the initial impact analysis stage, the data are necessarily subjective in nature and must be obtained through careful questioning of experts or persons with the relevant knowledge. For example, an expert could be asked to estimate the optimistic, most probable and pessimistic values for a particular variable, together with percentage chances of better than optimistic or worse than pessimistic outcomes. The amount at stake for each and the sensitivity of this amount to changes in related variables must also be assessed.
The description of risk distributions and combinations, and the quantification and sensitivity assessments, can all be demanding technical tasks.
As a result of the methodology outlined above, a picture of project risk will emerge. This will include where, when and to what extent exposure may be anticipated. For a complete picture the internal intrinsic worth of the project should also be established as well as the external “status quo” of the risks to the sponsoring organization associated with not carrying out the project at all.
With this picture in mind it is then possible to formulate suitable risk management strategies, whether by way of mitigation, deflection or systematic contingency planning. Mitigation may simply involve the proper recognition of certain risks by appropriate modification of the project's scope, budget, schedule, quality specification or all four.
Adequate contingency allowance and good control, even on a tight budget, will reduce the chance of overrun. A logically developed schedule with attention to resource requirements and conflicts will reduce the probability of schedule overrun. But how often has one heard in the enthusiastic initiation of a project the battle cry, “Our objective is to build the best there is!”? Not surprisingly, such unrealistic definitions of quality result in very high-risk projects indeed!
Deflection involves the transfer of risk by such means as contracting it to another party, whether by insurance or by including it in the implementation contract. In the latter case, caution is advised since experience shows that this strategy will only be cost effective if the contractor has proper and effective control over the risk or risks concerned. Contingency planning includes the management of a contingency budget, the development of schedule alternatives or work-arounds and complete emergency responses to deal with specific major areas of risk.
The effects of all such strategies can, if required, be analyzed by making appropriate changes to the risk model. In this way decisions can be optimized and the project can proceed with increased confidence.
As noted in the Introduction, the whole point of undertaking a project is to achieve something new, to venture, to take a risk. While much of the detail described in the foregoing outline of risk management is applicable to large complex projects, the principles involved are just as applicable to any size project in any field of endeavor.
Since there is no point in taking any risk that is not necessary, risk management should be a recognized project management responsibility on all projects—even on a small one.
Glossary Of Terms
The suggested definitions for the terms in this glossary are all presented in the context of project management in general and in risk management in particular.
Risk Management: The art and science of identifying, analyzing and responding to risk factors throughout the life of a project and in the best interest of its objectives.
Project Risk: The cumulative effect of the chances of uncertain occurrences which will adversely affect project objectives. It is the degree of exposure to negative events and their probable consequences. Project risk is characterized by three factors: risk event, risk probability and the amount at stake.
Risk Event: The precise description of what might happen to the detriment of the project.
Risk Probability: The degree to which the risk event is likely to occur.
Amount at Stake: The extent of adverse consequences which could occur to the project.
Risk Factor: Any one of risk event, risk probability or amount at stake, as defined above.
Risk Identification: The process of systematically identifying all possible risk events which may impact on a project. They may be conveniently classified according to their cause or source and ranked roughly according to ability to manage effective responses. A suggested classification is shown in Figure 1. Not all risk events will impact all projects, but the cumulative effect of several risk events occurring in conjunction with each other may well be more severe than the examination of the individual risk events would suggest.
Risk Identification: The process of identifying, classifying and organizing all the risks likely to impact a particular project. Such risks may be classified by source or cause (rather than effect) and organized or ranked according to ability to manage an effective response. On this basis, self-explanatory headings and typical entries under each are shown in Figure 1.
Impact Analysis: The mathematical examination of the nature of individual risks on the project, as well as potential structures of interdependent risks. It includes the quantification of their respective impact severity, probability, and sensitivity to changes in related project variables, including the project life cycle. To be complete, the analysis should also include an examination of the external “status quo” prior to project implementation as well as the project's internal intrinsic worth as a reference baseline. A determination should also be made as to whether all risks identified are within the scope of the project's response planning process.
Response Planning: The process of formulating suitable risk management strategies for the project, including the allocation of responsibility to the project's various functional areas. It may involve mitigation, deflection and contingency planning. It should also make some allowance, however tentative, for the completely unforeseen occurrence.
Mitigation: The act of revising the project's scope, budget, schedule or quality, preferably without material impact on the project's objectives, in order to reduce uncertainty on the project.
Deflection: The act of transferring all or part of a risk to another party, usually by some form of contract.
Contingency Planning: The establishment of management plans to be invoked in the event of specified risk events. Examples include the provision and prudent management of a contingency allowance in the budget, the preparation of alternative schedule activity sequences or “work-arounds,” and emergency responses to reduce the impact and the evaluation of liabilities in the event of the complete project shutdown.
Response System: The on-going process put in place during the life of the project to monitor, review and update project risk and make the necessary adjustments. Examination of the various risks will show that some risks are greater in some stages of the project life cycle than in others.
Data Application: The development of a data base of risk factors both for the current project and as a matter of historic record.